A CLI command tool to generate authentication files for gcloud or Cloud Client Library
Embed the `google-cloud-auth` image in your GitLab pipeline or CI/CD components and run `google-cloud-auth generate-credentials ...` to generate a Workload Identity Federation credential file, which can then be used to authenticate requests to GCP via gcloud or the Google Cloud Client Libraries.
To authenticate with gcloud, set `CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE` to the path of the generated credential file.
To authenticate with a Google Cloud Client Library, set `GOOGLE_APPLICATION_CREDENTIALS` to the path of the generated credential file.
- `oidc-jwt_env_var`: (Optional) The env var (without `$`) containing the full OIDC JWT provided by GitLab. It corresponds to `id_tokens.GCP_OIDC_JWT` in the GitLab CI/CD config:

  ```yaml
  id_tokens:
    GCP_OIDC_JWT:
      aud: ...
  ```

- `workload-identity-provider`: (Optional) The full identifier of the Workload Identity Provider, including the project number, pool name, and provider name. If provided, this must be the full identifier including all parts: `//iam.googleapis.com/projects/<project-number>/locations/global/workloadIdentityPools/<pool-id>/providers/<provider-id>`
- `service-account`: (Optional) Email address or unique identifier of the Google Cloud service account to impersonate when generating credentials. For example: `my-service-account@my-project.iam.gserviceaccount.com`
  Without this input, the GitLab components using this binary use Direct Workload Identity Federation. If this input is provided, they use Workload Identity Federation through a Service Account.
- `credentials-json-output-path`: (Optional) The full file path of the output credentials JSON. Defaults to `/tmp/gcp-credentials.json`.
- `credentials-json-env-var`: (Optional) The env var containing user-provided credentials. If provided, the credentials are written to `credentials-json-output-path`.
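The following GitLab CI job ties the options above together. It is an added example, not part of the project's README: the image reference, project number, pool and provider ids, and service-account email are placeholders, and the `--<option-name>` flag spelling mirrors the option names listed above but is an assumption about the binary's CLI syntax.

```yaml
# Added example (not from the project): a GitLab CI job that mints a Workload
# Identity Federation credential file with google-cloud-auth and then points
# gcloud and the Client Libraries at it.
# Assumptions: the image reference, the project number, pool/provider ids and
# the service-account email are placeholders; flags are assumed to be spelled
# `--<option-name>` after the option names documented above.
gcp-auth-job:
  image: registry.example.com/google-cloud-auth:latest   # placeholder image

  id_tokens:
    GCP_OIDC_JWT:
      # The audience must match what the Workload Identity Provider expects;
      # the provider's full resource URL is the usual choice. A mismatched
      # audience is rejected by the provider, which is the intended guard
      # against a token minted for one provider being replayed at another.
      aud: https://iam.googleapis.com/projects/123456789012/locations/global/workloadIdentityPools/gitlab-pool/providers/gitlab-provider

  variables:
    GCP_WIF_PROVIDER: "//iam.googleapis.com/projects/123456789012/locations/global/workloadIdentityPools/gitlab-pool/providers/gitlab-provider"
    GCP_SERVICE_ACCOUNT: "my-service-account@my-project.iam.gserviceaccount.com"
    GCP_CREDENTIALS_PATH: "/tmp/gcp-credentials.json"

  script:
    # Pass the *name* of the env var holding the JWT, not its value, so the
    # token never appears on the command line or in the job log.
    # Drop --service-account to use Direct Workload Identity Federation
    # (no impersonation; the federated identity is granted IAM roles directly).
    - >
      google-cloud-auth generate-credentials
      --oidc-jwt_env_var GCP_OIDC_JWT
      --workload-identity-provider "${GCP_WIF_PROVIDER}"
      --service-account "${GCP_SERVICE_ACCOUNT}"
      --credentials-json-output-path "${GCP_CREDENTIALS_PATH}"
    # gcloud reads CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE; the Client
    # Libraries read GOOGLE_APPLICATION_CREDENTIALS.
    - export CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE="${GCP_CREDENTIALS_PATH}"
    - export GOOGLE_APPLICATION_CREDENTIALS="${GCP_CREDENTIALS_PATH}"
    # Sanity check that gcloud picked up the federated credential.
    - gcloud auth list
```

The credential file lands under `/tmp` inside the job container and is not declared as an artifact, so it does not outlive the job; keep it that way rather than caching or uploading it, since the file contains the token-exchange configuration that lets its holder obtain GCP access tokens.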