NashTech Blog

Authenticate Terraform With GCP Through GitLab CI – WIDF


Authenticating Terraform with Google Cloud Platform (GCP) in GitLab CI/CD can be streamlined by leveraging Workload Identity Federation (WIDF) and Service Account Impersonation. This approach eliminates the need for storing long-lived service account keys, improving security and compliance.

In this blog, we will guide you through the steps to set up Terraform authentication with GCP using WIDF and service account impersonation in GitLab CI/CD.

Prerequisites

Before we begin, ensure the following:

  1. A Google Cloud Platform (GCP) project with billing enabled.
  2. The Google Cloud SDK installed on your local machine for setting up initial configurations.
  3. Admin access to both GCP and GitLab.

Overview of Steps

  1. Enable Workload Identity Federation in GCP.
  2. Create a Service Account in GCP with required roles.
  3. Set up a Workload Identity Pool and Provider.
  4. Configure the Terraform provider.
  5. Implement the GitLab CI/CD pipeline.

Step 1: Enable Workload Identity Federation in GCP

  1. In the GCP Console, navigate to IAM & Admin > Workload Identity Federation.
  2. Create a new Workload Identity Pool.
    • Name: gitlab-widf-pool
    • Pool ID: gitlab-pool
    • Description: "Workload Identity Pool for GitLab CI/CD."

Step 2: Create a Service Account in GCP

  1. In the GCP Console, go to IAM & Admin > Service Accounts.
  2. Create a Service Account:
    • Name: terraform-sa
    • Email: terraform-sa@<project-id>.iam.gserviceaccount.com
  3. Grant the necessary roles to the service account, e.g.:
    • roles/owner (for testing only).
    • roles/iam.workloadIdentityUser.
  4. Allow identities from the Workload Identity Pool to impersonate this service account:

    Go to Service Accounts > terraform-sa > Grant Permission.

    Under Principal, add:
    principalSet://iam.googleapis.com/projects/PROJECT_ID/locations/global/workloadIdentityPools/POOL_ID/*

    Under Roles, add Workload Identity User (roles/iam.workloadIdentityUser) and Service Account Token Creator (roles/iam.serviceAccountTokenCreator).
    Click Save.

Step 3: Set Up Workload Identity Provider for GitLab

  1. In the GCP Console, go to IAM & Admin > Workload Identity Federation.
  2. Select the Workload Identity Pool created earlier (gitlab-widf-pool).
  3. Click on Add Provider and fill in the details:
    • Provider Type: OIDC.
    • Provider Name: gitlab-provider.
    • Issuer URL: https://gitlab.com.
  4. Under Attribute Mapping, configure:
    • google.subject mapped to assertion.sub.
    • attribute.namespace_id mapped to assertion.namespace_id
  5. Under Access Control, specify conditions to restrict access, e.g.,
    • Condition: assertion.namespace_id == 'GITLAB_GROUP_ID'.
  6. Click Add Provider to finalize.
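The same pool, provider, service account and bindings from Steps 1 to 3 can be created with gcloud instead of the console, which makes the setup reviewable and repeatable. The script below is an added example and not the blog's own code; the values for PROJECT_ID and GITLAB_GROUP_ID are constructed placeholders, and the function names (wif_pool_name, wif_provider_name, wif_principal_set, setup_gitlab_wif) and the script name are assumptions of this example. It goes slightly beyond the post in one respect: the principalSet it binds is scoped to the mapped namespace_id attribute rather than the pool-wide "/*" form, so only tokens from that one GitLab group can impersonate the service account. Note that pool and principal identifiers use the project number, not the project ID, which is why the script looks the number up first.

```shell
#!/bin/sh
# setup-gitlab-wif.sh: gcloud equivalent of Steps 1-3 (added example, not the blog's script).
# Placeholder inputs (constructed; override via the environment before running with "apply").
set -eu

PROJECT_ID="${PROJECT_ID:-my-gcp-project}"        # placeholder GCP project ID
GITLAB_GROUP_ID="${GITLAB_GROUP_ID:-12345678}"     # placeholder: numeric ID of the GitLab group
POOL_ID="${POOL_ID:-gitlab-pool}"
PROVIDER_ID="${PROVIDER_ID:-gitlab-provider}"
SA_NAME="${SA_NAME:-terraform-sa}"
SA_PROJECT_ROLE="${SA_PROJECT_ROLE:-roles/owner}"  # the post uses roles/owner for testing only; narrow it for real use

# Pool, provider and principal identifiers all use the project NUMBER, not the project ID.
wif_pool_name() {      # $1 = project number, $2 = pool id
  printf 'projects/%s/locations/global/workloadIdentityPools/%s' "$1" "$2"
}
wif_provider_name() {  # $1 = project number, $2 = pool id, $3 = provider id
  printf '%s/providers/%s' "$(wif_pool_name "$1" "$2")" "$3"
}
# Principal set limited to identities whose mapped attribute has one value. This is narrower
# than the pool-wide ".../POOL_ID/*" form in the post: only tokens from that GitLab group match.
wif_principal_set() {  # $1 = project number, $2 = pool id, $3 = attribute name, $4 = value
  printf 'principalSet://iam.googleapis.com/%s/attribute.%s/%s' "$(wif_pool_name "$1" "$2")" "$3" "$4"
}

setup_gitlab_wif() {
  PROJECT_NUMBER=$(gcloud projects describe "$PROJECT_ID" --format='value(projectNumber)')
  SA_EMAIL="$SA_NAME@$PROJECT_ID.iam.gserviceaccount.com"

  # Step 1: the pool
  gcloud iam workload-identity-pools create "$POOL_ID" \
    --project="$PROJECT_ID" --location=global \
    --display-name="gitlab-widf-pool" \
    --description="Workload Identity Pool for GitLab CI/CD"

  # Step 3: the OIDC provider. The attribute condition rejects tokens from any other GitLab
  # namespace before they can be exchanged for GCP credentials.
  gcloud iam workload-identity-pools providers create-oidc "$PROVIDER_ID" \
    --project="$PROJECT_ID" --location=global \
    --workload-identity-pool="$POOL_ID" \
    --issuer-uri="https://gitlab.com" \
    --attribute-mapping="google.subject=assertion.sub,attribute.namespace_id=assertion.namespace_id" \
    --attribute-condition="assertion.namespace_id == '$GITLAB_GROUP_ID'"

  # Step 2: the service account and its project role
  gcloud iam service-accounts create "$SA_NAME" --project="$PROJECT_ID" --display-name="$SA_NAME"
  gcloud projects add-iam-policy-binding "$PROJECT_ID" \
    --member="serviceAccount:$SA_EMAIL" --role="$SA_PROJECT_ROLE"

  # Step 2.4: let federated identities from the group impersonate the service account.
  # workloadIdentityUser allows the impersonation; serviceAccountTokenCreator is what the
  # Terraform provider's impersonate_service_account setting needs (generateAccessToken).
  MEMBER=$(wif_principal_set "$PROJECT_NUMBER" "$POOL_ID" namespace_id "$GITLAB_GROUP_ID")
  for role in roles/iam.workloadIdentityUser roles/iam.serviceAccountTokenCreator; do
    gcloud iam service-accounts add-iam-policy-binding "$SA_EMAIL" \
      --project="$PROJECT_ID" --member="$MEMBER" --role="$role"
  done

  # The job's ID token must carry this audience (see Step 5).
  echo "Token audience: https://iam.googleapis.com/$(wif_provider_name "$PROJECT_NUMBER" "$POOL_ID" "$PROVIDER_ID")"
}

# Only talk to GCP when explicitly asked: ./setup-gitlab-wif.sh apply
if [ "${1:-}" = "apply" ]; then
  setup_gitlab_wif
fi
```

Run it once per project with `./setup-gitlab-wif.sh apply` after exporting the real PROJECT_ID and GITLAB_GROUP_ID; the audience it prints at the end is the value the GitLab job must request in its ID token.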

Step 4: Configure Terraform Provider

Update your main.tf file to use the GCP provider and configure it for impersonation. No credentials argument or key file is needed: the provider picks up the federated credentials from the CI job's environment and then impersonates the service account.

variable "project_id" {
  type = string
}

provider "google" {
  project                     = var.project_id   # your GCP project ID
  impersonate_service_account = "terraform-sa@<project-id>.iam.gserviceaccount.com"
}

Step 5: Implement GitLab CI/CD Pipeline
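The blog's own pipeline definition is not reproduced on this copy of the page, so what follows is an added example, not the author's pipeline. It is the authentication script a GitLab job sources before running terraform. It assumes the job declares an ID token with GitLab's id_tokens keyword under the name GITLAB_OIDC_TOKEN, with aud set to https://iam.googleapis.com/ followed by the provider resource name, and that a CI variable GCP_WORKLOAD_IDENTITY_PROVIDER holds that resource name (projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/providers/PROVIDER_ID). The script name, the function names and the file names .ci_job_jwt and .gcp_temp_cred.json are assumptions of this example. It writes the same kind of external_account credential config that `gcloud iam workload-identity-pools create-cred-config` produces, so the only secret-like material on disk is the short-lived job token itself, and it checks the token's audience locally so a misconfigured aud fails with a readable message rather than an opaque error from the token exchange.

```shell
#!/bin/sh
# gcp-wif-auth.sh: sourced by the GitLab job before terraform runs (added example, not the blog's pipeline).
# Assumed job configuration:
#   id_tokens: GITLAB_OIDC_TOKEN: aud: https://iam.googleapis.com/<provider resource name>
#   CI variable GCP_WORKLOAD_IDENTITY_PROVIDER =
#     projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/providers/PROVIDER_ID
set -eu

# Read one top-level string claim from a JWT payload. No signature check: GCP's STS endpoint
# verifies the token; this is only a fail-fast check before the exchange is attempted.
jwt_claim() {  # $1 = token, $2 = claim name
  _payload=$(printf '%s' "$1" | cut -d. -f2 | tr '_-' '/+')
  case $(( ${#_payload} % 4 )) in
    2) _payload="${_payload}==" ;;
    3) _payload="${_payload}=" ;;
  esac
  printf '%s' "$_payload" | base64 -d 2>/dev/null \
    | sed -n "s/.*\"$2\":\"\([^\"]*\)\".*/\1/p"
}

# Write an external_account credential config (the same shape that
# "gcloud iam workload-identity-pools create-cred-config" emits). It points at the file holding
# the job's ID token; there is no key material in it. service_account_impersonation_url is left
# out because the Terraform provider's impersonate_service_account setting does the impersonation.
write_wif_credential_config() {  # $1 = provider resource name, $2 = token file, $3 = output file
  cat > "$3" <<EOF
{
  "type": "external_account",
  "audience": "//iam.googleapis.com/$1",
  "subject_token_type": "urn:ietf:params:oauth:token-type:jwt",
  "token_url": "https://sts.googleapis.com/v1/token",
  "credential_source": {
    "file": "$2",
    "format": { "type": "text" }
  }
}
EOF
}

# Stage the token and credential config in the work dir; print the credential config path.
# Rejects a token whose audience is not this provider (STS would refuse it anyway, but failing
# here gives a readable error instead of an opaque failure from the exchange).
wif_login() {  # $1 = provider resource name, $2 = ID token, $3 = work dir
  _token_file="$3/.ci_job_jwt"
  _cred_file="$3/.gcp_temp_cred.json"
  _aud=$(jwt_claim "$2" aud)
  if [ "$_aud" != "https://iam.googleapis.com/$1" ]; then
    echo "ID token audience '$_aud' does not match provider $1" >&2
    return 1
  fi
  ( umask 077; printf '%s' "$2" > "$_token_file" )
  write_wif_credential_config "$1" "$_token_file" "$_cred_file"
  printf '%s' "$_cred_file"
}

# Inside the job (GITLAB_OIDC_TOKEN is set by id_tokens), export ADC for terraform.
if [ -n "${GITLAB_OIDC_TOKEN:-}" ]; then
  GOOGLE_APPLICATION_CREDENTIALS=$(wif_login "$GCP_WORKLOAD_IDENTITY_PROVIDER" "$GITLAB_OIDC_TOKEN" "${CI_PROJECT_DIR:-$PWD}")
  export GOOGLE_APPLICATION_CREDENTIALS
fi
```

In .gitlab-ci.yml the terraform job then needs only the id_tokens entry described above and a script section of `. ./gcp-wif-auth.sh`, `terraform init` and `terraform apply`; because the script is sourced rather than executed, the exported GOOGLE_APPLICATION_CREDENTIALS stays visible to the terraform commands that follow. The token file and credential config are written with mode 0600 and live only for the duration of the job.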



That's it! Run this pipeline to create GCP resources with Terraform without any long-lived keys.

For more information on GCP WIDF, see the official GCP documentation.


Abhishek Tiwari
