Enabling Cross-Project Resource Access with GCP IAM Workload Identity Pools
To enable cross-project resource access using GCP (Google Cloud Platform) IAM Workload Identity Pools, you'll need to set up resources that define how external identities (like identities from other GCP projects or even other clouds) can assume GCP IAM roles and access GCP resources.
Below is a step-by-step guide to creating a Workload Identity Pool and a Workload Identity Pool Provider in Pulumi using the Python programming language. This setup is necessary to enable cross-project resource access.
- Create a Workload Identity Pool: This is a container for workload identities from an external source (like another GCP project, AWS account, or any OIDC provider).
- Create a Workload Identity Pool Provider: This is configured within the pool to apply specific access rules for the identity provider and how it maps to GCP IAM roles.
Let's walk through what each part of this setup looks like in Pulumi using Python.
First, you will need to have Pulumi and the GCP Pulumi provider installed and configured with credentials that can communicate with your GCP account. Make sure these prerequisites are in place before running the program below.
```python
import pulumi
import pulumi_gcp as gcp

# Placeholder inputs: replace with your GCP project ID, the desired pool and
# provider IDs, and the issuer URL of your OIDC provider.
project_id = "my-gcp-project"
pool_id = "my-pool"
provider_id = "my-provider"
issuer_url = "https://issuer.example.com"

# Define the Workload Identity Pool
identity_pool = gcp.iam.WorkloadIdentityPool(
    "my-workload-identity-pool",
    project=project_id,
    workload_identity_pool_id=pool_id,
    description="My Workload Identity Pool",
    disabled=False,
    display_name="My Pool",
)

# Define the Workload Identity Pool Provider
# In this example, we create an OIDC provider with an issuer URL and attribute mapping.
identity_pool_provider = gcp.iam.WorkloadIdentityPoolProvider(
    "my-workload-identity-pool-provider",
    project=project_id,
    workload_identity_pool_id=identity_pool.workload_identity_pool_id,
    workload_identity_pool_provider_id=provider_id,
    display_name="My Provider",
    oidc=gcp.iam.WorkloadIdentityPoolProviderOidcArgs(
        issuer_uri=issuer_url,
        allowed_audiences=["my-audience"],  # Example audience; replace with your allowed audience(s)
    ),
    attribute_mapping={
        "google.subject": "assertion.sub",
        # Additional attribute mappings are possible to map your identity
        # provider's claims to Google Cloud attributes.
    },
)

# Outputs
pulumi.export("identity_pool_id", identity_pool.workload_identity_pool_id)
pulumi.export("identity_pool_provider_name", identity_pool_provider.name)
```
In this program:
- `pulumi_gcp.iam.WorkloadIdentityPool` creates a new Workload Identity Pool within the specified GCP project.
- `pulumi_gcp.iam.WorkloadIdentityPoolProvider` sets up a provider within the pool, which can be configured for an external identity provider, such as AWS or an OIDC provider.
- The `attribute_mapping` specifies how claims from the external identity provider map to Google Cloud IAM attributes.
- The `allowed_audiences` field within the OIDC provider configuration should contain an audience that is expected in the OIDC token. This ensures that only tokens intended for your application/service will be considered valid.

When you have this program written, you can deploy it with Pulumi. As your application authenticates with the external identity provider, you can use the mapped identities to assume roles in the GCP project and access resources, achieving cross-project resource access. Note that you will also need to set IAM policies that grant the appropriate roles to the identities in the Workload Identity Pool.
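The note above leaves the IAM policy step open. The following is an added example, not code from the original page or from Pulumi: it builds the `principal://` (single subject) and `principalSet://` (all identities sharing a mapped attribute, or the whole pool) member strings that GCP IAM expects for pool identities, checks a provider configuration the way a reviewer would before `pulumi up` (https issuer, a pinned audience, `google.subject` mapped, and an `attribute_condition`, which is a real argument of `gcp.iam.WorkloadIdentityPoolProvider`, so that not every token from the issuer is admitted into the pool), and binds a chosen member to a service account with `roles/iam.workloadIdentityUser` through `gcp.serviceaccount.IAMMember`. One caveat it encodes: member strings use the numeric project number, not the project ID. The project number, pool ID, subject, `environment` attribute and service account below are assumed placeholder values; the Pulumi import is deferred into `bind_service_account()` so the helpers run without a Pulumi engine.

```python
"""Least-privilege IAM wiring for Workload Identity Pool identities (added example).

Assumes a pool and provider already exist (for instance, created as in the
program above). Everything that needs Pulumi is deferred to
bind_service_account(), so the pure helpers can run and be tested offline.
"""
from typing import Dict, Optional

# Note: IAM member strings for pool identities take the numeric project NUMBER,
# not the project ID used when creating the pool.
WIF_PREFIX = (
    "iam.googleapis.com/projects/{project_number}"
    "/locations/global/workloadIdentityPools/{pool_id}"
)


def principal_member(project_number: str, pool_id: str, subject: str) -> str:
    """IAM member for exactly one external identity (its mapped google.subject)."""
    base = WIF_PREFIX.format(project_number=project_number, pool_id=pool_id)
    return f"principal://{base}/subject/{subject}"


def principal_set_member(project_number: str, pool_id: str,
                         attribute: Optional[str] = None,
                         value: Optional[str] = None) -> str:
    """IAM member for a group of identities selected by a mapped attribute.

    With no attribute this is every identity in the pool ('*'), the broadest
    possible grant, which should be a deliberate choice rather than a default.
    """
    base = WIF_PREFIX.format(project_number=project_number, pool_id=pool_id)
    if attribute is None:
        return f"principalSet://{base}/*"
    if value is None:
        raise ValueError("a value is required when an attribute is given")
    return f"principalSet://{base}/attribute.{attribute}/{value}"


def provider_guardrails(issuer_uri: str, audience: str,
                        attribute_mapping: Dict[str, str],
                        attribute_condition: str) -> Dict[str, object]:
    """Validate OIDC provider settings before they are applied.

    Rejects: a non-https issuer, an empty audience (allowed_audiences must pin
    the token's aud), a mapping that does not set google.subject (nothing could
    then be bound to a principal), and an empty attribute_condition (every
    token from the issuer would be admitted into the pool).
    """
    if not issuer_uri.startswith("https://"):
        raise ValueError("issuer_uri must use https")
    if not audience:
        raise ValueError("an allowed audience is required")
    if "google.subject" not in attribute_mapping:
        raise ValueError("attribute_mapping must map google.subject")
    if not attribute_condition.strip():
        raise ValueError("attribute_condition must restrict admitted identities")
    return {
        "issuer_uri": issuer_uri,
        "allowed_audiences": [audience],
        "attribute_mapping": dict(attribute_mapping),
        "attribute_condition": attribute_condition,
    }


def bind_service_account(name: str, project_id: str,
                         service_account_email: str, member: str):
    """Allow `member` (a pool identity) to impersonate one service account.

    Only roles/iam.workloadIdentityUser is granted here; the service account's
    own roles decide what the workload can then reach.
    """
    import pulumi_gcp as gcp  # imported lazily so the helpers above need no Pulumi engine

    return gcp.serviceaccount.IAMMember(
        name,
        service_account_id=f"projects/{project_id}/serviceAccounts/{service_account_email}",
        role="roles/iam.workloadIdentityUser",
        member=member,
    )


if __name__ == "__main__":
    # Constructed placeholder values, not real identifiers.
    provider_args = provider_guardrails(
        issuer_uri="https://issuer.example.com",
        audience="my-audience",
        attribute_mapping={"google.subject": "assertion.sub",
                           "attribute.environment": "assertion.env"},
        attribute_condition="attribute.environment == 'prod'",
    )
    member = principal_set_member("123456789012", "my-pool", "environment", "prod")
    print(provider_args["attribute_condition"], member)
    # bind_service_account("prod-workloads", "my-gcp-project",
    #                      "ci@my-gcp-project.iam.gserviceaccount.com", member)
```

The guardrail function is the piece worth keeping in a real stack: run it over the arguments before handing them to `gcp.iam.WorkloadIdentityPoolProvider`, and the most common misconfiguration (a pool that accepts every identity the issuer will vouch for) fails at preview time rather than after deployment.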
For more detailed instructions on implementing Workload Identity Pools, refer to the Pulumi GCP IAM Workload Identity Pool documentation; for Workload Identity Pool Providers, the corresponding official documentation covers the provider-specific settings.