OIDC With Google Cloud Platform
How to authenticate the env0 runner using GCP and OIDC
This guide shows how to connect env0 to GCP with OIDC, so the runner exchanges a short-lived token for temporary credentials instead of storing a long-lived service account key.
Overview
This guide will show you how to create a GCP Workload Identity Federation Provider, and attach it to a Service Account to generate temporary credentials by accepting env0's OIDC token. Refer to env0's OIDC configuration.
Workload Identity Federation Pool and Provider
- Log in to your GCP account and select the relevant project.
- In the left-hand menu select IAM & Admin, then Workload Identity Federation.
- Click the Create Pool button.
- Enter a name and description, make sure Enabled Pool is selected, and click the Continue button.

Identity Pool
- In the Select a provider selection choose OIDC, add a Provider name and enter a Provider ID.
- In the Issuer (URL) field enter https://login.app.env0.com/
- In the Audiences section select Allowed audiences, enter https://prod.env0.com and click the Continue button. The provider rejects any token whose aud claim does not contain this exact value, so it must match what env0 puts in its tokens.

Identity Provider
- In Configure provider attributes, under OIDC 1 enter assertion.sub as the value mapped to google.subject.
- Click the Save button.

Attribute Mapping
Adding Custom Claims
To map additional custom claims, for example the organization ID, click the Add Mapping button, enter attribute.org_id in the Google text box and assertion.organizationId in the OIDC text box, then repeat step 14 (the attribute filter in Grant Access) using the org_id attribute and your organization ID. Read more about Custom Claims here
- Follow this guide to get your sub value.
- In the identity pool you have just created click the Grant Access button.
- In Service account select the service account you want to associate with the identity pool. Grant this service account only the access your code needs to create its resources: every env0 token that passes the filter below can act as this account.
- Select the Only identities matching the filter radio button, in Attribute name select subject, in Attribute value enter the sub value you got from the previous step, and click the Save button. Because the issuer and audience configured above are shared by every env0 environment, this filter is what limits impersonation to your own deployments; do not grant access to all identities in the pool.

Grant Access to Service Account
- In the Configure your application modal select the env0 provider you have created, enter a file name in the OIDC ID token path text box (for example env0-oidc-token.txt), select text in Format type and click the Download Config button.
- This downloads a JSON configuration file that is needed during your deployment in env0. It contains no secrets, only the project number, the pool and provider path and the service account email:
{
"type": "external_account",
"audience": "//iam.googleapis.com/projects/XXXXXXXXXXXX/locations/global/workloadIdentityPools/env0-identity-pool/providers/env0oidc",
"subject_token_type": "urn:ietf:params:oauth:token-type:jwt",
"token_url": "https://sts.googleapis.com/v1/token",
"service_account_impersonation_url": "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/[email protected]:generateAccessToken",
"credential_source": {
"file": "env0-oidc-token.txt",
"format": {
"type": "text"
}
}
}
Configure Your Terraform Provider
- During the deployment phase the OIDC token must exist in the file named in the configuration (env0-oidc-token.txt above). env0 exposes the token as the ENV0_OIDC_TOKEN environment variable, so add a custom flow step that writes it before Terraform runs. Here is an example of an env0.yml file:
version: 2
deploy:
  steps:
    setupVariables:
      after:
        - name: Set OIDC Token For GCP
          run: echo "$ENV0_OIDC_TOKEN" > env0-oidc-token.txt
destroy:
  steps:
    setupVariables:
      after:
        - name: Set OIDC Token For GCP
          run: echo "$ENV0_OIDC_TOKEN" > env0-oidc-token.txt
- The JSON configuration file you downloaded must also be present during the deployment, so either commit it to your git repository (it contains no secrets) or write it from a custom flow step. Do not commit the token file itself: it is a short-lived bearer token and is written fresh by the custom flow on every run.
- In your Terraform code, configure the Google provider to authenticate with the JSON configuration file you downloaded. The credential_source.file path inside that JSON is relative to the directory Terraform runs in, which is where the custom flow step writes the token:
provider "google" {
  credentials = file("env0-config.json")
  project     = "your-project-id"
}
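The provider checks (issuer and allowed audience), the attribute mapping and the Grant Access filter above are easy to get subtly wrong, and a mismatch only shows up as an opaque STS error at deploy time. The following is an added example, not env0's or Google's tooling, that reproduces those checks offline on a token's claims and also sanity-checks the downloaded external_account JSON against the token file name the custom flow writes. It only decodes the JWT payload; signature verification is done by GCP against the issuer's keys and is deliberately not attempted here. The SAMPLE_CLAIMS values (sub, organizationId) are constructed placeholders, not real env0 values, and map_attributes supports only plain assertion.<claim> expressions, whereas a real mapping accepts CEL.

```python
import base64
import json

# Values entered in the Workload Identity Provider form on this page.
ISSUER = "https://login.app.env0.com/"
ALLOWED_AUDIENCE = "https://prod.env0.com"

# Attribute mapping configured on the provider (Google attribute -> assertion claim),
# including the optional org_id mapping from the "Adding Custom Claims" note.
ATTRIBUTE_MAPPING = {
    "google.subject": "assertion.sub",
    "attribute.org_id": "assertion.organizationId",
}

# Constructed sample claims (assumption); real env0 sub/organizationId values differ.
SAMPLE_CLAIMS = {
    "iss": ISSUER,
    "aud": ALLOWED_AUDIENCE,
    "sub": "placeholder-env0-sub",
    "organizationId": "placeholder-org-id",
}


def _b64url_decode(segment):
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_sample_token(claims):
    """Build a constructed JWT with a placeholder signature (never send this to GCP)."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.placeholder-signature"


def decode_claims(token):
    """Return the payload claims. The signature is NOT verified here: GCP STS
    verifies it against the issuer's JWKS; this helper only inspects claims."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS with three dot-separated parts")
    return json.loads(_b64url_decode(parts[1]))


def provider_problems(claims):
    """Re-check what the provider checks before accepting a token: issuer and audience."""
    problems = []
    if claims.get("iss") != ISSUER:
        problems.append(f"iss {claims.get('iss')!r} != provider issuer {ISSUER!r}")
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else list(aud)
    if ALLOWED_AUDIENCE not in aud:
        problems.append(f"aud {aud!r} does not contain allowed audience {ALLOWED_AUDIENCE!r}")
    return problems


def map_attributes(claims, mapping=ATTRIBUTE_MAPPING):
    """Apply the provider's attribute mapping. Only plain 'assertion.<claim>'
    expressions are supported here; real mappings accept CEL expressions."""
    mapped = {}
    for google_attr, expr in mapping.items():
        if not expr.startswith("assertion."):
            raise ValueError(f"unsupported mapping expression {expr!r}")
        claim = expr[len("assertion."):]
        if claim in claims:
            mapped[google_attr] = claims[claim]
    return mapped


def identity_allowed(mapped, attribute_name, attribute_value):
    """Evaluate the 'Only identities matching the filter' rule from Grant Access.
    'subject' means google.subject; any other name is a custom attribute.<name>."""
    key = "google.subject" if attribute_name == "subject" else f"attribute.{attribute_name}"
    return mapped.get(key) == attribute_value


def config_problems(config, token_file="env0-oidc-token.txt"):
    """Check the downloaded external_account JSON against the file the custom flow writes."""
    problems = []
    if config.get("type") != "external_account":
        problems.append("type must be external_account")
    source = config.get("credential_source", {})
    if source.get("file") != token_file:
        problems.append(f"credential_source.file {source.get('file')!r} != {token_file!r}")
    if source.get("format", {}).get("type") != "text":
        problems.append("this setup writes a raw JWT, so credential_source.format.type must be text")
    return problems


if __name__ == "__main__":
    claims = decode_claims(make_sample_token(SAMPLE_CLAIMS))
    print("provider problems:", provider_problems(claims))
    mapped = map_attributes(claims)
    print("mapped attributes:", mapped)
    print("allowed for sub filter:", identity_allowed(mapped, "subject", SAMPLE_CLAIMS["sub"]))
```

To use it against a real token, read the contents of env0-oidc-token.txt from a deployment log or a debug step into decode_claims, compare provider_problems and map_attributes with what you entered in the console, and load the downloaded JSON into config_problems. A token that passes provider_problems but fails identity_allowed for your chosen filter is exactly the case the Grant Access filter is meant to block.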