Replace curl with gcloud commands in IAM integration
From the proposal in &13197, and as exemplified in the design in #454343 [IAM--Configure--All.png], this issue is to replace the existing curl command with gcloud commands in the Google Identity & Access Management (IAM) integration.
Proposal
Adapted from https://docs.gitlab.com/ee/integration/google_cloud_iam.html:
```shell
gcloud iam workload-identity-pools create <your_identity_pool_id> \
  --project="<your_google_cloud_project_id>" \
  --location="global" \
  --display-name="Workload identity pool for GitLab project ID"
```
The placeholders are replaced with the right values:

- `<your_google_cloud_project_id>` with the value in the form field “Project ID”, in the IAM integration.
- `<your_identity_pool_id>` with the value in the form field “Pool ID”, in the IAM integration. It must be 4 to 32 lowercase letters, digits, or hyphens. To avoid collisions, use a unique ID. It is recommended to include the GitLab project ID or project path, as it facilitates IAM policy management.
```shell
gcloud iam workload-identity-pools providers create-oidc "<your_identity_provider_id>" \
  --location="global" \
  --project="<your_google_cloud_project_id>" \
  --workload-identity-pool="<your_identity_pool_id>" \
  --issuer-uri="<your_issuer_uri>" \
  --display-name="GitLab OIDC provider" \
  --attribute-mapping="attribute.guest_access=assertion.guest_access,\
attribute.reporter_access=assertion.reporter_access,\
attribute.developer_access=assertion.developer_access,\
attribute.maintainer_access=assertion.maintainer_access,\
attribute.owner_access=assertion.owner_access,\
attribute.namespace_id=assertion.namespace_id,\
attribute.namespace_path=assertion.namespace_path,\
attribute.project_id=assertion.project_id,\
attribute.project_path=assertion.project_path,\
attribute.user_id=assertion.user_id,\
attribute.user_login=assertion.user_login,\
attribute.user_email=assertion.user_email,\
attribute.user_access_level=assertion.user_access_level,\
google.subject=assertion.sub"
```
The placeholders are replaced with the right values:

- `<your_identity_provider_id>` with the value in the form field “Provider ID”. It must be 4 to 32 lowercase letters, digits, or hyphens. To avoid collisions, use an ID that is unique within the identity pool. For example, `gitlab`.
- `<your_google_cloud_project_id>` with the value in the form field “Project ID”.
- `<your_identity_pool_id>` with the ID of the workload identity pool you created in the previous step.
- `<your_issuer_uri>` with your identity provider issuer URI, which can be copied from the IAM integration page when choosing manual setup, and must exactly match that value. The parameter must include the path of the root group.
- The `--attribute-mapping` parameter must map the OIDC custom claims included in the JWT ID token to the corresponding identity attributes that are used in Identity and Access Management (IAM) policies to grant access.
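As an added example (not code from this issue or from GitLab's documentation), the script below validates the values that replace the placeholders before they reach gcloud, then assembles the two commands above from those values. The checks encode the constraints stated on this page: pool and provider IDs must be 4 to 32 lowercase letters, digits or hyphens, and the issuer URI must be an https URL that carries a path (the root group). `GCLOUD` defaults to `echo gcloud`, so running the script is a dry run that prints the commands; set `GCLOUD=gcloud` to execute them. The project ID, pool ID, provider ID and issuer URI at the bottom are constructed sample values.

```shell
#!/bin/sh
# Added example, not part of the GitLab issue or of GitLab's documentation.
# GCLOUD defaults to a dry run ("echo gcloud"); set GCLOUD=gcloud to execute.
GCLOUD="${GCLOUD:-echo gcloud}"

# Pool and provider IDs: 4 to 32 lowercase letters, digits or hyphens.
valid_wif_id() {
  printf '%s' "$1" | grep -Eq '^[a-z0-9-]{4,32}$'
}

# The issuer URI is copied verbatim from the IAM integration page; at minimum
# it must be an https URL with a path (the root group), not a bare host.
valid_issuer_uri() {
  printf '%s' "$1" | grep -Eq '^https://[^/[:space:]]+/[^[:space:]]+$'
}

# Builds the --attribute-mapping value from the claim list in the issue:
# attribute.<claim>=assertion.<claim> for each custom claim, plus google.subject.
attribute_mapping() {
  mapping=""
  for claim in guest_access reporter_access developer_access maintainer_access \
               owner_access namespace_id namespace_path project_id project_path \
               user_id user_login user_email user_access_level; do
    mapping="${mapping}attribute.${claim}=assertion.${claim},"
  done
  printf '%s' "${mapping}google.subject=assertion.sub"
}

# create_pool <project_id> <pool_id>: refuses an ID gcloud would reject.
create_pool() {
  valid_wif_id "$2" || { echo "invalid pool ID: $2" >&2; return 1; }
  $GCLOUD iam workload-identity-pools create "$2" \
    --project="$1" \
    --location="global" \
    --display-name="Workload identity pool for GitLab project ID"
}

# create_provider <project_id> <pool_id> <provider_id> <issuer_uri>
create_provider() {
  valid_wif_id "$2" || { echo "invalid pool ID: $2" >&2; return 1; }
  valid_wif_id "$3" || { echo "invalid provider ID: $3" >&2; return 1; }
  valid_issuer_uri "$4" || { echo "invalid issuer URI: $4" >&2; return 1; }
  $GCLOUD iam workload-identity-pools providers create-oidc "$3" \
    --location="global" \
    --project="$1" \
    --workload-identity-pool="$2" \
    --issuer-uri="$4" \
    --display-name="GitLab OIDC provider" \
    --attribute-mapping="$(attribute_mapping)"
}

# Constructed sample values; printed as commands unless GCLOUD=gcloud.
create_pool "my-gcp-project" "gitlab-project-1234"
create_provider "my-gcp-project" "gitlab-project-1234" "gitlab" \
  "https://gitlab.example.com/my-root-group"
```

Validating locally matters because a pool or provider ID that fails the length or character rule is rejected by gcloud only after the call, and an issuer URI that does not match the integration page's value exactly produces a provider that silently rejects every GitLab token rather than an error at creation time.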