Ops Showcase Presentation: New `identity` .gitlab-ci.yml keyword for transparent Google Cloud authentication through WLIF
✨ Summary of the issue
As part of the GitLab + Google Cloud integration initiative, a new `identity` CI job keyword has been added to provide transparent authentication in a CI job to a Google Cloud project. This is achieved through Google Cloud Workload Identity Federation and a new GitLab service called `glgo` (a proxy for requesting Google's STS tokens derived from GitLab's `id_token` JWT).
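The exchange that Workload Identity Federation relies on, sketched as an added example (not code from `glgo` or the GitLab project): it checks the claims a pool provider would evaluate and builds the RFC 8693 form sent to Google's STS. The project number, pool and provider names, the `https://gitlab.com` issuer, and the use of the provider's default allowed audience are assumptions, and the tokens are constructed samples.

```python
import base64, json

STS_URL = "https://sts.googleapis.com/v1/token"  # Google Security Token Service

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def jwt_claims(token: str) -> dict:
    """Decode the JWT payload for inspection only; the signature is NOT verified."""
    payload = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))

def provider_resource(project_number: str, pool: str, provider: str) -> str:
    return (f"//iam.googleapis.com/projects/{project_number}/locations/global/"
            f"workloadIdentityPools/{pool}/providers/{provider}")

def precheck(token: str, issuer: str, provider: str, now: float) -> list:
    """Return the problems that would make the pool provider reject the token."""
    c, problems = jwt_claims(token), []
    if c.get("iss") != issuer:
        problems.append("issuer mismatch")
    aud = c.get("aud")
    # Assumption: the provider accepts only its default audience (https: + resource name).
    if "https:" + provider not in (aud if isinstance(aud, list) else [aud]):
        problems.append("audience mismatch")
    if c.get("exp", 0) <= now:
        problems.append("token expired")
    return problems

def sts_exchange_form(token: str, provider: str) -> dict:
    """Form fields of the RFC 8693 token exchange POSTed to STS_URL."""
    return {
        "grant_type": "urn:ietf:params:oauth:grant-type:token-exchange",
        "audience": provider,
        "subject_token_type": "urn:ietf:params:oauth:token-type:jwt",
        "requested_token_type": "urn:ietf:params:oauth:token-type:access_token",
        "scope": "https://www.googleapis.com/auth/cloud-platform",
        "subject_token": token,
    }

def sample_token(claims: dict) -> str:
    """Constructed, unsigned sample token with a placeholder signature."""
    header = {"alg": "RS256", "typ": "JWT"}
    return ".".join([_b64url(json.dumps(header).encode()),
                     _b64url(json.dumps(claims).encode()), "sig"])

# Constructed values (assumptions, not taken from the demo project).
PROVIDER = provider_resource("123456789", "example-pool", "example-provider")
GOOD = sample_token({"iss": "https://gitlab.com", "aud": "https:" + PROVIDER,
                     "exp": 2000, "project_path": "group/project"})
STALE = sample_token({"iss": "https://gitlab.example", "aud": "other", "exp": 500})
```

STS verifies the token signature against the issuer's published keys; `precheck` only mirrors the claim checks, so it is useful for debugging a rejected exchange, not as a substitute for verification.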
🔑 Relevant Details
- Implementation issue: gitlab-org/gitlab#438420 (closed)
- Video link (2 minutes): https://youtu.be/7TzOI6Ovvg0
- Example CI job: https://gitlab.com/gitlab-org/ci-cd/package-stage/feature-testing/google-artifact-registry/-/jobs/6139184323
- Demo project: https://gitlab.com/gitlab-org/ci-cd/package-stage/feature-testing/google-artifact-registry
- Design document: https://gitlab.com/gitlab-org/architecture/gitlab-gcp-integration/design-doc/-/tree/master
Screenshots
| Item | Screenshot |
|---|---|
| WLIF pool provider section in Google Cloud console | [screenshot] |
| Google Cloud IAM project integration | [screenshot] |
❓ Questions
NOTE: Using the format noted below, each question should be threaded. Answers can be placed as subpoints under each threaded question, tagging the original team member who asked the question.
{Insert Question} - {tag presenter username}