
Configure OpenID Connect with GCP Workload Identity Federation

Primary language: HCL

Workload Identity Federation


Workload Identity Federation allows secure and efficient access to Google Cloud resources from external environments like AWS, Azure, on-premises Active Directory, and deployment services such as GitHub and GitLab. Instead of using traditional service account keys, which pose security risks, it leverages IAM roles and service account impersonation for streamlined access.

Key Components

Workload Identity Pools: Manage external identities. It is recommended to create distinct pools for different environments (development, staging, production).

Workload Identity Pool Providers: Define relationships between Google Cloud and identity providers, including AWS, Azure AD, GitHub, GitLab, Kubernetes clusters, Okta, AD FS, and Terraform.

Create Workload Identity Federation Pool

  1. Create a new Workload Identity Pool named GitLab with the ID gitlab
  2. Select OpenID Connect (OIDC) as Provider

Add Workload Identity Federation Provider to the Pool (multiple providers can be added in a pool)

  1. Select OpenID Connect (OIDC) as provider

  2. Create a new Workload Identity Provider named Gitlab Test with the ID gitlab-test

  3. Issuer URL: https://gitlab.com/ (with trailing slash)

  4. Keep the default audience (add a custom audience if needed).

    NOTE:

    • The address must use the https:// protocol.
    • The address must not end in a trailing slash.
  5. Configure the provider attributes mapping

    google.subject to assertion.sub

    attribute.project_path to assertion.project_path

  6. Save it.

Grant permissions for Service Account impersonation

  1. Create a new service account named gitlab-test

  2. Grant IAM permissions. For example, if you needed to upload a file to a Google Cloud Storage bucket in your GitLab CI/CD job, you would grant this Service Account the roles/storage.objectCreator role on your Cloud Storage bucket.

  3. Grant the external identity permission using the following command. External identities are expressed using the principalSet:// identifier format.

    gcloud iam service-accounts add-iam-policy-binding gitlab-test@<gcp-project>.iam.gserviceaccount.com --role=roles/iam.workloadIdentityUser --member="principalSet://iam.googleapis.com/projects/906410504594/locations/global/workloadIdentityPools/gitlab/attribute.project_path/<gitlab-repository-path>"

    EXAMPLE

    gcloud iam service-accounts add-iam-policy-binding gitlab-test@<gcp-project>.iam.gserviceaccount.com --role=roles/iam.workloadIdentityUser --member="principalSet://iam.googleapis.com/projects/906410504594/locations/global/workloadIdentityPools/gitlab/attribute.project_path/ankitcharolia/gitlab-workload-identity"
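The pool, provider, attribute mapping and impersonation binding from the steps above, written as plain Terraform resources. This is an added example and not the code of this module; it assumes the google provider is configured for the target project, uses the page's pool/provider/service-account names, and adds an attribute_condition (an assumption beyond the console steps) so that only tokens from the listed GitLab project are accepted at all, not just denied at the binding.

```hcl
# Pool that holds the external (GitLab) identities.
resource "google_iam_workload_identity_pool" "gitlab" {
  workload_identity_pool_id = "gitlab"
  display_name              = "GitLab"
}

# OIDC provider for gitlab.com. Issuer value taken from step 3 above.
resource "google_iam_workload_identity_pool_provider" "gitlab_test" {
  workload_identity_pool_id          = google_iam_workload_identity_pool.gitlab.workload_identity_pool_id
  workload_identity_pool_provider_id = "gitlab-test"
  display_name                       = "Gitlab Test"

  # Step 5: map ID-token claims to Google attributes.
  attribute_mapping = {
    "google.subject"         = "assertion.sub"
    "attribute.project_path" = "assertion.project_path"
  }

  # Assumed hardening: reject tokens from any other GitLab project before
  # they reach IAM. Replace the path with your own repository path.
  attribute_condition = "assertion.project_path == \"ankitcharolia/gitlab-workload-identity\""

  oidc {
    issuer_uri = "https://gitlab.com/"
  }
}

# Service account that the CI job will impersonate (no keys are created).
resource "google_service_account" "gitlab_test" {
  account_id   = "gitlab-test"
  display_name = "gitlab-test"
}

# Equivalent of the gcloud add-iam-policy-binding command: the pool's
# "name" attribute already carries projects/<number>/locations/global/...,
# so the project number is not hardcoded here.
resource "google_service_account_iam_member" "gitlab_wif_user" {
  service_account_id = google_service_account.gitlab_test.name
  role               = "roles/iam.workloadIdentityUser"
  member             = "principalSet://iam.googleapis.com/${google_iam_workload_identity_pool.gitlab.name}/attribute.project_path/ankitcharolia/gitlab-workload-identity"
}
```

Resource-level permissions (for example roles/storage.objectCreator on a bucket) are granted to google_service_account.gitlab_test separately, as in step 2.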

Roll out this Terraform module with the following inputs:

    inputs = {
        workload_identity_pool_id           = "gitlab-ci"
        workload_identity_pool_display_name = "gitlab-ci"
        workload_identity_pool_provider_id  = "terraform"
        service_account_name                = "gitlab-ci"
        service_account_display_name        = "gitlab-ci"
        service_account_description         = "service account for gitlab-ci"
    }
