Running Terraform against Google Cloud in GitLab - Stack Overflow

I am trying to run terraform from a GitLab pipeline job against my Google Cloud instance. I have authenticated GitLab to Google Cloud with Federated ID and can impersonate a service account connected to my authenticated workload identity pool. This allows me to run gcloud CLI commands without an issue.

However, when running terraform, it expects to use the Application Default Credentials or Google Application Credentials. I am impersonating a service account in a way that does not load it into these stored system credentials.

Is there a way to set the GOOGLE_APPLICATION_CREDENTIALS as the impersonated credentials?

I have tried to download the credential configuration file and load that into the system credentials, but it gives me an error. I do not know the expected value of the OIDC ID token path. Error:

oauth2/google: unable to generate access token: Post "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/[MASKED]:generateAccessToken": oauth2/google/externalaccount: failed to open credential file "/tmp/oidc-token.txt"

Here is my .gitlab-ci.yml:

deploy:
  stage: deploy
  image: google/cloud-sdk:latest
  identity: google_cloud
  variables:
    # $GCLOUD_SERVICE_ACCOUNT defined in group
    # $GCLOUD_CREDENTIAL_CONFIGURATION defined in group
  script:
    # install terraform
    - apt update && apt install -y wget gpg lsb-base lsb-release
    - wget -O - https://apt.releases.hashicorp.com/gpg | gpg --dearmor -o /usr/share/keyrings/hashicorp-archive-keyring.gpg
    - echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/hashicorp-archive-keyring.gpg] https://apt.releases.hashicorp.com $(lsb_release -cs) main" | tee /etc/apt/sources.list.d/hashicorp.list
    - apt update && apt install -y terraform
    # impersonate gcloud service account
    - gcloud config set auth/impersonate_service_account $GCLOUD_SERVICE_ACCOUNT
    - gcloud storage ls gs://my-bucket # works fine
    # try to run terraform against google cloud
    - export GOOGLE_APPLICATION_CREDENTIALS=$GCLOUD_CREDENTIAL_CONFIGURATION # gives error shown above
    - terraform -chdir=infra init -input=false
    - terraform -chdir=infra plan -out=tfplan -input=false # permission failure due to wrong account

It's unclear to me if giving the necessary permissions directly to my federated identity principal would provide them at the application default level and allow terraform to function, but I would really prefer permissions be granted at the service account level because I feel like that's easier to manage long term.

asked yesterday by Galen Howlett
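The error quoted in the question is the Google auth library reporting that the `external_account` credential configuration named by `GOOGLE_APPLICATION_CREDENTIALS` points, via `credential_source.file`, at `/tmp/oidc-token.txt`, and that nothing in the job wrote the GitLab OIDC ID token to that path; the token exchange never reaches the `generateAccessToken` call, so Terraform falls back to whatever other identity is available. The following pre-flight check, an added example that is not code from the question or the answer, parses such a credential config, extracts the service account it would impersonate, and confirms that the token file exists and holds an unexpired JWT, turning the opaque library error into a concrete finding before `terraform plan` runs. Project number, pool name, service account address, token claims and file paths in `demo()` are all constructed placeholders, and the JWT payload is decoded only to read its claims, never verified, since Google STS performs the verification.

```python
"""Pre-flight check for a Google 'external_account' credential configuration.

Added example (not code from the Stack Overflow post): before exporting
GOOGLE_APPLICATION_CREDENTIALS, confirm that the file it points at is a
workload-identity-federation config whose credential_source file exists
and holds an unexpired OIDC token. Paths, identifiers and the sample
config/token below are constructed for the demonstration.
"""
import base64
import json
import os
import tempfile
import time


def _decode_jwt_payload(token: str) -> dict:
    """Decode a JWT payload without verifying the signature (STS does that)."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("subject token is not a JWT (expected 3 dot-separated parts)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_external_account_config(config_path: str, now=None) -> dict:
    """Validate an external_account config; return ok/problems/identity findings."""
    now = time.time() if now is None else now
    findings = {"ok": True, "problems": [], "impersonated_sa": None,
                "token_aud": None, "token_sub": None}

    def fail(msg: str) -> None:
        findings["ok"] = False
        findings["problems"].append(msg)

    with open(config_path, encoding="utf-8") as fh:
        cfg = json.load(fh)
    if cfg.get("type") != "external_account":
        fail(f"config type is {cfg.get('type')!r}, not 'external_account'")
        return findings

    # Service account Terraform would act as, taken from the
    # .../serviceAccounts/<email>:generateAccessToken impersonation URL.
    url = cfg.get("service_account_impersonation_url", "")
    if "/serviceAccounts/" in url and url.endswith(":generateAccessToken"):
        findings["impersonated_sa"] = url.split("/serviceAccounts/")[1].rsplit(":", 1)[0]
    else:
        fail("no service_account_impersonation_url: the exchange would yield "
             "the federated principal itself, not a service account")

    source = cfg.get("credential_source", {})
    token_file = source.get("file")
    if not token_file:
        fail("only file-based credential_source is handled by this check")
        return findings
    if not os.path.isfile(token_file):
        fail(f"credential_source.file {token_file!r} does not exist: nothing "
             "wrote the OIDC ID token to the path the config expects")
        return findings

    with open(token_file, encoding="utf-8") as fh:
        raw = fh.read()
    fmt = source.get("format", {})
    if fmt.get("type") == "json":  # token wrapped in a JSON document
        raw = json.loads(raw)[fmt["subject_token_field_name"]]
    try:
        claims = _decode_jwt_payload(raw)
    except ValueError as exc:
        fail(str(exc))
        return findings
    findings["token_aud"] = claims.get("aud")
    findings["token_sub"] = claims.get("sub")
    if claims.get("exp", 0) <= now:
        fail("OIDC token in credential_source.file has expired")
    return findings


def _fake_jwt(claims: dict) -> str:
    """Build a JWT-shaped string with a dummy signature (constructed, not a real token)."""
    def enc(d: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.sig"


def demo() -> tuple:
    """Reproduce the question's failure (token file absent), then the working layout."""
    tmp = tempfile.mkdtemp()
    token_path = os.path.join(tmp, "oidc-token.txt")
    cfg_path = os.path.join(tmp, "cred-config.json")
    pool = "projects/123456789012/locations/global/workloadIdentityPools/gitlab-pool/providers/gitlab"
    config = {  # constructed; project number, pool and service account are placeholders
        "type": "external_account",
        "audience": f"//iam.googleapis.com/{pool}",
        "subject_token_type": "urn:ietf:params:oauth:token-type:jwt",
        "token_url": "https://sts.googleapis.com/v1/token",
        "service_account_impersonation_url": "https://iamcredentials.googleapis.com/v1/projects/-/"
            "serviceAccounts/terraform@example-project.iam.gserviceaccount.com:generateAccessToken",
        "credential_source": {"file": token_path},
    }
    with open(cfg_path, "w", encoding="utf-8") as fh:
        json.dump(config, fh)
    before = check_external_account_config(cfg_path)  # mirrors the posted error
    with open(token_path, "w", encoding="utf-8") as fh:  # what the job must write
        fh.write(_fake_jwt({"iss": "https://gitlab.example.com", "aud": f"https://iam.googleapis.com/{pool}",
                            "sub": "project_path:group/infra:ref_type:branch:ref:main",
                            "exp": int(time.time()) + 3600}))
    after = check_external_account_config(cfg_path)
    return before, after


if __name__ == "__main__":
    for label, result in zip(("before", "after"), demo()):
        print(label, json.dumps(result, indent=2))
```

Run as a job step with the real config path, the check fails fast with the missing-file finding instead of the `oauth2/google/externalaccount` error, and on success reports which service account the config impersonates and which `sub`/`aud` the token carries, so a plan that runs as the wrong identity is caught before any IAM change. The reported `aud` is printed rather than compared, because the provider's allowed audience (`https://iam.googleapis.com/...`) differs in scheme from the config's `audience` field (`//iam.googleapis.com/...`). Separately from the token-file route, the Terraform google provider also reads `GOOGLE_IMPERSONATE_SERVICE_ACCOUNT` (provider attribute `impersonate_service_account`), the provider-level counterpart of `gcloud config set auth/impersonate_service_account`; this is a known provider setting, not something the post tried.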

1 Answer

It does indeed seem like adding the IAM roles directly to the federated id principalSet will give the necessary permissions to the application default credentials. This doesn't really answer the question or provide a way to use the service user account to run terraform, but it works.
