Automating AI Workload Permissions with GCP IAM Workload Identity Federation
Google Cloud's IAM Workload Identity Federation allows workloads running on other cloud providers, such as AWS or Azure, to access Google Cloud resources without the need for a service account key. Instead, you establish a trust relationship between Google Cloud and the external identity provider. This is achieved by configuring Workload Identity Pools and Providers within Google Cloud IAM.
Here's a rundown of what needs to be done to set this up:
- Workload Identity Pool: A container for workload identity providers. It represents a collection of identity providers whose external identities can be granted access to Google Cloud resources.
- Workload Identity Provider: Within the pool, you need to configure providers that describe how to federate with an external system such as AWS, Azure, or any OpenID Connect (OIDC)-compatible identity provider.
- IAM Policies: Policies to grant the appropriate permissions to the identities in the workload identity pool. This allows these federated identities to act as certain service accounts within Google Cloud.
Now, I'll walk you through setting this up using Pulumi with Python:
```python
import pulumi
import pulumi_gcp as gcp

# Create a Workload Identity Pool
identity_pool = gcp.iam.WorkloadIdentityPool("my_identity_pool",
    workload_identity_pool_id="my-identity-pool",  # required argument; placeholder ID
    display_name="My Identity Pool",
    description="Identity pool for external workload identities",
    # 'project' is optional and defaults to the provider's configured project.
)

# Create a Workload Identity Provider for AWS
# You'll need the AWS account ID and it's assumed you have set up the AWS provider with a trust relationship.
identity_provider = gcp.iam.WorkloadIdentityPoolProvider("my_identity_provider",
    # Short pool ID, not the full 'projects/.../workloadIdentityPools/...' resource name
    workload_identity_pool_id=identity_pool.workload_identity_pool_id,
    workload_identity_pool_provider_id="my-identity-provider",  # required argument; placeholder ID
    aws=gcp.iam.WorkloadIdentityPoolProviderAwsArgs(
        account_id="123456789012",
    ),
    display_name="My AWS Identity Provider",
    # 'attribute_mapping' may be used to map AWS role to Google service account
)

# A Google Cloud Service account to associate with the Workload Identity Provider
# (declared before the resources that reference it)
service_account = gcp.serviceaccount.Account("my_service_account",
    account_id="my-service-account",
    display_name="My Service Account",
)

# Example IAM Role (a project-level custom role)
example_role = gcp.projects.IAMCustomRole("example_role",
    role_id="exampleRole",
    title="My Example Role",
    description="An example IAM role.",
    permissions=["storage.objects.get", "storage.objects.list"],
)

# Grant the example role to the service account, so impersonating it carries these permissions
example_role_grant = gcp.projects.IAMMember("example_role_grant",
    project=service_account.project,
    role=example_role.name,
    member=service_account.email.apply(lambda email: f"serviceAccount:{email}"),
)

# IAM policy binding to allow identities from the Workload Identity Pool to impersonate the service account
iam_policy = gcp.serviceaccount.IAMBinding("my_service_account_iam_policy",
    service_account_id=service_account.name,
    role="roles/iam.workloadIdentityUser",
    # '/*' matches every identity in the pool; use '/attribute.<name>/<value>' to narrow it.
    members=[identity_pool.name.apply(lambda name: f"principalSet://iam.googleapis.com/{name}/*")],
)

# The output URL endpoint where external identities can request access tokens
# (identity_provider.name is already the full 'projects/.../providers/...' path)
identity_pool_provider_url = pulumi.Output.concat(
    "https://iam.googleapis.com/v1/", identity_provider.name
)

# Exporting the URL endpoint
pulumi.export('identity_pool_provider_url', identity_pool_provider_url)
```
In this program, we create a Workload Identity Pool (my_identity_pool) and an associated Workload Identity Provider (my_identity_provider) for AWS. Note that the AWS account ID is hypothetical and you'd need to replace it with the actual ID of your AWS account. We then define an IAM Role (example_role) with specific storage permissions, and a service account (my_service_account) to demonstrate how to provide access to Google Cloud resources.

The service account IAM policy binding (my_service_account_iam_policy) allows identities federated through the Workload Identity Provider to impersonate the defined service account, effectively granting them the defined IAM role's permissions.

Finally, we output (identity_pool_provider_url) the URL endpoint where external identities can request access tokens; they can use this URL to initiate the federation and authentication process.
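The principalSet member in the service account binding decides which federated identities may impersonate the service account. The following added example (not part of the original program) builds a member scoped to a single assumed AWS role and audits bindings for members that are malformed or cover the whole pool. It assumes the provider keeps the default AWS attribute.aws_role mapping; the project number, the role name ml-training and the sample bindings are constructed placeholders.

```python
import re

# Pool principal forms (Google Cloud IAM docs): principal://.../<pool>/subject/<value>,
# principalSet://.../<pool>/attribute.<name>/<value> and principalSet://.../<pool>/*
_MEMBER = re.compile(
    r"^(principal|principalSet)://iam\.googleapis\.com/projects/[^/]+"
    r"/locations/global/workloadIdentityPools/[a-z0-9-]+/(.+)$"
)


def pool_prefix(project_number, pool_id):
    return (f"principalSet://iam.googleapis.com/projects/{project_number}"
            f"/locations/global/workloadIdentityPools/{pool_id}")


def aws_role_member(project_number, pool_id, account_id, role_name):
    """Member for one assumed AWS role, via the default attribute.aws_role mapping."""
    return (f"{pool_prefix(project_number, pool_id)}/attribute.aws_role/"
            f"arn:aws:sts::{account_id}:assumed-role/{role_name}")


def classify_member(member):
    """Return 'subject', 'attribute', 'whole-pool' or 'invalid'."""
    m = _MEMBER.match(member)
    kind, rest = m.groups() if m else ("", "")
    if kind == "principal" and re.fullmatch(r"subject/.+", rest):
        return "subject"
    if kind == "principalSet" and rest == "*":
        return "whole-pool"
    if kind == "principalSet" and re.fullmatch(r"attribute\.[a-z0-9_]+/.+", rest):
        return "attribute"
    return "invalid"  # e.g. a path that names a provider instead of the pool


def audit(bindings):
    """Flag federated impersonation members that are malformed or span a whole pool."""
    return [
        (member, classify_member(member))
        for b in bindings if b["role"] == "roles/iam.workloadIdentityUser"
        for member in b["members"]
        if member.startswith("principal") and classify_member(member) in ("whole-pool", "invalid")
    ]


# Constructed sample: project number, role name and bindings are placeholders.
_P = pool_prefix("111111111111", "my-identity-pool")
SAMPLE = [{"role": "roles/iam.workloadIdentityUser", "members": [
    _P + "/*", _P + "/providers/my-identity-provider",
    aws_role_member("111111111111", "my-identity-pool", "123456789012", "ml-training")]}]
```

Running audit(SAMPLE) reports the whole-pool member and the provider-path member, and passes the role-scoped one.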