Gitlab and Workload Identity Federation on Google Cloud

Christoph Grotz
Google Cloud - Community
2 min readSep 21, 2022

Update 2023–06–02: CI_JOB_JWT_V2 was deprecated in GitLab 15.9 and is scheduled to be removed in GitLab 16.5. I updated this blog post to use ID tokens instead. A nice highlight is, that now the default audience from Workload Identity Federation can be used.

You can easily use Workload Identity Federation to securely consume Google Cloud APIs from your Gitlab CI pipeline, for example for pushing a Docker container image to Artifact Registry.

Photo by Denise Jans on Unsplash

You will need to have IAM APIs enabled. Start with creating a Workload Identity pool for Gitlab first.

gcloud iam workload-identity-pools create gitlab \
--location="global" \
--display-name="Gitlab"

Next we need to configure the Gitlab provider for the pool.

gcloud iam workload-identity-pools providers create-oidc gitlab \
--location="global" \
--workload-identity-pool="gitlab" \
--issuer-uri="https://gitlab.com" \
--attribute-mapping="google.subject=assertion.sub"

Then we create a service account and grant the Gitlab repo access to the Service Account. You will need to replace PROJECT_NUMBER and the Gitlab project path, that takes the form of project_path:GROUP/REPO:ref_type:branch:ref:main

gcloud iam service-accounts create gitlab-pipeline
gcloud iam service-accounts add-iam-policy-binding SERVICE_ACCOUNT_EMAIL \
--role=roles/iam.workloadIdentityUser --member=principal://iam.googleapis.com/projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/gitlab/subject/GITLAB_PROJECT_PATH

In your pipeline you can then use a credentials file for authentication against APIs, this is for example support by many client libraries, the gcloud CLI, or Terraform. Make sure to replace PROJECT_NUMBER, PROJECT_ID, POOL_ID, PROVIDER_ID and SERVICE_ACCOUNT_EMAIL with the correct values.

stages: 
- verify
example:
image: "google/cloud-sdk:slim"
id_tokens:
GITLAB_OIDC_TOKEN:
aud: https://iam.googleapis.com/projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/providers/PROVIDER_ID
script:
- |
echo "$GITLAB_OIDC_TOKEN" > token.txt
gcloud iam workload-identity-pools create-cred-config \
projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/providers/PROVIDER_ID \
--service-account=SERVICE_ACCOUNT_EMAIL \
--service-account-token-lifetime-seconds=600 \
--output-file=$CI_PROJECT_DIR/credentials.json \
--credential-source-file=token.txt
- "export GOOGLE_APPLICATION_CREDENTIALS=$CI_PROJECT_DIR/credentials.json"
- "gcloud auth login --cred-file=$CI_PROJECT_DIR/credentials.json"
- "gcloud auth print-access-token"
stage: verify

That’s all. No more exporting Service Account Keys, no fiddling around with cURL to manually call the IAM APIs. All you need is gcloud SDK the swiss army knife of interacting with Google Cloud APIs.

Thank you Ludovico for the simplified token loading!

--

--

Google Cloud - Community
Google Cloud - Community

Published in Google Cloud - Community

A collection of technical articles and blogs published or curated by Google Cloud Developer Advocates. The views expressed are those of the authors and don't necessarily reflect those of Google.

Christoph Grotz
Christoph Grotz

Written by Christoph Grotz

I’m a technology enthusiast and focusing on Digital Transformation, Internet of Things and Cloud.

No responses yet