Ability to set up workload identity with the workload identity pool

[jacek-jablonski]

Hi,
it seems it is currently not possible to set up workload identity with workload identity pool. I am trying to do it like that:

apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: wip
  annotations:
    cnrm.cloud.google.com/project-id: xxx
spec:
  member: principalSet://iam.googleapis.com/projects/123/locations/global/workloadIdentityPools/github-actions-identity-pool/attribute.repository_owner/xxx
  role: roles/iam.workloadIdentityUser
  resourceRef:
    apiVersion: iam.cnrm.cloud.google.com/v1beta1
    kind: IAMServiceAccount
    name: [email protected]

Unfortunately it doesn't validate, error shows:

spec.member in body should match '^(user|serviceAccount|group|domain|projectEditor|projectOwner|projectViewer):.+|allUsers|allAuthenticatedUsers$

Am I missing something, or this is not yet supported?

[toumorokoshi]

Hi! Thanks for the issue.

I've verified that this is probably some overly aggressive verification on our part. I believe the right choice is to simplify remove such checks from Config Connector and allow arbitrary strings, but I'll discuss within the team and follow up.

Noted that this is blocking the usage of workload identity pools in Config Connector.

[toumorokoshi]

Hi! I'm looking into this and it's easy enough to remove the format restrictions - but one concern raised was whether this would indeed allow you to set a principalSet in that fashion.

Would you mind pointing to some documentation or clarifying if you've tried this binding via API / some other medium and you've verified that will work?

[jacek-jablonski]

Hi!
I was following this guide mainly: https://github.com/google-github-actions/auth#setting-up-workload-identity-federation (especially point 8).
Also, this might be helpful: https://cloud.google.com/iam/docs/workload-identity-federation#impersonation

Thanks.

[toumorokoshi]

Thank you! that's helpful. I'm looking at a fix to remove the validation, I'll update once I have a clear ETA on a release (probably the first release of the new year in the first couple weeks of January).

[toumorokoshi]

Hello! a fix was merged in. You should see this fix in the next release, likely first or second week of Jan.

[jacek-jablonski]

Thank you!

[taisph]

I am getting this exact error in GKE right now. Regression?

spec.member: Invalid value: "principalSet://iam.googleapis.com/projects/1234567890/locations/global/workloadIdentityPools/some-id/attribute.repository_owner/some-owner": spec.member in body should match '^(user|serviceAccount|group|domain|projectEditor|projectOwner|projectViewer):.+|allUsers|allAuthenticatedUsers$'.

[diviner524]

@taisph This issue was fixed more than a year ago. If you are still seeing the error, it is possible you are using a very old version of Config Connector.

Are you using Config Connector through GKE Add-on? You can check the version of Config Connector first:

https://cloud.google.com/config-connector/docs/troubleshooting#check_the_version_of

[taisph]

@taisph This issue was fixed more than a year ago. If you are still seeing the error, it is possible you are using a very old version of Config Connector.

Are you using Config Connector through GKE Add-on? You can check the version of Config Connector first:

https://cloud.google.com/config-connector/docs/troubleshooting#check_the_version_of

I finally got some time to revisit this and it seems to work now. Yes, we are using the add-on. We're currently on v1.82. Don't know what version it was on when we last tried it but it must have been before v1.70 if I'm reading the release notes correctly.

Thanks for the help.