Closed bravous closed 1 year ago
Hi @bravous, thanks for the issue! I've raised this with the team so it can be prioritized and added to our work stack.
Hi @roothorp , after creating everything again from scratch (could not believe it would not work), it worked so I think i messed something up somewhere. Thanks for taking a look, you can close this issue. Maybe change it in updating documentation to basically promote identity federation as best practice ;-)
Hello. Is this implemented in pulumi Cloud pipelines?
Hello!
Issue details
Currently when running pulumi (gcp) in an automated pipeline we need to provide a downloaded JSON key via the
GOOGLE_CREDENTIALS
environment variable. This is not a best practice. It is better to use Workload Identity Federation, this will make sure no (long lived) keys are downloaded but short lived tokens are generated for authentication.Service account keys could pose a security risk if compromised. Therefor it is recommended to avoid downloading service account keys and instead use the Workload Identity Federation. More can be found here on the best way to authenticate service accounts on Google Cloud here.
An example
bitbucket-pipeline.yaml
using OIDC and Workload Identity Federation would look like this:The
credential-config.json
file provides the hints on how to get the token to the google client libraries . And theoidc = true
makes sure bitbucket generates an OIDC token to use in the OIDC flow.Currently when we run this pipeline we get permission denied errors, it looks like it tries to use the
credential-config.json
file as a real/regular JSON key to authenticate and does not follow the OIDC flow using the information.The errors we see in the log file look as follow:
When we replace the config file with a real JSON key it works. So it looks like the underlying library used for authentication is not able to utilize workload identity flow.
Affected area/feature
Don't really know but it looks like it should be part of the underlying googel client library that is responsible for authentocating.