Configuring GCP IAM Workload Identity Pool

How do I configure a GCP IAM workload identity pool?

In this guide, we will configure a Google Cloud IAM Workload Identity Pool using Pulumi. Workload identity federation lets workloads that run outside Google Cloud (a CI system, another cloud, an on-premises host) exchange a token issued by an external OpenID Connect identity provider for short-lived Google Cloud credentials, so no service account keys have to be created or distributed. The pool is the container for those external identities; a provider inside the pool states which token issuer to trust and how the token's claims map onto Google Cloud attributes, and IAM bindings then decide what a mapped identity may do.

Key Points:

  • Define a Workload Identity Pool.
  • Configure an OIDC provider within the pool.
  • Map attributes from the external identity provider to Google Cloud.

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

// Create a Workload Identity Pool. The pool is the trust boundary: IAM bindings
// later refer to external identities by the pool's resource name.
const workloadIdentityPool = new gcp.iam.WorkloadIdentityPool("my-workload-identity-pool", {
    workloadIdentityPoolId: "my-wip",
    displayName: "My Workload Identity Pool",
    description: "A pool for managing external identities",
});

// Create an OIDC provider within the Workload Identity Pool
const workloadIdentityPoolProvider = new gcp.iam.WorkloadIdentityPoolProvider("my-workload-identity-pool-provider", {
    workloadIdentityPoolId: workloadIdentityPool.workloadIdentityPoolId,
    workloadIdentityPoolProviderId: "my-oidc-provider",
    displayName: "My OIDC Provider",
    description: "An OIDC provider for my workload identity pool",
    oidc: {
        // Placeholder issuer: replace it with the issuer URL of the external
        // identity provider whose tokens this provider should trust. Google
        // reads <issuerUri>/.well-known/openid-configuration to validate tokens.
        issuerUri: "https://accounts.google.com",
    },
    // Map claims of the external token onto Google Cloud attributes.
    // google.subject is mandatory and identifies the principal:// member;
    // attribute.* values can be used in attribute conditions and in
    // principalSet:// members.
    attributeMapping: {
        "google.subject": "assertion.sub",
        "attribute.actor": "assertion.actor",
    },
});

// Export the full resource names. `name` is the canonical
// projects/<project_number>/locations/global/workloadIdentityPools/... path
// that credential configurations and IAM bindings reference (the earlier
// console URL exports interpolated an Output inside a template string, which
// does not produce a usable string).
export const workloadIdentityPoolName = workloadIdentityPool.name;
export const workloadIdentityPoolProviderName = workloadIdentityPoolProvider.name;
// Audience value used in a credential configuration for this provider.
export const workloadIdentityAudience = pulumi.interpolate`//iam.googleapis.com/${workloadIdentityPoolProvider.name}`;

Summary:

In this guide, we created a Google Cloud IAM Workload Identity Pool and configured an OIDC provider within it using Pulumi. As written, the provider accepts any valid token from the configured issuer, and what a mapped identity can do is decided entirely by IAM bindings. Before relying on this in production, set an attributeCondition on the provider (a CEL expression over the mapped attributes, for example assertion.repository == "my-org/my-repo") so that only the intended external identities can exchange tokens at all, and grant access by binding a principal:// member (one subject) or a principalSet:// member (every identity sharing an attribute value) from the pool, typically roles/iam.workloadIdentityUser on the service account the workload should impersonate, rather than granting roles to the whole pool with a wildcard member.
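The checks described above, as an added example that is not code from the original page, from Pulumi or from Google: it builds the identifiers a pool provider exposes (resource names, default audience, principalSet member) and models the policy checks the token exchange applies to an external OIDC token, in order: issuer, audience, attribute mapping, attribute condition. The project number, pool and provider ids, the GitHub Actions issuer and the token claims are assumptions; the attribute condition is written as a function standing in for the CEL string, and token signature verification is assumed to have already happened.

```typescript
// Added example, not code from the original page or from Pulumi/Google: builds the
// identifiers a workload identity pool provider exposes and models the policy checks
// applied to an external OIDC token (issuer, audience, attribute mapping, attribute
// condition). Project number, ids, the GitHub Actions issuer and claims are assumptions.

interface ProviderRef {
    projectNumber: string; // numeric project number, not the project id
    poolId: string;
    providerId: string;
}

function poolName(ref: ProviderRef): string {
    return `projects/${ref.projectNumber}/locations/global/workloadIdentityPools/${ref.poolId}`;
}

function providerName(ref: ProviderRef): string {
    return `${poolName(ref)}/providers/${ref.providerId}`;
}

// Audience a token must carry when the provider sets no allowedAudiences.
function defaultAudience(ref: ProviderRef): string {
    return `https://iam.googleapis.com/${providerName(ref)}`;
}

// IAM member for every identity whose mapped attribute.<name> equals value.
function principalSetMember(ref: ProviderRef, attribute: string, value: string): string {
    return `principalSet://iam.googleapis.com/${poolName(ref)}/attribute.${attribute}/${value}`;
}

type Claims = Record<string, string | string[] | undefined>;

interface ProviderConfig {
    issuerUri: string;
    allowedAudiences: string[];
    attributeMapping: Record<string, string>; // only the "assertion.<claim>" form is modelled
    attributeCondition?: (attrs: Record<string, string>) => boolean; // stand-in for the CEL string
}

interface ExchangeResult { ok: boolean; reason: string; attributes: Record<string, string>; }

// Signature verification against the issuer's JWKS is assumed to have happened
// already; this models only the policy checks, in the order they apply.
function exchange(cfg: ProviderConfig, token: Claims): ExchangeResult {
    const attributes: Record<string, string> = {};
    if (token.iss !== cfg.issuerUri) {
        return { ok: false, reason: "issuer not trusted", attributes };
    }
    const aud = Array.isArray(token.aud) ? token.aud : token.aud ? [token.aud] : [];
    if (!aud.some(a => cfg.allowedAudiences.includes(a))) {
        return { ok: false, reason: "audience mismatch", attributes };
    }
    for (const [target, expr] of Object.entries(cfg.attributeMapping)) {
        const m = /^assertion\.([A-Za-z0-9_]+)$/.exec(expr);
        if (!m) {
            return { ok: false, reason: `unsupported mapping expression ${expr}`, attributes };
        }
        const value = token[m[1]];
        if (typeof value === "string") {
            attributes[target] = value;
        }
    }
    if (!attributes["google.subject"]) {
        return { ok: false, reason: "google.subject is required", attributes };
    }
    if (cfg.attributeCondition && !cfg.attributeCondition(attributes)) {
        return { ok: false, reason: "attribute condition failed", attributes };
    }
    return { ok: true, reason: "", attributes };
}

// Constructed sample data (assumptions): a provider trusting GitHub Actions and two
// token payloads from that issuer, one from our repository and one from a fork.
const ref: ProviderRef = { projectNumber: "123456789012", poolId: "my-wip", providerId: "github" };

const githubProvider: ProviderConfig = {
    issuerUri: "https://token.actions.githubusercontent.com",
    allowedAudiences: [defaultAudience(ref)],
    attributeMapping: {
        "google.subject": "assertion.sub",
        "attribute.actor": "assertion.actor",
        "attribute.repository": "assertion.repository",
    },
    // Equivalent CEL attributeCondition: assertion.repository == "my-org/my-repo"
    attributeCondition: attrs => attrs["attribute.repository"] === "my-org/my-repo",
};

const ourToken: Claims = {
    iss: "https://token.actions.githubusercontent.com",
    aud: defaultAudience(ref),
    sub: "repo:my-org/my-repo:ref:refs/heads/main",
    actor: "alice",
    repository: "my-org/my-repo",
};

const foreignToken: Claims = { ...ourToken, sub: "repo:someone-else/fork:ref:refs/heads/main", actor: "mallory", repository: "someone-else/fork" };

// Same provider without a condition: the fork's token exchanges too, and only the
// IAM bindings (which principal:// or principalSet:// members hold roles) limit it.
const openProvider: ProviderConfig = { ...githubProvider, attributeCondition: undefined };

// Member to grant roles/iam.workloadIdentityUser on the target service account for our repo only.
const repoMember = principalSetMember(ref, "repository", "my-org/my-repo");
```

With githubProvider, ourToken exchanges and foreignToken is rejected by the condition; with openProvider both exchange, which is why a provider without an attributeCondition should never be paired with a wildcard principalSet binding.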
