GCP Dynamic Provider Credentials

GCP Dynamic Provider Credentials let a Terrakube workspace authenticate to GCP without storing any long-lived credential (such as a service account key) in the workspace. The setup has two parts: a Workload Identity Federation configuration in your GCP project and a few environment variables in the Terrakube workspace.

Workload Identity Federation

To create the federation, open your GCP project and create a new Workload Identity Pool.

Select OIDC as the provider type, enter a provider name, use the URL of your Terrakube API as the issuer URL, and leave the default audience.

Copy the audience value without the leading "https:" (the value starts with //iam.googleapis.com/...). You will need it in your Terrakube workspace.

Set up the provider attribute mapping and condition. The mapping should look like the following (Workload Identity Federation requires the google.subject attribute to be mapped):

  • Google 1: google.subject

  • OIDC 1: assertion.sub

Attribute condition (CEL):

assertion.sub.startsWith("organization:TERRAKUBE_ORGANIZATION_NAME:workspace:TERRAKUBE_WORKSPACE_NAME")

Note that startsWith is a prefix match: a condition for workspace "app" also accepts a workspace named "app-staging" in the same organization. Use the exact organization and workspace names, and keep the prefix as specific as the token subject allows, so that only the intended workspace can obtain credentials.

Once the identity provider is created, grant the pool's principals the Workload Identity User role (roles/iam.workloadIdentityUser) on one particular service account that holds the permissions required for your Terraform deployments. Terrakube jobs impersonate this account, so give it only the roles the deployments actually need.
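The GCP side of the setup above (pool, OIDC provider with the attribute mapping and CEL condition, and the impersonation grant), written in Terraform as an added example. This is not Terrakube's own code or configuration; the project ID, pool and provider IDs, service account name, issuer URL, and the organization and workspace names are assumptions to be replaced with your own values.

```hcl
# Added example, not from the Terrakube documentation. All IDs, names and
# the issuer URL are assumptions; replace them with your own values.

variable "project_id" {
  default = "my-gcp-project" # assumed
}

variable "terrakube_api_url" {
  # Assumed; must match the "iss" claim of the tokens your Terrakube API issues.
  default = "https://terrakube-api.example.com"
}

variable "terrakube_organization" {
  default = "simple" # assumed Terrakube organization name
}

variable "terrakube_workspace" {
  default = "simple" # assumed Terrakube workspace name
}

provider "google" {
  project = var.project_id
}

# Service account that Terrakube jobs impersonate. Grant it only the roles
# your Terraform deployments need; it is the identity that touches GCP.
resource "google_service_account" "terrakube" {
  account_id   = "terrakube-deployer" # assumed
  display_name = "Terrakube dynamic credentials"
}

resource "google_iam_workload_identity_pool" "terrakube" {
  workload_identity_pool_id = "terrakube-pool" # assumed
  display_name              = "Terrakube"
}

resource "google_iam_workload_identity_pool_provider" "terrakube" {
  workload_identity_pool_id          = google_iam_workload_identity_pool.terrakube.workload_identity_pool_id
  workload_identity_pool_provider_id = "terrakube-oidc" # assumed

  # Same mapping as in the console: Google 1 = google.subject, OIDC 1 = assertion.sub
  attribute_mapping = {
    "google.subject" = "assertion.sub"
  }

  # CEL condition from the page. startsWith is a prefix match, so it also admits
  # workspaces whose names merely begin with var.terrakube_workspace.
  attribute_condition = format(
    "assertion.sub.startsWith(\"organization:%s:workspace:%s\")",
    var.terrakube_organization,
    var.terrakube_workspace
  )

  oidc {
    issuer_uri = var.terrakube_api_url
    # allowed_audiences is left unset, which keeps the default audience:
    # the provider's full resource name.
  }
}

# Allow identities from this pool (filtered by the condition above) to
# impersonate the service account.
resource "google_service_account_iam_member" "terrakube_wif" {
  service_account_id = google_service_account.terrakube.name
  role               = "roles/iam.workloadIdentityUser"
  member             = "principalSet://iam.googleapis.com/${google_iam_workload_identity_pool.terrakube.name}/*"
}

# Values to paste into the Terrakube workspace environment variables.
output "workload_identity_service_account_email" {
  value = google_service_account.terrakube.email
}

output "workload_identity_audience_gcp" {
  value = "//iam.googleapis.com/${google_iam_workload_identity_pool_provider.terrakube.name}"
}
```

After terraform apply, the two outputs are the values for WORKLOAD_IDENTITY_SERVICE_ACCOUNT_EMAIL and WORKLOAD_IDENTITY_AUDIENCE_GCP in the Terrakube workspace. The principalSet member covers every identity in the pool, so the attribute condition on the provider is what restricts access to one organization and workspace; keep the two in sync.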

Terrakube Workspace Setup

To enable GCP dynamic credentials in a Terrakube workspace, add the following environment variables:

  • ENABLE_DYNAMIC_CREDENTIALS_GCP=true

  • WORKLOAD_IDENTITY_SERVICE_ACCOUNT_EMAIL=xxxx@xxxx.iam.gserviceaccount.com

  • WORKLOAD_IDENTITY_AUDIENCE_GCP=//iam.googleapis.com/projects/{{PROJECT_NUMBER}}/locations/global/workloadIdentityPools/{{POOL_ID}}/providers/{{PROVIDER_ID}}

Make sure the workspace configuration contains no GOOGLE_CREDENTIALS or GOOGLE_APPLICATION_CREDENTIALS variables. Dynamic credentials replace them, and leaving a static key in the workspace defeats the purpose of this setup.


When a workspace job runs, Terrakube authenticates to your GCP project automatically, without any stored credential, as in the following example:

terraform {
  cloud {
    organization = "simple"
    hostname = "8080-azbuilder-terrakube-2vs2w68kc0p.ws-us110.gitpod.io"

    workspaces {
      name = "simple"
    }
  }
}

# No credentials, access_token or key file is configured here: the job
# authenticates through Workload Identity Federation as the service account
# set in WORKLOAD_IDENTITY_SERVICE_ACCOUNT_EMAIL.
provider "google" {
  project     = "XXXXXXX"
  region      = "us-central1"
  zone        = "us-central1-c"
}

resource "google_storage_bucket" "auto-expire" {
  name          = "XXXXXXXXX"
  location      = "US"
  force_destroy = true

  # Block public access to the bucket regardless of IAM policy.
  public_access_prevention = "enforced"
}
