Secure Multi-Cloud Identity Federation with GCP Workload Identity Pool

Question

Pulumi · Accepted Answer

Creating a secure multi-cloud identity federation using GCP's Workload Identity Pool entails setting up a centralized system that allows workloads running on different clouds or on-premises to assume Google Cloud identities. This enables them to access Google Cloud resources without the need to manage traditional service account keys.

The main components involved are:

- **Workload Identity Pool**: Represents a collection of external identity providers that can be used to grant Google Cloud service accounts identity tokens when a workload provides a credential issued by an external identity provider.

- **Workload Identity Pool Provider**: Configures an external identity provider (like AWS or an OIDC provider) for the pool to federate with Google Cloud.

Here's a program written in Python using Pulumi which demonstrates how to set up a Workload Identity Pool and a Workload Identity Pool Provider.

```python
import pulumi
import pulumi_gcp as gcp

# Create a Workload Identity Pool.
identity_pool = gcp.iam.WorkloadIdentityPool("my-identity-pool",
    # Display name for the identity pool.
    display_name="My Identity Pool",
    # Determines whether the identity pool is disabled; false by default.
    disabled=False,
    # Description of the identity pool.
    description="Identity pool for multi-cloud federation"
)

# Create a Workload Identity Pool Provider for AWS.
# This assumes you already have existing AWS credentials configured which can be federated.
identity_pool_provider = gcp.iam.WorkloadIdentityPoolProvider("my-identity-pool-provider",
    # ID of the Workload Identity Pool in which this provider should be created.
    workload_identity_pool_id=identity_pool.id,
    # Display name for the Workload Identity Pool Provider.
    display_name="My AWS Identity Pool Provider",
    # The AWS account ID of the AWS identity provider to use.
    aws=gcp.iam.WorkloadIdentityPoolProviderAwsArgs(
        account_id="AWS_ACCOUNT_ID"
    ),
    # Description of the Workload Identity Pool Provider.
    description="AWS identity provider for my identity pool"
)

# Export the names of the identity pool and provider.
pulumi.export("identity_pool_name", identity_pool.name)
pulumi.export("identity_pool_provider_name", identity_pool_provider.name)
```

This program sets up the infrastructure for secure identity federation in Google Cloud Platform (GCP). Here's what each section does:

- **Workload Identity Pool**: We create a new identity pool called `my-identity-pool`. The `display_name` property is just a user-friendly name for the pool, while the `description` provides more details. Setting `disabled` to `False` means the pool is active and can provide tokens for authentication.

- **Workload Identity Pool Provider**: The `my-identity-pool-provider` represents the external identity provider we are configuring — in this case, AWS. The `workload_identity_pool_id` ties this provider to the identity pool we created above. The `display_name` and `description` serve similar purposes as in the pool, and `aws` configuration includes the AWS account ID you want to federate with GCP.

At the end of the program, we're using `pulumi.export` to output the names of both resources. This way, we can reference them later if needed.

Remember to replace `AWS_ACCOUNT_ID` with your actual AWS account ID before running this Pulumi program. Once the infrastructure is created, any federated AWS identity can be mapped to a Google Cloud service account, and the credentials obtained from Google Cloud can be used to authenticate to Google Cloud resources.