With this Terraform module you can allow a Google Cloud service account to be impersonated ("logged into") through a Google Cloud Workload Identity Pool and Provider, without issuing a service account key. It works best together with the Terraform modules for GitHub Actions and GitLab CI.
Service account keys are long-lived credentials and a serious risk if compromised. Avoid service account keys and use Workload Identity Federation instead, which exchanges a short-lived OIDC token from the CI system for a Google Cloud access token. For more information about Workload Identity Federation and how best to authenticate service accounts on Google Cloud, see my GitHub repo Cyclenerd/google-workload-identity-federation.
Create the Workload Identity Pool and Provider:

```hcl
# Create Workload Identity Pool Provider for GitHub
module "github-wif" {
  source     = "Cyclenerd/wif-github/google"
  version    = "~> 1.0.0"
  project_id = "your-project-id"
}

# Get the Workload Identity Pool Provider resource name for GitHub Actions configuration
output "github-workload-identity-provider" {
  description = "The Workload Identity Provider resource name"
  value       = module.github-wif.provider_name
}
```

The Terraform module Cyclenerd/wif-github/google is used for this step.
Allow the service account to log in via the Workload Identity Provider and limit login to the GitHub repository octo-org/octo-repo:

```hcl
# Get existing service account for GitHub Actions
data "google_service_account" "github" {
  project    = "your-project-id"
  account_id = "existing-account-for-github-action"
}

# Allow service account to login via WIF
module "github-service-account" {
  source     = "Cyclenerd/wif-service-account/google"
  version    = "~> 1.0.0"
  project_id = "your-project-id"
  pool_name  = module.github-wif.pool_name
  account_id = data.google_service_account.github.account_id
  repository = "octo-org/octo-repo"
}
```
You can restrict it even further by checking the subject (attribute.sub) as well. The subject identifies the exact context a workflow runs in, so a binding on the subject is tighter than a binding on the repository alone. This example checks the subject and only allows login from the prod environment of the repository:

```hcl
# Allow service account to login via WIF
module "github-service-account" {
  source     = "Cyclenerd/wif-service-account/google"
  version    = "~> 1.0.0"
  project_id = "your-project-id"
  pool_name  = module.github-wif.pool_name
  account_id = data.google_service_account.github.account_id
  repository = "octo-org/octo-repo"
  subject    = "repo:octo-org/octo-repo:environment:prod"
}
```
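To make clear what the two restrictions above actually grant, here is the equivalent written as plain Terraform IAM bindings instead of through the module. This is an added example, not the module's own code, and it assumes the standard attribute mapping on the provider (`google.subject = assertion.sub` and `attribute.repository = assertion.repository`); the pool resource name shown is a placeholder of the expected shape, and the exact members the module creates may differ in detail.

```hcl
# Added example: the IAM grants that correspond to the "repository" and
# "subject" restrictions, expressed without the module.
# Assumption: the provider maps google.subject = assertion.sub and
# attribute.repository = assertion.repository.

variable "project_id" {
  default = "your-project-id"
}

variable "pool_name" {
  # Placeholder of the expected shape; use module.github-wif.pool_name in practice.
  # The project NUMBER (not the project ID) is part of the pool resource name.
  default = "projects/123456789012/locations/global/workloadIdentityPools/github"
}

data "google_service_account" "github" {
  project    = var.project_id
  account_id = "existing-account-for-github-action"
}

# Restriction by repository: ANY workflow run in octo-org/octo-repo
# (every branch, tag, pull request and environment) may impersonate
# the service account. principalSet:// matches a set of identities.
resource "google_service_account_iam_member" "repository" {
  service_account_id = data.google_service_account.github.name
  role               = "roles/iam.workloadIdentityUser"
  member             = "principalSet://iam.googleapis.com/${var.pool_name}/attribute.repository/octo-org/octo-repo"
}

# Restriction by subject: ONLY jobs that run in the "prod" environment of
# octo-org/octo-repo may impersonate the service account. principal://
# matches exactly one subject string, so a job on a branch without an
# environment (subject "repo:octo-org/octo-repo:ref:refs/heads/main")
# or a pull request (subject "repo:octo-org/octo-repo:pull_request")
# is denied.
resource "google_service_account_iam_member" "subject_prod" {
  service_account_id = data.google_service_account.github.name
  role               = "roles/iam.workloadIdentityUser"
  member             = "principal://iam.googleapis.com/${var.pool_name}/subject/repo:octo-org/octo-repo:environment:prod"
}
```

Two practical caveats when using the subject. First, GitHub only emits the `environment:` form of the subject when the job declares `environment: prod`; a job that merely runs on the main branch has the `ref:refs/heads/main` subject and will be rejected by the second binding, which is the intended behaviour. Second, protect the prod environment in GitHub (required reviewers, deployment branch restrictions), otherwise anyone who can open a workflow that references the environment gets the same token, and the tighter binding buys little.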
More examples
Name | Version |
---|---|
google | >= 4.61.0 |
Name | Description | Type | Default | Required |
---|---|---|---|---|
account_id | The account ID of the existing service account | string | n/a | yes |
pool_name | The resource name of the Workload Identity Pool | string | n/a | yes |
project_id | The ID of the project | string | n/a | yes |
repository | Repository path (e.g. 'Cyclenerd/google-workload-identity-federation') | string | n/a | yes |
subject | Subject (e.g. 'repo:username/reponame:ref:refs/heads/main') | string | null | no |
No outputs.
All files in this repository are under the Apache License, Version 2.0 unless noted otherwise.