GCP OIDC - support strings in project ID
Closed this issue · 2 comments
Right now we expect the project ID to be a number. A customer has asked us to support strings as well.

```yaml
gcp:
  login:
    fn::open::gcp-login:
      project:
      oidc:
        workloadPoolId:
        providerId:
        serviceAccount:
```
I don't think that this is possible, unfortunately.
All of the documentation, examples, etc. that I can find, including Google's official authentication action for GitHub Actions, explicitly expect the project number.

- STS API docs: https://cloud.google.com/iam/docs/reference/sts/rest/v1/TopLevel/token#request-body
- Official `google-github-actions/auth@v2` action documentation: https://github.com/google-github-actions/auth?tab=readme-ov-file#inputs-workload-identity-federation

From what I can tell, the most straightforward way to get the number for a project is to use the `gcloud` CLI to print the number to the terminal:

```
$ gcloud projects describe [project ID] --format="get(projectNumber)"
1234567890123
```
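The comment above explains why the numeric project number matters: Google's STS token exchange identifies the workload identity provider by an audience URI that embeds the project number, not the project ID. The following is an added example (not Pulumi's or Google's code) that checks the `project` field of an ESC-style `gcp-login` block before any exchange is attempted, distinguishes a project ID from a project number, and builds the audience string in the format Google documents for workload identity federation. The config dictionaries, pool, provider and service-account names are constructed placeholders.

```python
"""Fail early when an ESC gcp-login `project` value is a project ID
rather than the numeric project number the GCP STS API expects.
Added illustration; the config values below are constructed placeholders."""

import re

# Mirrors the fn::open::gcp-login shape from the issue; values are placeholders.
SAMPLE_CONFIG_OK = {
    "gcp": {"login": {"fn::open::gcp-login": {
        "project": "1234567890123",          # numeric project number (placeholder)
        "oidc": {
            "workloadPoolId": "example-pool",
            "providerId": "example-provider",
            "serviceAccount": "deploy@example-project.iam.gserviceaccount.com",
        },
    }}}
}

# Same block, but with a project ID string, the mistake the issue describes.
SAMPLE_CONFIG_BAD = {
    "gcp": {"login": {"fn::open::gcp-login": {
        "project": "example-project",
        "oidc": {
            "workloadPoolId": "example-pool",
            "providerId": "example-provider",
            "serviceAccount": "deploy@example-project.iam.gserviceaccount.com",
        },
    }}}
}

# A project number is all digits. A project ID is 6-30 chars of lowercase
# letters, digits and hyphens, starts with a letter and does not end in a hyphen.
PROJECT_NUMBER_RE = re.compile(r"^[0-9]+$")
PROJECT_ID_RE = re.compile(r"^[a-z][a-z0-9-]{4,28}[a-z0-9]$")


def classify_project(value) -> str:
    """Return 'number', 'id' or 'unknown' for a `project` value.
    YAML loaders turn an unquoted number into an int, so normalise to str."""
    text = str(value).strip()
    if PROJECT_NUMBER_RE.match(text):
        return "number"
    if PROJECT_ID_RE.match(text):
        return "id"
    return "unknown"


def sts_audience(login: dict) -> str:
    """Build the workload identity provider audience for the STS token
    exchange, or raise ValueError with a remediation hint when `project`
    is not a project number."""
    project = str(login["project"]).strip()
    kind = classify_project(project)
    if kind != "number":
        hint = ""
        if kind == "id":
            # Point the operator at the gcloud command from the comment above.
            hint = (f' (look it up with: gcloud projects describe {project}'
                    f' --format="get(projectNumber)")')
        raise ValueError(
            f"gcp-login `project` must be the numeric project number, got {project!r}{hint}")
    oidc = login["oidc"]
    return (f"//iam.googleapis.com/projects/{project}/locations/global/"
            f"workloadIdentityPools/{oidc['workloadPoolId']}/providers/{oidc['providerId']}")


def check_config(config: dict) -> str:
    """Convenience wrapper: walk the ESC structure and return the audience."""
    return sts_audience(config["gcp"]["login"]["fn::open::gcp-login"])


if __name__ == "__main__":
    print(check_config(SAMPLE_CONFIG_OK))
    try:
        check_config(SAMPLE_CONFIG_BAD)
    except ValueError as err:
        print("rejected:", err)
```

Running the validator before the OIDC exchange turns an opaque STS rejection into a message that names the field and the command that fixes it; the same check is cheap to run in CI over every environment file.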
@pgavlin Having bumped into it today and following a discussion on Slack with @automagic, here's some context:

The documentation related to the GCP OIDC configuration (https://www.pulumi.com/registry/packages/gcp/installation-configuration/ and https://www.pulumi.com/docs/pulumi-cloud/oidc/gcp/) makes it unclear what should be put in the `project` parameter of the `gcp-login` function.

There's a sentence "Enter the numerical ID of your Google Cloud project in the “Project ID” field." in the section https://www.pulumi.com/docs/pulumi-cloud/oidc/gcp/#pulumi-deployments-1, but that's in a dedicated section you can skip (I did); everywhere else it's labelled `project-id`, which is misleading.

You should at least change the label in the documentation to `project-number` to match Google's own nomenclature, and maybe add a note about how to retrieve it.