Identity Federation with GCP

Identity Federation with Google Cloud Platform allows your Namespace workloads to identify themselves to GCP using short-lived, secure credentials.

To enable this federation, create a Workload Identity Pool and Provider for Namespace federation in GCP and configure service account impersonation.

Before you proceed, enable the GCP IAM service for your GCP project.

Enable IAM

Creating Workload Identity Pool and Provider

  • To create a workload identity pool using the gcloud CLI, run the following command:

    export POOL_ID=namespace-workload-pool

    gcloud iam workload-identity-pools create ${POOL_ID} --location="global"

  • Then create the identity provider and point it at the workload identity pool created in the previous step. The attribute mapping sets the Google subject to the tenant ID asserted in the Namespace token; that subject is what the service account binding below is keyed on:

    export PROVIDER_ID=namespace-id-provider

    gcloud iam workload-identity-pools providers create-oidc \
        ${PROVIDER_ID} \
        --location="global" \
        --workload-identity-pool=${POOL_ID} \
        --issuer-uri="https://federation.namespaceapis.com" \
        --attribute-mapping="google.subject=assertion.tenant_id"

Allow external workloads to impersonate the service account

To allow external identities to impersonate a service account, grant them the Workload Identity User role (roles/iam.workloadIdentityUser) on that service account.

  • Discover your project's number. Note that this is different from the project ID:

    export PROJECT_NUMBER=$(gcloud projects list \
      --filter="$(gcloud config get-value project)" \
      --format="value(PROJECT_NUMBER)")

    echo ${PROJECT_NUMBER}

  • Discover your tenant ID using nsc and jq:

    export TENANT_ID=$(nsc workspace describe -o json | jq -r '.tenant_id')

  • Allow the external identity to impersonate the service account. Remember to set the service account name, project ID and project number. The member is scoped to a single subject (your tenant ID), so only tokens carrying that tenant ID can impersonate the account:

    # Project ID of the project that owns the service account
    export PROJECT_ID=$(gcloud config get-value project)
    export SERVICE_ACCOUNT=<NAME>@${PROJECT_ID}.iam.gserviceaccount.com

    gcloud iam service-accounts add-iam-policy-binding \
        ${SERVICE_ACCOUNT} \
        --project="${PROJECT_ID}" \
        --role="roles/iam.workloadIdentityUser" \
        --member="principal://iam.googleapis.com/projects/${PROJECT_NUMBER}/locations/global/workloadIdentityPools/${POOL_ID}/subject/${TENANT_ID}"
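The following script is an added example and is not part of the Namespace documentation. It builds the member identifier used in the binding above and audits a service account's IAM policy (the JSON that `gcloud iam service-accounts get-iam-policy "$SERVICE_ACCOUNT" --format=json` returns) to confirm that roles/iam.workloadIdentityUser is granted to exactly the expected tenant subject and not to a pool-wide principalSet:// member. The two policies embedded in the script are constructed samples; the project number, pool name and tenant ID in them are placeholders.

```shell
#!/bin/sh
# Added example: audit a service account IAM policy for the Namespace federation
# binding. Uses only POSIX tools (tr, awk, grep) so it runs where jq is absent.

# Member identifier for one tenant's subject in the pool; this is the --member
# value passed to `gcloud iam service-accounts add-iam-policy-binding`.
# Arguments: PROJECT_NUMBER POOL_ID TENANT_ID
workload_member() {
  printf 'principal://iam.googleapis.com/projects/%s/locations/global/workloadIdentityPools/%s/subject/%s' "$1" "$2" "$3"
}

# policy_has_binding POLICY_JSON ROLE MEMBER
# Returns 0 when the binding object for ROLE lists MEMBER. Whitespace is
# stripped and each `}`-terminated chunk of the JSON is treated as one object,
# so the role and the member must appear inside the same binding.
policy_has_binding() {
  printf '%s' "$1" | tr -d '\n\t ' |
    awk -v role="\"role\":\"$2\"" -v member="\"$3\"" \
      'BEGIN { RS = "}" } index($0, role) && index($0, member) { found = 1 } END { exit !found }'
}

# policy_has_wildcard_member POLICY_JSON
# Returns 0 when any binding grants a principalSet:// member, i.e. every
# identity in the pool (or an attribute group) instead of one tenant subject.
policy_has_wildcard_member() {
  printf '%s' "$1" | tr -d '\n\t ' | grep -q '"principalSet://iam.googleapis.com/'
}

# Constructed sample: the binding the instructions above produce.
GOOD_POLICY='{
  "bindings": [
    {
      "members": [
        "principal://iam.googleapis.com/projects/123456789012/locations/global/workloadIdentityPools/namespace-workload-pool/subject/tenant-abc"
      ],
      "role": "roles/iam.workloadIdentityUser"
    }
  ],
  "etag": "BwXconstructed=",
  "version": 1
}'

# Constructed sample: an over-broad binding that lets every identity in the pool impersonate.
BROAD_POLICY='{
  "bindings": [
    {
      "members": [
        "principalSet://iam.googleapis.com/projects/123456789012/locations/global/workloadIdentityPools/namespace-workload-pool/*"
      ],
      "role": "roles/iam.workloadIdentityUser"
    }
  ],
  "etag": "BwXconstructed=",
  "version": 1
}'

# audit_policy POLICY_JSON PROJECT_NUMBER POOL_ID TENANT_ID
# Prints a verdict and returns 0 only when the policy binds the expected tenant
# subject and contains no pool-wide principalSet:// member.
audit_policy() {
  expected=$(workload_member "$2" "$3" "$4")
  if policy_has_wildcard_member "$1"; then
    echo "FAIL: a principalSet:// member grants impersonation to the whole pool"
    return 1
  fi
  if policy_has_binding "$1" roles/iam.workloadIdentityUser "$expected"; then
    echo "OK: $expected has roles/iam.workloadIdentityUser"
    return 0
  fi
  echo "FAIL: no roles/iam.workloadIdentityUser binding for $expected"
  return 1
}

audit_policy "$GOOD_POLICY" 123456789012 namespace-workload-pool tenant-abc
audit_policy "$BROAD_POLICY" 123456789012 namespace-workload-pool tenant-abc || true
```

To audit a real account, replace the constructed policies with `POLICY=$(gcloud iam service-accounts get-iam-policy "$SERVICE_ACCOUNT" --format=json)` and call `audit_policy "$POLICY" "$PROJECT_NUMBER" "$POOL_ID" "$TENANT_ID"`; a non-zero exit is the signal that the binding is missing or broader than one tenant.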

Obtaining GCP credentials from a Namespace workload

To obtain GCP credentials, run:

    nsc gcp impersonate --service_account $SERVICE_ACCOUNT \
        --workload_identity_provider /projects/${PROJECT_NUMBER}/locations/global/workloadIdentityPools/${POOL_ID}/providers/${PROVIDER_ID}

The command above prints GCP credentials in JSON format. You can also write them to a file by adding the --write_creds=<FILE> flag.