Home

Awesome

gcp-jwt-go Go Reference Go Report Card Build Status Coverage Status

Google Cloud Platform (Cloud KMS, IAM API, & AppEngine App Identity API) jwt-go implementations

New with v2:

Google Cloud KMS now supports signatures and support has been added to gcp-jwt-go!

Breaking Changes with v2.2

Breaking Changes with v2.1

Breaking Changes with v2

To continue using the older version, please import as follows: import "gopkg.in/someone1/gcp-jwt-go.v1"

Features

gcp-jwt-go has basic implementations of using Google Cloud KMS, Google IAM API (both signJwt and signBlob), and the App Identity API from AppEngine Standard on Google Cloud Platform to sign JWT tokens using the dgrijalva/jwt-go package. Should work across virtually all environments, on or off of Google's Cloud Platform.

Getting Started

Please read the documentation at https://pkg.go.dev/github.com/someone1/gcp-jwt-go/v2

Performance

There are many tradeoffs which the various signing mechanism available from Google's Cloud Platform. Below you will find a chart of performance for the different algorithms and APIs. Here are some overall takeaways:

note: all latency numbers are ordered as (50th %ile, 95th %ile, 99th %ile). Tests were run on a F1 AppEngine Standard instance in the us-central region. All Cloud KMS keys are set to global.

Signing Performance

SignerSignature LengthSign LatencySamples
AppEngine3429.14 ms, 17.56 ms, 79.15 ms100
IAMBlob342198.37 ms, 217.42 ms, 244.91 ms100
IAMJWT342109.03 ms, 208.46 ms, 212.65 ms100
KMSES2568631.57 ms, 44.09 ms, 44.54 ms50
KMSES38412834.67 ms, 51.16 ms, 59.48 ms50
KMSPS256 (2048)34238.20 ms, 57.75 ms, 70.47 ms50
KMSPS256 (3072)51242.77 ms, 58.24 ms, 62.86 ms50
KMSPS256 (4096)68352.02 ms, 64.70 ms, 92.15 ms50
KMSRS256 (2048)34237.94 ms, 61.94 ms, 77.33 ms50
KMSRS256 (3072)51239.85 ms, 50.52 ms, 56.17 ms50
KMSRS256 (4096)68350.19 ms, 68.48 ms, 86.02 ms50

Verify Performance

VerifierCacheVerify LatencySamples
AppEngineVerifyfalse6.42 ms, 9.33 ms, 10.86 ms50
AppEngineVerifytrue0.87 ms, 1.05 ms, 25.03 ms50
IAMVerifyfalse12.52 ms, 21.45 ms, 30.63 ms100
IAMVerifytrue0.86 ms, 1.01 ms, 53.19 ms100
KMSVerify (2048-PS256)always0.88 ms, 1.01 ms, 32.15 ms50
KMSVerify (2048-RS256)always0.93 ms, 1.11 ms, 19.96 ms50
KMSVerify (3072-PS256)always1.53 ms, 1.71 ms, 43.35 ms50
KMSVerify (3072-RS256)always1.61 ms, 2.11 ms, 42.39 ms50
KMSVerify (4096-PS256)always2.94 ms, 66.88 ms, 71.60 ms50
KMSVerify (4096-RS256)always2.70 ms, 55.25 ms, 72.34 ms50
KMSVerify (ES256)always0.15 ms, 0.20 ms, 0.29 ms50
KMSVerify (ES384)always181.21 ms, 193.25 ms, 195.08 ms50

Where cache=false is where we get the most value from these numbers as it shows the time to fetch/parse public certificates, the other cases are just the time to use a cached certificate to validate the JWT.

Tips

# First, create the api-signer service account
gcloud beta iam service-accounts create api-signer --description="Tokens must be signed by this service account in order to authenticate to the API" --display-name="API Signer" --project=$PROJECT_ID

# Grant the AppEngine service account proper permissions to sign tokens on behalf of the service account we just created
gcloud beta iam service-accounts add-iam-policy-binding  api-signer@$PROJECT_ID.iam.gserviceaccount.com --member=serviceAccount:$PROJECT_ID@appspot.gserviceaccount.com --role=roles/iam.serviceAccountTokenCreator --project=$PROJECT_ID

Understand this process by reading this article.