GCP Dynamic Provider Credentials
To use GCP Dynamic Provider Credentials to authenticate to GCP without storing any sensitive credential in a workspace, follow these steps:
Workload Identity Federation
To create an identity federation, open your GCP project and create a new identity pool.
Select OIDC, add a provider name, use the Terrakube API as the issuer URL, and leave the default audience.
You can copy the audience value without the "https"; this value will be required in your Terrakube workspace.
Set up the provider attribute mapping; it should look like the following:
[attribute mapping screenshot: OIDC 1 mapping and the attribute condition (CEL)]
Once the identity provider is created, we need to grant access to one particular service account that has the permissions required for our Terraform deployments.
Terrakube Workspace Setup
To enable GCP dynamic credentials in our workspace inside Terrakube, we need to add the following environment variables:
ENABLE_DYNAMIC_CREDENTIALS_GCP=true
WORKLOAD_IDENTITY_SERVICE_ACCOUNT_EMAIL=xxxx@xxxx.iam.gserviceaccount.com
WORKLOAD_IDENTITY_AUDIENCE_GCP=//iam.googleapis.com/projects/{{PROJECT-NUMBER}}/locations/global/workloadIdentityPools/{{PROJECT_NAME}}/providers/{{PROVIDER}}
Make sure there is no GOOGLE_CREDENTIALS or GOOGLE_APPLICATION_CREDENTIALS variable in your workspace configuration.
Your workspace should look like the following:
When your workspace job runs, Terrakube authenticates to your GCP project automatically without using any stored credential, as in the following example:
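The following is an added example (not Terrakube's own code) that checks a workspace's environment variables against the rules above (the three required variables, the audience copied without "https", and no static GOOGLE_CREDENTIALS / GOOGLE_APPLICATION_CREDENTIALS) and shows the generic GCP external_account credential configuration through which a file-sourced OIDC token is exchanged at STS and used to impersonate the service account. The sample values are constructed; how Terrakube itself performs the exchange internally is assumed, not taken from this page.

```python
import json
import re

# Expected shape of WORKLOAD_IDENTITY_AUDIENCE_GCP: the provider resource name without "https:".
AUDIENCE_RE = re.compile(
    r"^//iam\.googleapis\.com/projects/\d+/locations/global/"
    r"workloadIdentityPools/[a-z0-9-]+/providers/[a-z0-9-]+$"
)
SA_EMAIL_RE = re.compile(r"^[a-z][a-z0-9-]*@[a-z][a-z0-9-]*\.iam\.gserviceaccount\.com$")
STATIC_CREDENTIAL_VARS = ("GOOGLE_CREDENTIALS", "GOOGLE_APPLICATION_CREDENTIALS")


def check_workspace_env(env: dict) -> list:
    """Return the problems found in a workspace's GCP settings (empty list means OK)."""
    problems = []
    if env.get("ENABLE_DYNAMIC_CREDENTIALS_GCP", "").lower() != "true":
        problems.append("ENABLE_DYNAMIC_CREDENTIALS_GCP must be 'true'")
    if not SA_EMAIL_RE.match(env.get("WORKLOAD_IDENTITY_SERVICE_ACCOUNT_EMAIL", "")):
        problems.append("WORKLOAD_IDENTITY_SERVICE_ACCOUNT_EMAIL is not a service account email")
    audience = env.get("WORKLOAD_IDENTITY_AUDIENCE_GCP", "")
    if audience.startswith("https:"):
        problems.append("WORKLOAD_IDENTITY_AUDIENCE_GCP must be copied without the 'https:' prefix")
    elif not AUDIENCE_RE.match(audience):
        problems.append("WORKLOAD_IDENTITY_AUDIENCE_GCP is not a workload identity provider name")
    # A static key left in the workspace would bypass the federated identity entirely.
    for var in STATIC_CREDENTIAL_VARS:
        if var in env:
            problems.append(f"{var} is set; remove static credentials from the workspace")
    return problems


def build_external_account_config(audience: str, sa_email: str, token_file: str) -> dict:
    """Generic GCP external_account config: OIDC JWT from a file -> STS -> SA impersonation."""
    return {
        "type": "external_account",
        "audience": audience,
        "subject_token_type": "urn:ietf:params:oauth:token-type:jwt",
        "token_url": "https://sts.googleapis.com/v1/token",
        "service_account_impersonation_url": (
            "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/"
            f"{sa_email}:generateAccessToken"
        ),
        "credential_source": {"file": token_file},
    }


# Constructed sample workspace variables (values are illustrative, not a real project).
SAMPLE_ENV = {
    "ENABLE_DYNAMIC_CREDENTIALS_GCP": "true",
    "WORKLOAD_IDENTITY_SERVICE_ACCOUNT_EMAIL": "terrakube-deploy@example-project.iam.gserviceaccount.com",
    "WORKLOAD_IDENTITY_AUDIENCE_GCP": "//iam.googleapis.com/projects/123456789012/locations/global/"
    "workloadIdentityPools/terrakube-pool/providers/terrakube-oidc",
}

if __name__ == "__main__":
    print("problems:", check_workspace_env(SAMPLE_ENV))
    print(json.dumps(build_external_account_config(
        SAMPLE_ENV["WORKLOAD_IDENTITY_AUDIENCE_GCP"],
        SAMPLE_ENV["WORKLOAD_IDENTITY_SERVICE_ACCOUNT_EMAIL"], "/tmp/terrakube-oidc.jwt"), indent=2))
```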