OIDC With Google Cloud Platform

How to authenticate the env0 runner using GCP and OIDC

This guide is to help you connect to GCP with OIDC, instead of using static credentials.

Overview

This guide shows how to create a GCP Workload Identity Federation pool and provider and attach it to a Service Account, so that GCP exchanges env0's OIDC token for temporary credentials instead of relying on static keys. Refer to env0's OIDC configuration for the token details.

Workload Identity Federation Pool and Provider

  1. Log in to your GCP account and select the relevant project.
  2. In the left-hand side menu select IAM & Admin.
  3. Click on the Create Pool button.
  4. Enter a name and description, make sure Enabled Pool is selected, and click on the Continue button.
Identity Pool

  1. In the Select a provider selection choose OIDC, add a Provider name, and enter a Provider ID.
  2. In the Issuer (URL) section enter https://login.app.env0.com/
  3. In the Audiences section select Allowed audiences, enter https://prod.env0.com, and click on the Continue button.
Identity Provider

  1. In the Configure provider attributes section, under OIDC 1, enter assertion.sub
  2. Click on the Save button.
Attribute Mapping

Adding Custom Claims

If you would like to map more custom claims, for example the organization id, click on the Add Mapping button, enter attribute.org_id in the Google text box and assertion.organizationId in the OIDC text box, and repeat step 14 with the organization id.

Read more about Custom Claims here

  1. Follow this guide to get your sub value.
  2. In the Identity pool you've just created, click on the Grant Access button.
  3. In the Service account selection, choose the service account you would like to associate the identity pool with. Make sure this service account has only the access your code needs in order to create those resources.
  4. Select the Only identities matching the filter radio button, choose subject as the Attribute name, enter the sub value you got from the previous steps as the Attribute value, and click on the Save button. This filter is what restricts impersonation of the service account to tokens carrying your sub rather than any token the provider accepts.
Grant Access to Service Account

  1. In the Configure your application modal, select the env0 provider you have created, enter a file name in the OIDC ID token path text box (for example env0-oidc-token.txt), choose text as the Format type, and click on the Download Config button.
  2. This downloads a JSON configuration file that is needed during your deployment in env0. It contains no secrets, only the resource names used for the token exchange:
{
  "type": "external_account",
  "audience": "//iam.googleapis.com/projects/XXXXXXXXXXXX/locations/global/workloadIdentityPools/env0-identity-pool/providers/env0oidc",
  "subject_token_type": "urn:ietf:params:oauth:token-type:jwt",
  "token_url": "https://sts.googleapis.com/v1/token",
  "service_account_impersonation_url": "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/[email protected]:generateAccessToken",
  "credential_source": {
    "file": "env0-oidc-token.txt",
    "format": {
      "type": "text"
    }
  }
}

Configure Your Terraform Provider

  1. During the deployment phase we need to have a file with the OIDC token, and in order to achieve that we will need to add a custom flow. Here is an example of an env0.yml file:
version: 2
deploy:
  steps:
    setupVariables:
      after:
        - name: Set OIDC Token For GCP
          run: echo $ENV0_OIDC_TOKEN > env0-oidc-token.txt
destroy:
  steps:
    setupVariables:
      after:
        - name: Set OIDC Token For GCP
          run: echo $ENV0_OIDC_TOKEN > env0-oidc-token.txt
  2. The JSON configuration file you have downloaded needs to be present during the deployment, so either commit it to your git repository or write it during the deployment with a custom flow step.
  3. In your Terraform code, configure the Google provider to authenticate with the JSON configuration file you have downloaded:
provider "google" {
  # Path to the downloaded external_account configuration file
  credentials = file("env0-config.json")

  # The GCP project ID (not the display name) to manage resources in
  project = "your-project-id"
}
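As an added example (not part of the env0 guide or of any env0 or Google tooling), the following Python script performs the pre-flight check a practitioner would want before the first deployment: it validates the downloaded external_account configuration, decodes the claims of the token that the custom flow writes to env0-oidc-token.txt, confirms that iss and aud match the issuer and allowed audience entered in the provider and that sub matches the Grant Access filter, and derives the IAM principal that the filter binds to the service account. The project number, service account e-mail and sub value below are constructed placeholders. The script does not verify the token signature; the GCP STS endpoint does that against the issuer's keys, so this is a configuration sanity check only.

```python
import base64
import json
import re

# Values this guide enters into the Workload Identity provider.
EXPECTED_ISSUER = "https://login.app.env0.com/"
EXPECTED_AUDIENCE = "https://prod.env0.com"

# Resource name format of the "audience" field in the downloaded config.
AUDIENCE_RE = re.compile(
    r"^//iam\.googleapis\.com/projects/(?P<project>\d+)/locations/global/"
    r"workloadIdentityPools/(?P<pool>[^/]+)/providers/(?P<provider>[^/]+)$"
)

# Constructed sample of the downloaded config (placeholder project number
# and service account; not real values).
SAMPLE_CONFIG = {
    "type": "external_account",
    "audience": "//iam.googleapis.com/projects/123456789012/locations/global/"
                "workloadIdentityPools/env0-identity-pool/providers/env0oidc",
    "subject_token_type": "urn:ietf:params:oauth:token-type:jwt",
    "token_url": "https://sts.googleapis.com/v1/token",
    "service_account_impersonation_url": (
        "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/"
        "deployer@example-project.iam.gserviceaccount.com:generateAccessToken"),
    "credential_source": {"file": "env0-oidc-token.txt", "format": {"type": "text"}},
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_sample_token(claims: dict) -> str:
    """Build a constructed, unsigned JWT for local testing only (GCP would reject it)."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}.placeholder-signature"


def jwt_claims(token: str) -> dict:
    """Decode the payload segment only; the signature is NOT checked here."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected three dot-separated segments")
    return json.loads(_b64url_decode(parts[1]))


def check_config(config: dict) -> list:
    """Return a list of problems with the external_account config (empty if OK)."""
    problems = []
    if config.get("type") != "external_account":
        problems.append("type must be external_account")
    if config.get("subject_token_type") != "urn:ietf:params:oauth:token-type:jwt":
        problems.append("subject_token_type must be the jwt token type")
    if not AUDIENCE_RE.match(config.get("audience", "")):
        problems.append("audience is not a workload identity provider resource name")
    src = config.get("credential_source", {})
    if not src.get("file"):
        problems.append("credential_source.file is missing")
    if src.get("format", {}).get("type") != "text":
        problems.append("credential_source.format.type must be text for a raw token file")
    return problems


def check_token(token: str, expected_sub: str) -> list:
    """Compare the token's claims with the provider settings and the Grant Access filter."""
    problems = []
    claims = jwt_claims(token)
    if claims.get("iss") != EXPECTED_ISSUER:
        problems.append(f"iss is {claims.get('iss')!r}, expected {EXPECTED_ISSUER!r}")
    aud = claims.get("aud")
    if EXPECTED_AUDIENCE not in (aud if isinstance(aud, list) else [aud]):
        problems.append(f"aud {aud!r} does not include the allowed audience")
    if claims.get("sub") != expected_sub:
        problems.append(f"sub {claims.get('sub')!r} does not match the filter {expected_sub!r}")
    if "exp" not in claims:
        problems.append("token has no exp claim")
    return problems


def workload_identity_member(audience: str, sub: str) -> str:
    """The IAM principal that 'Only identities matching the filter' (subject == sub) grants."""
    m = AUDIENCE_RE.match(audience)
    if not m:
        raise ValueError("malformed audience")
    return (f"principal://iam.googleapis.com/projects/{m['project']}/locations/global/"
            f"workloadIdentityPools/{m['pool']}/subject/{sub}")


def preflight(config: dict, token: str, expected_sub: str) -> list:
    return check_config(config) + check_token(token, expected_sub)


if __name__ == "__main__":
    sub = "PLACEHOLDER-SUB-FROM-ENV0"  # replace with the sub value from the guide
    token = make_sample_token({"iss": EXPECTED_ISSUER, "aud": EXPECTED_AUDIENCE,
                               "sub": sub, "exp": 2000000000})
    print("problems:", preflight(SAMPLE_CONFIG, token, sub))
    print("member:", workload_identity_member(SAMPLE_CONFIG["audience"], sub))
```

In a real run, replace SAMPLE_CONFIG with json.load of the downloaded file and the constructed token with the contents of env0-oidc-token.txt after the custom flow step has written it; a non-empty problems list points at the exact provider or config setting to revisit.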