feat: restrict default IAM credentials in SaaS mode for security#18161
Merged
d-bytebase merged 3 commits into main on Nov 21, 2025
Conversation
Disallow "Default" credential source for GCP, AWS, and Azure IAM authentication when Bytebase runs in SaaS mode on GKE. This prevents potential security risks from using ambient cluster credentials.

Changes:
- Frontend: Disable "Default" radio option with warning message in SaaS mode
- Backend: Add validation to reject default credentials for IAM auth in SaaS mode
- Add i18n strings in all supported locales (en, zh, ja, es, vi)
- Force explicit credential configuration for all cloud IAM authentication types

🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>

…ng box

Change the UI to display the "Default credentials not available" message as a tooltip when hovering over the disabled Default radio button, instead of showing it as a separate warning box below the radio group. This provides a cleaner UI while still communicating why the option is disabled.

🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>

Fix import order to pass Biome check. Move store import before proto imports to comply with import organization rules.

🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
ecmadao approved these changes on Nov 21, 2025
github-actions bot pushed a commit that referenced this pull request on Nov 21, 2025
) * feat: restrict default IAM credentials in SaaS mode for security

Disallow "Default" credential source for GCP, AWS, and Azure IAM authentication when Bytebase runs in SaaS mode on GKE. This prevents potential security risks from using ambient cluster credentials.

Changes:
- Frontend: Disable "Default" radio option with warning message in SaaS mode
- Backend: Add validation to reject default credentials for IAM auth in SaaS mode
- Add i18n strings in all supported locales (en, zh, ja, es, vi)
- Force explicit credential configuration for all cloud IAM authentication types

🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>

* refactor: show IAM credential restriction as tooltip instead of warning box

Change the UI to display the "Default credentials not available" message as a tooltip when hovering over the disabled Default radio button, instead of showing it as a separate warning box below the radio group. This provides a cleaner UI while still communicating why the option is disabled.

🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>

* fix: organize imports in CredentialSourceForm

Fix import order to pass Biome check. Move store import before proto imports to comply with import organization rules.

🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>

---------
Co-authored-by: Claude <noreply@anthropic.com>
(cherry picked from commit 45b64ed)

Successfully created backport PR for
d-bytebase added a commit that referenced this pull request on Nov 21, 2025
) (#18162)

* feat: restrict default IAM credentials in SaaS mode for security

Disallow "Default" credential source for GCP, AWS, and Azure IAM authentication when Bytebase runs in SaaS mode on GKE. This prevents potential security risks from using ambient cluster credentials.

Changes:
- Frontend: Disable "Default" radio option with warning message in SaaS mode
- Backend: Add validation to reject default credentials for IAM auth in SaaS mode
- Add i18n strings in all supported locales (en, zh, ja, es, vi)
- Force explicit credential configuration for all cloud IAM authentication types

🤖 Generated with [Claude Code](https://claude.com/claude-code)

* refactor: show IAM credential restriction as tooltip instead of warning box

Change the UI to display the "Default credentials not available" message as a tooltip when hovering over the disabled Default radio button, instead of showing it as a separate warning box below the radio group. This provides a cleaner UI while still communicating why the option is disabled.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

* fix: organize imports in CredentialSourceForm

Fix import order to pass Biome check. Move store import before proto imports to comply with import organization rules.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

---------
(cherry picked from commit 45b64ed)
Co-authored-by: Danny Xu <98006139+d-bytebase@users.noreply.github.com>
Co-authored-by: Claude <noreply@anthropic.com>
vsai12 added a commit that referenced this pull request on Feb 6, 2026
…tance in SaaS mode The `credentialSource` watcher that sets `iamExtension` on the data source was not `immediate`, so it missed the value change made by the earlier `isDefaultCredentialDisabled` watcher during component setup. This caused GCP/AWS/Azure IAM credentials to never be initialized on new instance creation in SaaS mode, falling back to default credentials which don't exist. Regression from #18161 which added the SaaS mode credential restriction. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
d-bytebase pushed a commit that referenced this pull request on Feb 7, 2026
…tance in SaaS mode (#19267)

* fix(frontend): fix GCP IAM credentials not sent when creating new instance in SaaS mode

The `credentialSource` watcher that sets `iamExtension` on the data source was not `immediate`, so it missed the value change made by the earlier `isDefaultCredentialDisabled` watcher during component setup. This caused GCP/AWS/Azure IAM credentials to never be initialized on new instance creation in SaaS mode, falling back to default credentials which don't exist.

Regression from #18161 which added the SaaS mode credential restriction.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix: remove unused parameter to pass eslint check

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix: format ternary to satisfy biome

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

---------
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
Summary
Disallow "Default" credential source for GCP, AWS, and Azure IAM authentication when Bytebase runs in SaaS mode on GKE to prevent security risks from using ambient cluster credentials.
Changes

Frontend

Backend
- validateIAMCredentialForSaaS() validation in instance_service.go
- profile to InstanceService for SaaS mode detection

Security Benefit
When Bytebase SaaS runs on GKE, the "Default" credential option could use the GKE cluster's service account credentials, which is a security risk. This change forces users to provide explicit credentials.
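As an added illustration of the backend check described above, here is a Go validation in the spirit of validateIAMCredentialForSaaS(). This is example code written for this page, not Bytebase's own instance_service.go; the AuthType and CredentialSource enums, the DataSource struct and the Profile type are hypothetical stand-ins for the project's proto and profile types. It goes slightly beyond the PR text in one respect: a credential source that was never set is treated the same as "Default", because the cloud SDKs fall back to the ambient credential chain in that case (the regression fixed in #19267 shows that path being hit).

```go
package main

import (
	"errors"
	"fmt"
)

// AuthType is the authentication method configured on a data source.
// Hypothetical stand-in for Bytebase's proto enum.
type AuthType int

const (
	AuthTypePassword AuthType = iota
	AuthTypeGCPIAM
	AuthTypeAWSIAM
	AuthTypeAzureIAM
)

func (a AuthType) String() string {
	return [...]string{"PASSWORD", "GCP_IAM", "AWS_IAM", "AZURE_IAM"}[a]
}

// CredentialSource says where the cloud SDK obtains IAM credentials.
// Hypothetical stand-in for the proto field the PR disables in the UI.
type CredentialSource int

const (
	// CredentialSourceUnspecified: field never set. The SDKs then walk the
	// ambient credential chain, so it is treated exactly like Default.
	CredentialSourceUnspecified CredentialSource = iota
	// CredentialSourceDefault: ambient credentials of the host, e.g. the GKE
	// node/workload identity, instance metadata, or environment variables.
	CredentialSourceDefault
	// CredentialSourceExplicit: key material the user supplied for this data source.
	CredentialSourceExplicit
)

func (c CredentialSource) String() string {
	return [...]string{"UNSPECIFIED", "DEFAULT", "EXPLICIT"}[c]
}

// DataSource is a minimal model of one database connection on an instance.
type DataSource struct {
	Name             string
	AuthType         AuthType
	CredentialSource CredentialSource
}

// Profile carries the deployment mode; only the SaaS flag matters here.
type Profile struct {
	SaaS bool
}

// ErrDefaultCredentialNotAllowed is the sentinel callers can match with errors.Is.
var ErrDefaultCredentialNotAllowed = errors.New("default (ambient) cloud credentials are not allowed in SaaS mode")

func isCloudIAM(a AuthType) bool {
	switch a {
	case AuthTypeGCPIAM, AuthTypeAWSIAM, AuthTypeAzureIAM:
		return true
	}
	return false
}

// validateIAMCredentialForSaaS rejects a data source that would authenticate to a
// cloud database with the identity of the hosting cluster itself. Outside SaaS mode
// (self-hosted) the operator owns that identity, so the check is a no-op there.
func validateIAMCredentialForSaaS(profile Profile, ds DataSource) error {
	if !profile.SaaS || !isCloudIAM(ds.AuthType) {
		return nil
	}
	if ds.CredentialSource == CredentialSourceExplicit {
		return nil
	}
	// Default and Unspecified both end up in the ambient credential chain.
	return fmt.Errorf("data source %q (%s, credential source %s): %w",
		ds.Name, ds.AuthType, ds.CredentialSource, ErrDefaultCredentialNotAllowed)
}

// validateAll applies the check to every data source of an instance and returns
// the names of the rejected ones, so a create/update request can report them together.
func validateAll(profile Profile, sources []DataSource) []string {
	var rejected []string
	for _, ds := range sources {
		if err := validateIAMCredentialForSaaS(profile, ds); err != nil {
			rejected = append(rejected, ds.Name)
		}
	}
	return rejected
}

func main() {
	// Constructed sample instance configuration (not real data).
	sources := []DataSource{
		{Name: "admin", AuthType: AuthTypeGCPIAM, CredentialSource: CredentialSourceDefault},
		{Name: "ro", AuthType: AuthTypeAWSIAM, CredentialSource: CredentialSourceExplicit},
		{Name: "legacy", AuthType: AuthTypeAzureIAM}, // CredentialSource left unset
		{Name: "pw", AuthType: AuthTypePassword},
	}
	for _, p := range []Profile{{SaaS: true}, {SaaS: false}} {
		fmt.Printf("saas=%v rejected=%v\n", p.SaaS, validateAll(p, sources))
	}
}
```

The check belongs on the server side regardless of the disabled radio button in the UI: the frontend restriction is a usability hint, while the backend rejection is what actually prevents an API client from submitting a "Default" source in SaaS mode.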
Test Plan
🤖 Generated with Claude Code