authenticating GCP providers with workload identity federation.

[mikhail-khodorovskiy]

If you have a support request or question please submit them to one of these resources:

• Terraform community resources
• HashiCorp support (Terraform Enterprise customers)
• Google Cloud Platform Slack

Is there a way for provider to use
https://pkg.go.dev/golang.org/x/oauth2/google#hdr-Workload_Identity_Federation, specifically using https://cloud.google.com/iam/docs/access-resources-aws when the key was created using

gcloud beta iam workload-identity-pools create-cred-config
projects/project-number/locations/global/workloadIdentityPools/pool-id/providers/provider-id
--service-account=service-account-email
--output-file=filepath
--aws

and

GOOGLE_APPLICATION_CREDENTIALS points to the output file.

References

• b/182512166

[venkykuberan]

Have you tried using the creds created by the command ?. I don't have an AWS setup to test it, Please try running the provider with the creds created and let us know the behavior.

[slevenick]

We currently support impersonating service accounts using OAuth 2 tokens. Does this work for your use case?

[upodroid]

The oauth2 module is old.

 REDACTED  MCW0CDP3YY  ~  go  …  github.com  hashicorp  terraform-provider-google   ⚓ 6e2b7c8e6  $    git status
HEAD detached at v3.59.0
nothing to commit, working tree clean
 REDACTED  MCW0CDP3YY  ~  go  …  github.com  hashicorp  terraform-provider-google   ⚓ 6e2b7c8e6  $    go list -m golang.org/x/oauth2
golang.org/x/oauth2 v0.0.0-20201208152858-08078c50e5b5

Correct version is mentioned at https://cloud.google.com/iam/docs/access-resources-aws#generate-automatic

[upodroid]

One caveat is that the JSON file must be set via the GOOGLE_APPLICATION_CREDENTIALS.

terraform-provider-google/google/config.go

Line 834 in e1e9caf

func (c *Config) GetCredentials(clientScopes []string) (googleoauth.Credentials, error) {

DefaultTokenSource calls https://pkg.go.dev/golang.org/x/oauth2/google#FindDefaultCredentials which supports Workload Identity Fed.

[upodroid]

@mikhail-khodorovskiy This should be fixed in v3.61 of the provider which should be coming out soon.

The dependancy was bumped in #8686

[upodroid]

v3.61 of the provider has now been released. Please try it out.

[mikhail-khodorovskiy]

Using version 3.61 still produces the problem:

Error: Error applying IAM policy for service account 'projects/journi-dev-tools-ef29/serviceAccounts/janus-google@journi-dev-tools-ef29.iam.gserviceaccount.com': Error setting IAM policy for service account 'projects/journi-dev-tools-ef29/serviceAccounts/janus-google@journi-dev-tools-ef29.iam.gserviceaccount.com': googleapi: Error 400: The member principalSet://iam.googleapis.com/projects/723946056346/locations/global/workloadidentitypools/journi-dev-identity-pool/attribute.aws_role/arn:aws:sts::445930290302:assumed-role/circle-runner-stack-stage is of an unknown type. Please set a valid type prefix for the member., badRequest

off

provider "google-beta" {
  version = "~> 3.61.0"
  region  = var.region
}

resource "google_service_account_iam_member" "janus_google_sa_stack_stage_role" {
  provider           = google-beta
  service_account_id = google_service_account.janus.name
  role               = "roles/iam.workloadIdentityUser"
  member             = "principalSet://iam.googleapis.com/projects/${var.tools_project_number}/locations/global/workloadIdentityPools/${var.environment_name}-identity-pool/attribute.aws_role/arn:aws:sts::${var.paired_aws_account_id}:assumed-role/circle-runner-stack-stage"
}

3.62.0 beta provider does not work either.

[upodroid]

That error has nothing to do with the initial bug report.

It looks like this command is failing for you.

Run that with gcloud and see if the error is still happening. You may need to reach out to Google Support if you are unable to do this via gcloud.

[mikhail-khodorovskiy]

I had an error with id of the pool but even if I fixed it, the gcloud command now works but the google_service_account_iam_member does not:

# role to assume: arn:aws:iam::{aws_account_id}:role/circle-runner-stack-stage
resource "google_service_account_iam_member" "janus_google_sa_stack_stage_role" {
  count              = length(var.paired_aws_account_id) > 0 ? 1 : 0
  provider           = google-beta
  service_account_id = google_service_account.janus.name
  role               = "roles/iam.workloadIdentityUser"
  member             = "principalSet://iam.googleapis.com/projects/${var.tools_project_number}/locations/global/**workloadIdentityPools**/${local.identity_pool_id}/attribute.aws_role/arn:aws:sts::${var.paired_aws_account_id}:assumed-role/circle-runner-stack-stage"
  depends_on         = [google_iam_workload_identity_pool.identity_pool]
}

Terraform will perform the following actions:

  # module.journi-dev.module.external_service_accounts.google_service_account_iam_member.janus_google_sa_stack_stage_role[0] will be created
  + resource "google_service_account_iam_member" "janus_google_sa_stack_stage_role" {
      + etag               = (known after apply)
      + id                 = (known after apply)
      + member             = "principalSet://iam.googleapis.com/projects/723946056346/locations/global/workloadIdentityPools/journi-dev-aws-idp/attribute.aws_role/arn:aws:sts::445930290302:assumed-role/circle-runner-stack-stage"
      + role               = "roles/iam.workloadIdentityUser"
      + service_account_id = "projects/journi-dev-tools-ef29/serviceAccounts/janus-google@journi-dev-tools-ef29.iam.gserviceaccount.com"
    }

Plan: 1 to add, 0 to change, 0 to destroy.

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

module.journi-dev.module.external_service_accounts.google_service_account_iam_member.janus_google_sa_stack_stage_role[0]: Creating...

Error: Error applying IAM policy for service account 'projects/journi-dev-tools-ef29/serviceAccounts/janus-google@journi-dev-tools-ef29.iam.gserviceaccount.com': Error setting IAM policy for service account 'projects/journi-dev-tools-ef29/serviceAccounts/janus-google@journi-dev-tools-ef29.iam.gserviceaccount.com': googleapi: Error 400: The member principalSet://iam.googleapis.com/projects/723946056346/locations/global/**workloadidentitypools**/journi-dev-aws-idp/attribute.aws_role/arn:aws:sts::445930290302:assumed-role/circle-runner-stack-stage is of an unknown type. Please set a valid type prefix for the member., badRequest

  on ../../modules/external_service_accounts/main.tf line 85, in resource "google_service_account_iam_member" "janus_google_sa_stack_stage_role":
  85: resource "google_service_account_iam_member" "janus_google_sa_stack_stage_role" {

equivalent gcloud command:

 gcloud iam service-accounts add-iam-policy-binding janus-google@journi-dev-tools-ef29.iam.gserviceaccount.com --role roles/iam.workloadIdentityUser --member principalSet://iam.googleapis.com/projects/723946056346/locations/global/workloadIdentityPools/journi-dev-aws-idp/attribute.aws_role/arn:aws:sts::445930290302:assumed-role/circle-runner-stack-stage --project journi-dev-tools-ef29
Updated IAM policy for serviceAccount [janus-google@journi-dev-tools-ef29.iam.gserviceaccount.com].
bindings:
- members:
  - serviceAccount:janus-google@journi-dev-tools-ef29.iam.gserviceaccount.com
  role: roles/iam.serviceAccountKeyAdmin
- members:
  - principalSet://iam.googleapis.com/projects/723946056346/locations/global/workloadIdentityPools/journi-dev-aws-idp/attribute.aws_role/arn:aws:sts::445930290302:assumed-role/circle-runner-stack-stage
  role: roles/iam.workloadIdentityUser
etag: BwW_PtpN_vQ=
version: 1

[mikhail-khodorovskiy]

Looks like somehow the member is called to_lower before submitting to GCP API call where "workloadIdentityPools" needs to stay with case I described.

If I try to use gcloud all lower case, I get the same error as Terraform.

# role to assume: arn:aws:iam::{aws_account_id}:role/circle-runner-stack-stage
resource "google_service_account_iam_member" "janus_google_sa_stack_stage_role" {
  count              = length(var.paired_aws_account_id) > 0 ? 1 : 0
  provider           = google-beta
  service_account_id = google_service_account.janus.name
  role               = "roles/iam.workloadIdentityUser"
  member             = "principalSet://iam.googleapis.com/projects/${var.tools_project_number}/locations/global/workloadIdentityPools/${local.identity_pool_id}/attribute.aws_role/arn:aws:sts::${var.paired_aws_account_id}:assumed-role/circle-runner-stack-stage"
  depends_on         = [google_iam_workload_identity_pool.identity_pool]
}

workloadIdentityPools can't be lower cased before being submitted to GCP.

[upodroid]

yeah, that is a known issue #7852 . It is being worked on

[upodroid]

@rileykarson We can close this now. Both issues have been fixed.

[github-actions]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.