Simplify templates/gcp_auth.yaml
Thank you very much for your Terraform module "gcp-oidc"! It really helped me to get my setup up and running!
But one question is bugging me: Why does the template `templates/gcp_auth.yaml` use curl and construct a custom `gcp-credentials.json` when it could just use the one you can get by calling `gcloud iam workload-identity-pools create-cred-config`?
Do not get me wrong! I don't want to rant, I'm just curious what I might have missed.

My current pipeline looks like this:
```yaml
include:
  - template: Terraform/Base.gitlab-ci.yml
  - template: Workflows/MergeRequest-Pipelines.gitlab-ci.yml

variables:
  TF_STATE_NAME: default
  GOOGLE_APPLICATION_CREDENTIALS: credentials.json
  GCP_SA: project-service-account@foo-bfc3.iam.gserviceaccount.com
  GCP_PROJECT_NUMBER: 2342
  GCP_OIDC_POOL_NAME: gitlab-pool-oidc-4223
  GCP_OIDC_PROVIDER_NAME: gitlab-jwt-4223

stages:
  - validate
  - test
  - auth
  - build
  - deploy

fmt:
  extends: .terraform:fmt

validate:
  extends: .terraform:validate

build:
  extends: .terraform:build
  id_tokens:
    GCP_TOKEN:
      aud: https://gitlab.com
  before_script:
    # Write the job's OIDC ID token where credentials.json expects to read it
    - echo ${GCP_TOKEN} > .ci_job_jwt_file
  dependencies:
    - gcp-auth

deploy:
  extends: .terraform:deploy
  id_tokens:
    GCP_TOKEN:
      aud: https://gitlab.com
  before_script:
    - echo ${GCP_TOKEN} > .ci_job_jwt_file
  dependencies:
    - gcp-auth
    - build

gcp-auth:
  image: google/cloud-sdk:alpine
  stage: auth
  artifacts:
    paths:
      - credentials.json
  script:
    # Generate the external_account credential config that later jobs consume
    - gcloud iam workload-identity-pools create-cred-config projects/${GCP_PROJECT_NUMBER}/locations/global/workloadIdentityPools/${GCP_OIDC_POOL_NAME}/providers/${GCP_OIDC_PROVIDER_NAME}
      --service-account="${GCP_SA}"
      --output-file=credentials.json
      --credential-source-file=.ci_job_jwt_file
```
So instead of using the custom tailored steps from `templates/gcp_auth.yaml`, I'm just calling `gcloud iam workload-identity-pools create-cred-config` in a container using image `google/cloud-sdk:alpine`.
Looking forward to hearing about what I might have overlooked. Thank you!
Edited by Sven Schliesing
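As an added example (not part of this issue or of the gcp-oidc module), a small Python check a pipeline job can run on the `credentials.json` that `create-cred-config` wrote and on the `.ci_job_jwt_file` before Terraform picks them up: it confirms the external_account config points at the expected pool, provider and service account, and that the ID token's `aud` matches what the `id_tokens` block requested. `SAMPLE_CONFIG`, `unsigned_test_jwt` and the check functions are assumptions constructed for offline use.

```python
import base64
import json

# Constructed sample of the file `gcloud iam workload-identity-pools create-cred-config` writes,
# using the pipeline's own project number, pool, provider and GCP_SA values.
SAMPLE_CONFIG = {
    "type": "external_account",
    "audience": "//iam.googleapis.com/projects/2342/locations/global/"
                "workloadIdentityPools/gitlab-pool-oidc-4223/providers/gitlab-jwt-4223",
    "subject_token_type": "urn:ietf:params:oauth:token-type:jwt",
    "token_url": "https://sts.googleapis.com/v1/token",
    "service_account_impersonation_url": "https://iamcredentials.googleapis.com/v1/projects/-/"
        "serviceAccounts/project-service-account@foo-bfc3.iam.gserviceaccount.com:generateAccessToken",
    "credential_source": {"file": ".ci_job_jwt_file"},
}

def check_credential_config(cfg, project_number, pool, provider, service_account, token_file):
    """Return findings; an empty list means the config points exactly where the pipeline expects."""
    findings = []
    want_aud = (f"//iam.googleapis.com/projects/{project_number}/locations/global/"
                f"workloadIdentityPools/{pool}/providers/{provider}")
    if cfg.get("type") != "external_account":
        findings.append("type is not external_account")
    if cfg.get("audience") != want_aud:
        findings.append("audience does not match the expected pool/provider")
    if f"/serviceAccounts/{service_account}:generateAccessToken" not in cfg.get("service_account_impersonation_url", ""):
        findings.append("impersonation URL names a different service account")
    if cfg.get("credential_source", {}).get("file") != token_file:
        findings.append("credential_source.file is not the job's ID token file")
    return findings

def id_token_claims(token):
    """Decode the JWT payload only; signature verification is Google STS's job, not ours."""
    payload = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))

def check_id_token(token, expected_aud, now):
    """Confirm aud matches what the job's id_tokens block requested and exp is still in the future."""
    claims, findings = id_token_claims(token), []
    aud = claims.get("aud")
    if aud != expected_aud and not (isinstance(aud, list) and expected_aud in aud):
        findings.append(f"aud {aud!r} is not {expected_aud!r}")
    if claims.get("exp", 0) <= now:
        findings.append("token is expired")
    return findings

def unsigned_test_jwt(claims):
    """Constructed, unsigned JWT-shaped token for offline testing only; never hand this to STS."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}."
```

In a real job, load `credentials.json` with `json.load` and the token from `.ci_job_jwt_file`, and fail the job if either check returns findings.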