-
Notifications
You must be signed in to change notification settings - Fork 1.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
authenticating GCP providers with workload identity federation. #8671
Comments
Have you tried using the creds created by the command ?. I don't have an AWS setup to test it, Please try running the provider with the creds created and let us know the behavior. |
We currently support impersonating service accounts using OAuth 2 tokens. Does this work for your use case? |
The oauth2 module is old.
Correct version is mentioned at https://cloud.google.com/iam/docs/access-resources-aws#generate-automatic |
One caveat is that the JSON file must be set via the GOOGLE_APPLICATION_CREDENTIALS. terraform-provider-google/google/config.go Line 834 in e1e9caf
DefaultTokenSource calls https://pkg.go.dev/golang.org/x/oauth2/google#FindDefaultCredentials which supports Workload Identity Fed. |
@mikhail-khodorovskiy This should be fixed in v3.61 of the provider which should be coming out soon. The dependancy was bumped in #8686 |
v3.61 of the provider has now been released. Please try it out. |
Using version 3.61 still produces the problem:
off
3.62.0 beta provider does not work either. |
I had an error with id of the pool but even if I fixed it, the gcloud command now works but the google_service_account_iam_member does not:
equivalent gcloud command:
|
Looks like somehow the member is called to_lower before submitting to GCP API call where "workloadIdentityPools" needs to stay with case I described. If I try to use gcloud all lower case, I get the same error as Terraform.
workloadIdentityPools can't be lower cased before being submitted to GCP. |
yeah, that is a known issue #7852 . It is being worked on |
@rileykarson We can close this now. Both issues have been fixed. |
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. |
If you have a support request or question please submit them to one of these resources:
Is there a way for provider to use
https://pkg.go.dev/golang.org/x/oauth2/google#hdr-Workload_Identity_Federation, specifically using https://cloud.google.com/iam/docs/access-resources-aws when the key was created using
gcloud beta iam workload-identity-pools create-cred-config
projects/project-number/locations/global/workloadIdentityPools/pool-id/providers/provider-id
--service-account=service-account-email
--output-file=filepath
--aws
and
GOOGLE_APPLICATION_CREDENTIALS points to the output file.
References
The text was updated successfully, but these errors were encountered: