A script in golang which demonstrates how to allow a user temporary, time-limited membership to a Google Group. (firecall access, just in time access)

You can use this to set on-demand firecall access based on google groups.

For example, if you need to let a specific user access to a…

BigQuery AEAD encryption functions uses TINK Keysets.

Works fine but all samples included there describe how to generate an encoded key using a BQ function itself: KEYS.NEW_KEYSET(‘AEAD_AES_GCM_256’)

However, what if you

a) already have a raw AEAD_AES_GCM_256 that you want to use with BQ or

b) you've already generated a…

Code snippet to create a GCS Signed URL in Cloud Run, Cloud Functions and GCE VMs

  • Why am i writing this repo?
    because it isn’t clear that in those environment that with some languages you can “just use” the default credentials (node, java) while in others you need to explicitly use…

Ever needed to know how Google Cloud IAM roles and permissions change over time? Ever wanted to map roles<->permissions thats easily queryable in a BQ dataset?

Why you ask?

The easiest usecase is to have a way to reverse map “which permissions are in this role? or Which roles include…

Kubernetes service for gRPC xDS loadbalancing that allows even distribution of k8s gRPC service->service api calls.

gRPC loadbalancinng can take many different schemes as described here Load Balancing in gRPC. The particular scheme described here is pretty unique and experimental: xDS server for gRPC.

Note, normally kubernetes services are exposed…

For some reason on a day i took off from work, i needed to use openssl to run a plain Key derivation function before i have to mow the lawn.

At first i found the man page here about that but it turns out its only available in openssl3+.

So, her’es a docker file with openssl3.0...you can access it here:



while you’re here, also see OpenSSL docker with TLS trace enabled ..which also compiles in fips with openssl3

now to go take care of the weeds…

— -

with FIPS

A simple client-server for TPM RemoteAttestation

TPM Remote attestation allows a remote server to “trust” that a specific TPM has signed some data or assert system state. Its cryptographically secure way to transfer secrets and do many more things.

The first step to establish trust is to setup a way a remote system can “prove” that…

A simple terraform provider that does HTTP POST and mTLS.

Hashicorp published a convenient HTTP datasource which i use time to time but realized its just for GET request.

Yesterday was a bit slow so i decided to modify the HTTP provider and add on a couple of extra features…

Samples in golang that enables the following where the private key or hmac secret is embedded with a TPM (Trusted Platform Module)

HMAC SignedURLs:

  • Import a GCS HMAC secret and use it to generate a SignedURL

RSA SignedURL:

  • Generate an RSA Private Key on a TPM
  • Use RSA Private Key…

Sample procedure to encrypt AWS Access Secret Access Key using GCP Tink and a way to embed the the Key into an HSM device supporting PKCS #11.

AWS secret key and ID can be thought of as a username/password and should be carefully managed, rotated, secured as described in Best…

salmaan rashid

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store