Gitlab and Workload Identity Federation on Google Cloud
Update 2023–06–02: CI_JOB_JWT_V2
was deprecated in GitLab 15.9 and is scheduled to be removed in GitLab 16.5. I updated this blog post to use ID tokens instead. A nice highlight is, that now the default audience from Workload Identity Federation can be used.
You can easily use Workload Identity Federation to securely consume Google Cloud APIs from your Gitlab CI pipeline, for example for pushing a Docker container image to Artifact Registry.
You will need to have IAM APIs enabled. Start with creating a Workload Identity pool for Gitlab first.
gcloud iam workload-identity-pools create gitlab \
--location="global" \
--display-name="Gitlab"
Next we need to configure the Gitlab provider for the pool.
gcloud iam workload-identity-pools providers create-oidc gitlab \
--location="global" \
--workload-identity-pool="gitlab" \
--issuer-uri="https://gitlab.com" \
--attribute-mapping="google.subject=assertion.sub"
Then we create a service account and grant the Gitlab repo access to the Service Account. You will need to replace PROJECT_NUMBER
and the Gitlab project path, that takes the form of project_path:GROUP/REPO:ref_type:branch:ref:main
gcloud iam service-accounts create gitlab-pipeline
gcloud iam service-accounts add-iam-policy-binding SERVICE_ACCOUNT_EMAIL \
--role=roles/iam.workloadIdentityUser --member=principal://iam.googleapis.com/projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/gitlab/subject/GITLAB_PROJECT_PATH
In your pipeline you can then use a credentials file for authentication against APIs, this is for example support by many client libraries, the gcloud CLI, or Terraform. Make sure to replace PROJECT_NUMBER
, PROJECT_ID
, POOL_ID
, PROVIDER_ID
and SERVICE_ACCOUNT_EMAIL
with the correct values.
stages:
- verify
example:
image: "google/cloud-sdk:slim"
id_tokens:
GITLAB_OIDC_TOKEN:
aud: https://iam.googleapis.com/projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/providers/PROVIDER_ID
script:
- |
echo "$GITLAB_OIDC_TOKEN" > token.txt
gcloud iam workload-identity-pools create-cred-config \
projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/providers/PROVIDER_ID \
--service-account=SERVICE_ACCOUNT_EMAIL \
--service-account-token-lifetime-seconds=600 \
--output-file=$CI_PROJECT_DIR/credentials.json \
--credential-source-file=token.txt
- "export GOOGLE_APPLICATION_CREDENTIALS=$CI_PROJECT_DIR/credentials.json"
- "gcloud auth login --cred-file=$CI_PROJECT_DIR/credentials.json"
- "gcloud auth print-access-token"
stage: verify
That’s all. No more exporting Service Account Keys, no fiddling around with cURL to manually call the IAM APIs. All you need is gcloud SDK the swiss army knife of interacting with Google Cloud APIs.
Thank you Ludovico for the simplified token loading!