Please observe the next parameters within the picture:
protoPayload.authenticationInfo.principalSubject: The topic of the federated token. i.e. principal://iam.googleapis.com/tasks/987654321/places/world/workloadIdentityPools/GitHub-action-pool/topic/repo:sec-mik/application-repo:ref:refs/heads/foremost
metadata.identityDelegateChain: The service account for which short-lived credentials are generated, reminiscent of example-app-sa@production-secmik.iam.gserviceaccount.com
Seek advice from log examples for extra particulars.
Abstract
To summarize, we noticed how a GitHub repository was mapped as a principal to authenticate with Google Cloud utilizing a GitHub OIDC token, which was subsequently exchanged for Google Cloud credentials. As soon as authenticated, the IAM bindings for the corresponding service account carried out authorization checks and was granted entry accordingly.
Situation 2
Goal: Exhibit how two Terraform Cloud workspaces can use two separate however corresponding service accounts for provisioning.
On this situation, we’ll discover one other well-liked device within the IaC house that’s generally used as an orchestrator, Hashicorp Terraform Cloud and see how workload identification federation can be utilized in a similar way.
Under is an outline of what we’ll reveal.
Mappings (GitHub repo → Terraform Cloud Workspace → Google Cloud Service Account → Google Cloud challenge )
