Skip to content
/ workload-identity-federation Public

Configure OpenID Connect with GCP Workload Identity Federation

4 stars 1 fork Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

ankitcharolia/workload-identity-federation

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

9 Commits
images
images
 
 
.gitlab-ci.yml
.gitlab-ci.yml
 
 
Dockerfile
Dockerfile
 
 
README.md
README.md
 
 
main.tf
main.tf
 
 
outputs.tf
outputs.tf
 
 
variables.tf
variables.tf
 
 

Repository files navigation

Workload Identity Federation

Image

Workload Identity Federation allows secure and efficient access to Google Cloud resources from external environments like AWS, Azure, on-premises Active Directory, and deployment services such as GitHub and GitLab. Instead of using traditional service account keys, which pose security risks, it leverages IAM roles and service account impersonation for streamlined access.

Key Components

Workload Identity Pools: Manage external identities, recommended to create distinct pools for different environments (development, staging, production).

Workload Identity Pool Providers: Define relationships between Google Cloud and identity providers, including AWS, Azure AD, GitHub, GitLab, Kubernetes clusters, Okta, AD FS, and Terraform.

Steps: Workload Identity Federation

Create Workload Identity Federation Pool

  1. Create a new Workload Identity Pool named GitLab with the ID gitlab
  2. Select OpenID Connect (OIDC) as Provider

Add Workload Identity Federation Provider to the Pool (multiple providers can be added in a pool)

  1. Select OpenID Connect (OIDC) as provider

  2. Write a new Workload Identity Provider named Gitlab Test with the ID gitlab-test

  3. Issuer URL: https://gitlab.com/ (with trailing slash)

  4. keep the default audience. (Add if needed)

    NOTE:

    • The address must use the https:// protocol.
    • The address must not end in a trailing slash.

  5. Configure the provider attributes mapping

    google.subject to assertion.sub

    attribute.project_path to assertion.project_path

  6. save it.

Grant permissions for Service Account impersonation

  1. Create a new service account named gitlab-test

  2. Grant IAM permissions For example, if you needed to upload a file to a Google Cloud Storage bucket in your GitLab CI/CD job, you would grant this Service Account the roles/storage.objectCreator role on your Cloud Storage bucket.

  3. Grant the external identity permission using the following command. External identities are expressed using the principalSet:// protocol.

    gcloud iam service-accounts add-iam-policy-binding gitlab-test@<gcp-project>.iam.gserviceaccount.com --role=roles/iam.workloadIdentityUser --member="principalSet://iam.googleapis.com/projects/906410504594/locations/global/workloadIdentityPools/gitlab/attribute.project_path/<gitlab-repository-path>"

    EXAMPLE

    gcloud iam service-accounts add-iam-policy-binding gitlab-test@<gcp-project>.iam.gserviceaccount.com --role=roles/iam.workloadIdentityUser --member="principalSet://iam.googleapis.com/projects/906410504594/locations/global/workloadIdentityPools/gitlab/attribute.project_path/ankitcharolia/gitlab-workload-identity"

rollout this tf module

inputs = {
    workload_identity_pool_id           = "gitlab-ci"
    workload_identity_pool_display_name = "gitlab-ci"
    workload_identity_pool_provider_id  = "terraform"
    service_account_name                = "gitlab-ci"
    service_account_display_name        = "gitlab-ci"
    service_account_description         = "service account for gitlab-ci"
}

Reference

About

Configure OpenID Connect with GCP Workload Identity Federation

Topics

gcp gitlab-ci openid openid-connect workload-identity workload-identity-federation

Resources

Readme
Activity

Stars

4 stars

Watchers

1 watching

Forks

1 fork
Report repository

Releases

No releases published

Packages

No packages published

Languages