Gcloud oidc connect full example

Integrations and Accounts
1

Is there a full example of authenticating to gcloud with OIDC identity federation?
Can not find one here.

Here is the terraform templates I use to configure oicd pool and provider at gcloud

resource "google_iam_workload_identity_pool" "circleci_oidc_pool" {
  provider                  = google-beta
  workload_identity_pool_id = "circleci-oidc-pool"
  project                   = var.project_id
  description               = "Workload Identity Pool for CircleCI managed by Terraform"
}

resource "google_iam_workload_identity_pool_provider" "circleci_oidc_provider" {
  provider                           = google-beta
  workload_identity_pool_provider_id = "circleci-oidc-provider"
  project                            = var.project_id
  workload_identity_pool_id          = google_iam_workload_identity_pool.circleci_oidc_pool.workload_identity_pool_id
  description                        = "Workload Identity Pool Provider for CircleCI managed by Terraform"
  attribute_mapping = {
    "google.subject"    = "assertion.sub"
    "attribute.aud"     = "assertion.aud"
    "attribute.project" = "assertion['oidc.circleci.com/project-id']"
  }

  oidc {
    allowed_audiences = []
    issuer_uri        = "https://oidc.circleci.com/org/${var.circleci_org_id}"
  }
}

# The service account that circleci oidc will assume
resource "google_service_account" "trf_srv_acc" {
  account_id   = "terraform"
  display_name = "Terraform-managed service account"
  project      = var.project_id
}

# service account connection with circleci workload identity federation
resource "google_service_account_iam_member" "trf_srv_acc_circleci" {
  service_account_id = google_service_account.trf_srv_acc.id
  role               = "roles/iam.workloadIdentityUser"
  member             = "principalSet://iam.googleapis.com/${google_iam_workload_identity_pool.circleci_oidc_pool.name}/attribute.project/${var.circleci_project_id}"
}

and here is circleci config to execute login and execute a bucket list with gloud

version: 2.1

orbs:
  gcp-cli: circleci/gcp-cli@2.4.1

jobs:
  gcp-auth:
    docker:
      - image: cimg/base:stable
    environment:
      GCP_WORKLOAD_IDENTITY_PROVIDER: "projects/XXXXXX/locations/global/workloadIdentityPools/circleci-oidc-pool/providers/circleci-oidc-provider"
      GCP_SERVICE_ACCOUNT: "terraform@xxxxxx.iam.gserviceaccount.com"
      GCP_PROJECT_ID: "xxxxxxxx"
    steps:
      - checkout
      - gcp-cli/install
      - run:
          name: "GCP auth"
          command: |
            echo ${CIRCLE_OIDC_TOKEN} > .ci_job_jwt_file
            gcloud iam workload-identity-pools create-cred-config ${GCP_WORKLOAD_IDENTITY_PROVIDER} \
              --service-account="${GCP_SERVICE_ACCOUNT}" \
              --output-file=.gcp_temp_cred.json \
              --credential-source-file=.ci_job_jwt_file
            gcloud auth login --cred-file=`pwd`/.gcp_temp_cred.json
            cat `pwd`/.gcp_temp_cred.json
            gcloud auth list
            gcloud alpha storage ls --recursive gs://xxxxxxxxx/**

workflows:
  gcp-auth-workflow:
    jobs:
      - gcp-auth:
          context: gcp

This produces following error

ERROR: gcloud crashed (OAuthError): ('Error code invalid_grant: The audience in ID Token [xxxxxxxxxxxxxx] does not match the expected audience.', '{"error":"invalid_grant","error_description":"The audience in ID Token [xxxxxxxxxxxxxx] does not match the expected audience."}')
1 Like
2

Solved
google_iam_workload_identity_pool_provider allowed audiences should include the circleci org id as in

resource "google_iam_workload_identity_pool_provider" "circleci_oidc_provider" {
  provider                           = google-beta
  workload_identity_pool_provider_id = "circleci-oidc-provider"
  project                            = var.project_id
  workload_identity_pool_id          = google_iam_workload_identity_pool.circleci_oidc_pool.workload_identity_pool_id
  description                        = "Workload Identity Pool Provider for CircleCI managed by Terraform"
  attribute_mapping = {
    "google.subject"    = "assertion.sub"
    "attribute.aud"     = "assertion.aud"
    "attribute.project" = "assertion['oidc.circleci.com/project-id']"
  }

  oidc {
    allowed_audiences = [
        var.circleci_org_id
    ]
    issuer_uri        = "https://oidc.circleci.com/org/${var.circleci_org_id}"
  }
}
3

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.