Terraform module to to configure workload identity federation for OIDC on GCP.
Traditionally, applications running outside Google Cloud have used long-lived JSON service account keys to access Google Cloud resources. Service account keys are powerful credentials and can represent a security risk if they are not managed correctly.
Benefits of identity federation include:
- Fine-grained scoping
- Short-lived credentials
- Minimal management overhead
Identity federation also allows the use of service accounts for authentication when key creation is disabled via organization policy constraints like constraints/iam.disableServiceAccountKeyCreation
.
Required APIs & Services:
cloudresourcemanager.googleapis.com
iam.googleapis.com
iamcredentials.googleapis.com
sts.googleapis.com
data "google_service_account" "preexisting" {
account_id = "preexisting"
}
module "github-wif" {
source = "mscribellito/workload-identity-federation/google"
project_id = var.project_id
pool_id = "github-pool"
provider_id = "github-provider"
attribute_mapping = {
"google.subject" = "assertion.sub"
"attribute.actor" = "assertion.actor"
"attribute.aud" = "assertion.aud"
"attribute.repository" = "assertion.repository"
}
issuer_uri = "https://token.actions.githubusercontent.com"
service_accounts = [
{
name = data.google_service_account.preexisting.name
attribute = "attribute.repository/my-org/my-repo"
all_identities = true
}
]
}
Name | Description | Type | Default | Required |
---|---|---|---|---|
project_id | The ID of the project | string |
n/a | yes |
pool_id | Workload Identity Pool ID | string |
n/a | yes |
pool_display_name | Workload Identity Pool display name | string |
null |
no |
pool_description | Workload Identity Pool description | string |
"Workload Identity Pool managed by Terraform" |
no |
pool_disabled | Workload Identity Pool disabled | bool |
false |
no |
provider_id | Workload Identity Pool Provider ID | string |
n/a | yes |
provider_display_name | Workload Identity Pool Provider display name | string |
null |
no |
provider_description | Workload Identity Pool Provider description | string |
"Workload Identity Pool Provider managed by Terraform" |
no |
provider_disabled | Workload Identity Pool Provider disabled | bool |
false |
no |
attribute_mapping | Workload Identity Pool Provider attribute mapping | map(any) |
n/a | yes |
attribute_condition | Workload Identity Pool Provider attribute condition expression | string |
null |
no |
allowed_audiences | Workload Identity Pool Provider allowed audiences | list(string) |
[] |
no |
issuer_uri | Workload Identity Pool Provider issuer URL | string |
n/a | yes |
service_accounts | Service Account resource names and corresponding provider attributes | list(object({ |
n/a | yes |
Name | Description |
---|---|
pool_id | Identifier for the pool |
pool_state | State of the pool |
pool_name | Name for the pool |
provider_id | Identifier for the provider |
provider_state | State of the provider |
provider_name | Name for the provider |