Terraform module to to configure workload identity federation for OIDC on GCP.
Traditionally, applications running outside Google Cloud have used long-lived JSON service account keys to access Google Cloud resources. Service account keys are powerful credentials and can represent a security risk if they are not managed correctly.
Benefits of identity federation include:
- Fine-grained scoping
- Short-lived credentials
- Minimal management overhead
Identity federation also allows the use of service accounts for authentication when key creation is disabled via organization policy constraints like constraints/iam.disableServiceAccountKeyCreation.
Required APIs & Services:
cloudresourcemanager.googleapis.comiam.googleapis.comiamcredentials.googleapis.comsts.googleapis.com
data "google_service_account" "preexisting" {
account_id = "preexisting"
}
module "github-wif" {
source = "mscribellito/workload-identity-federation/google"
project_id = var.project_id
pool_id = "github-pool"
provider_id = "github-provider"
attribute_mapping = {
"google.subject" = "assertion.sub"
"attribute.actor" = "assertion.actor"
"attribute.aud" = "assertion.aud"
"attribute.repository" = "assertion.repository"
}
issuer_uri = "https://token.actions.githubusercontent.com"
service_accounts = [
{
name = data.google_service_account.preexisting.name
attribute = "attribute.repository/my-org/my-repo"
all_identities = true
}
]
}| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| project_id | The ID of the project | string |
n/a | yes |
| pool_id | Workload Identity Pool ID | string |
n/a | yes |
| pool_display_name | Workload Identity Pool display name | string |
null |
no |
| pool_description | Workload Identity Pool description | string |
"Workload Identity Pool managed by Terraform" |
no |
| pool_disabled | Workload Identity Pool disabled | bool |
false |
no |
| provider_id | Workload Identity Pool Provider ID | string |
n/a | yes |
| provider_display_name | Workload Identity Pool Provider display name | string |
null |
no |
| provider_description | Workload Identity Pool Provider description | string |
"Workload Identity Pool Provider managed by Terraform" |
no |
| provider_disabled | Workload Identity Pool Provider disabled | bool |
false |
no |
| attribute_mapping | Workload Identity Pool Provider attribute mapping | map(any) |
n/a | yes |
| attribute_condition | Workload Identity Pool Provider attribute condition expression | string |
null |
no |
| allowed_audiences | Workload Identity Pool Provider allowed audiences | list(string) |
[] |
no |
| issuer_uri | Workload Identity Pool Provider issuer URL | string |
n/a | yes |
| service_accounts | Service Account resource names and corresponding provider attributes | list(object({ |
n/a | yes |
| Name | Description |
|---|---|
| pool_id | Identifier for the pool |
| pool_state | State of the pool |
| pool_name | Name for the pool |
| provider_id | Identifier for the provider |
| provider_state | State of the provider |
| provider_name | Name for the provider |