May 25, 2024

[ad_1]

Please observe the next parameters within the picture:

protoPayload.authenticationInfo.principalSubject: The topic of the federated token. i.e. principal://iam.googleapis.com/tasks/987654321/places/world/workloadIdentityPools/GitHub-action-pool/topic/repo:sec-mik/application-repo:ref:refs/heads/foremost

metadata.identityDelegateChain: The service account for which short-lived credentials are generated, reminiscent of example-app-sa@production-secmik.iam.gserviceaccount.com

Seek advice from log examples for extra particulars.

Abstract

To summarize, we noticed how a GitHub repository was mapped as a principal to authenticate with Google Cloud utilizing a GitHub OIDC token, which was subsequently exchanged for Google Cloud credentials. As soon as authenticated, the IAM bindings for the corresponding service account carried out authorization checks and was granted entry accordingly.

Situation 2

Goal: Exhibit how two Terraform Cloud workspaces can use two separate however corresponding service accounts for provisioning. 

On this situation, we’ll discover one other well-liked device within the IaC house that’s generally used as an orchestrator, Hashicorp Terraform Cloud and see how workload identification federation can be utilized in a similar way. 

Under is an outline of what we’ll reveal.

Mappings (GitHub repo → Terraform Cloud Workspace → Google Cloud Service Account → Google Cloud challenge )

[ad_2]

Source link