gcp2aws

AWS credential helper for GCP.

Call AWS API using GCP credentials.

Requirements

GCP
- Authenticate with gcloud auth application-default login
- Service Accounts that allow you to impersonate(roles/iam.serviceAccountTokenCreator)
AWS
- IAM Roles that allow service accounts to sts:AssumeRoleWithWebIdentity

Installation

Using `go install`

go install github.com/porkbeans/gcp2aws@latest

Using GitHub Releases

For locally (e.g. `~/.local/bin`)

curl -sSL '<TAR_GZ_URL>' | tar -xz -C ~/.local/bin gcp2aws

For globally (e.g. `/usr/local/bin`)

curl -sSL '<TAR_GZ_URL>' | sudo tar -xz --no-same-owner -C /usr/local/bin gcp2aws

Usage

SYNOPSIS
    gcp2aws -i <SERVICE ACCOUNT EMAIL> -r <ROLE ARN> [-d <DURATION>]

OPTIONS
    -i <SERVICE ACCOUNT EMAIL>
        Service account email to impersonate.
    -r <ROLE ARN>
        Role ARN to AssumeRoleWithWebIdentity.
    -d <DURATION>
        Credential duration. Accept format for Go time.ParseDuration.
        See https://pkg.go.dev/time#ParseDuration

Examples

See Terraform Example to set up GCP Service Account and AWS IAM Role.

AssumeRole with impersonated GCP service account identity.

~/.aws/config

[profile example]
credential_process = /path/to/gcp2aws -r <ROLE ARN> -i <SERVICE ACCOUNT EMAIL>
region = <YOUR REGION>

Development

Required tools

go for compiling and testing
GNU make for task runner
direnv for loading environment variables for tests
gibo for updating .gitignore boilerplate

Preparing

cp example.env secret.env and edit each values in secret.env for your test environment.
direnv allow
make test to confirm that you can run tests

Similar projects

https://github.com/doitintl/janus

porkbeans/gcp2aws