Workload Federation with GCP

Namespace relies on Workload Identity Federation to allow Namespace to interact with different systems, instead of relying on pre-shared keys which can be more easily compromised.

Accessing GCP resources from Namespace

Identity Federation with GCP allows your Namespace workloads to identify themselves to GCP using short-lived secure credentials.

To enable this federation, create a Workload Identity Pool and Provider for Namespace federation in GCP and configure service account impersonation.

Create a Workload Identity Pool and Provider

  1. Ensure IAM is enabled for your GCP project.

  2. Create a Workload Identity Pool using gcloud CLI:

    export POOL_ID=namespace-workload-pool
     
    gcloud iam workload-identity-pools create ${POOL_ID} \
        --location="global"

  3. Create an Identity Provider:

    export PROVIDER_ID=namespace-id-provider
     
    gcloud iam workload-identity-pools providers create-oidc \
        ${PROVIDER_ID} \
        --location="global" \
        --workload-identity-pool=${POOL_ID} \
        --issuer-uri="https://federation.namespaceapis.com" \
        --attribute-mapping="google.subject=assertion.tenant_id"

Configure service account impersonation

  1. Look up your GCP project number (note that this is different from the GCP project ID, which is also exported here because the later binding step needs it):

    export PROJECT_ID=$(gcloud config get-value project)
     
    export PROJECT_NUMBER=$(gcloud projects list \
         --filter="${PROJECT_ID}" \
         --format="value(PROJECT_NUMBER)")
     
    echo ${PROJECT_NUMBER}

  2. Open the Dashboard and copy your Workspace ID; it becomes the subject of the principal in the next step.

  3. Allow the Namespace workspace to impersonate the service account by granting the Workload Identity User role (roles/iam.workloadIdentityUser) on the service account to the principal that represents your workspace in the pool:

    export SERVICE_ACCOUNT=<NAME>@${PROJECT_ID}.iam.gserviceaccount.com
     
    gcloud iam service-accounts add-iam-policy-binding \
        ${SERVICE_ACCOUNT} \
        --project="${PROJECT_ID}" \
        --role="roles/iam.workloadIdentityUser" \
        --member="principal://iam.googleapis.com/projects/${PROJECT_NUMBER}/locations/global/workloadIdentityPools/${POOL_ID}/subject/<your-workspace-id>"
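
The binding above is the only thing that decides which external identities may impersonate the service account, so it is worth verifying that it names exactly your workspace and nothing wider. The following audit script is an added example, not part of Namespace's or Google's documentation; it assumes PROJECT_NUMBER, POOL_ID and SERVICE_ACCOUNT from the steps above plus a WORKSPACE_ID variable holding the value copied from the Dashboard, and reads the member list from gcloud (trailing comment) or from stdin.

```shell
#!/bin/sh
# Added audit script (not part of Namespace's or Google's documentation).
# Checks that roles/iam.workloadIdentityUser on the service account is held
# by exactly one principal: the subject for your workspace in your pool.
# Assumes PROJECT_NUMBER, POOL_ID and SERVICE_ACCOUNT from the steps above,
# and WORKSPACE_ID holding the value copied from the Dashboard.
set -eu

# expected_member PROJECT_NUMBER POOL_ID WORKSPACE_ID
# Builds the principal that the binding step is supposed to grant.
expected_member() {
  printf 'principal://iam.googleapis.com/projects/%s/locations/global/workloadIdentityPools/%s/subject/%s' \
    "$1" "$2" "$3"
}

# audit_members EXPECTED_MEMBER   (member strings on stdin, one per line)
# Prints "ok" and returns 0 only when the expected member is present and no
# other member holds the role. A pool-wide principalSet://.../* grant or a
# subject from another workspace widens who may impersonate, so both fail.
audit_members() {
  expected=$1
  found=0
  rc=0
  while IFS= read -r member; do
    [ -z "$member" ] && continue
    case "$member" in
      "$expected") found=1 ;;
      principalSet://*) echo "pool-wide grant: $member"; rc=1 ;;
      *) echo "unexpected member: $member"; rc=1 ;;
    esac
  done
  if [ "$found" -eq 0 ]; then
    echo "expected member missing: $expected"
    rc=1
  fi
  if [ "$rc" -eq 0 ]; then
    echo "ok"
  fi
  return "$rc"
}

# Live usage against GCP (requires gcloud and the variables listed above):
#   gcloud iam service-accounts get-iam-policy "$SERVICE_ACCOUNT" \
#       --flatten="bindings[].members" \
#       --filter="bindings.role:roles/iam.workloadIdentityUser" \
#       --format="value(bindings.members)" \
#     | audit_members "$(expected_member "$PROJECT_NUMBER" "$POOL_ID" "$WORKSPACE_ID")"
```

A non-zero exit lists every member that is not the expected workspace principal, so the script can also run in CI after each `add-iam-policy-binding` change.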

Access GCP resources from a Namespace workload

  1. Obtain GCP credentials:

    nsc gcp impersonate --service_account $SERVICE_ACCOUNT \
        --workload_identity_provider /projects/${PROJECT_NUMBER}/locations/global/workloadIdentityPools/${POOL_ID}/providers/${PROVIDER_ID} \
        --write_creds=gcp-creds.json

  2. Apply the obtained credentials:

    export GOOGLE_APPLICATION_CREDENTIALS=gcp-creds.json

  3. Access GCP resources:

    gcloud storage cp test.txt gs://your-bucket-name/test2.txt

Accessing Namespace resources from GCP

Identity Federation with GCP allows your GCP-based workloads to identify themselves to Namespace using short-lived secure credentials. To enable this federation, we rely on GCP's ability to generate OIDC tokens that can be exchanged for Namespace credentials.

Establish a trust relationship in Namespace

To establish a trust relationship between your GCP project and your Namespace workspace, contact our support team with your workspace ID (found in the Dashboard) and the unique ID of your service account, which you can retrieve with:

    gcloud iam service-accounts describe SERVICE_ACCOUNT_EMAIL --format="value(uniqueId)"

Obtain Namespace credentials from a GCP workload

Using a GCP service account or workload with the appropriate permissions, you can obtain Namespace credentials as follows:

  1. Generate a GCP OIDC token targeting Namespace:

    export OIDC_TOKEN=$(gcloud auth print-identity-token --audiences=https://federation.namespaceapis.com)

  2. Exchange the OIDC token for Namespace credentials:

    nsc auth exchange-oidc-token \
        --token $OIDC_TOKEN \
        --tenant_id <workspace-id>

    This command should succeed and print the name of the workspace you have signed in to. It stores a short-lived token that is used automatically in subsequent calls.