🗝️

Keyless authentication with GitHub OIDC x Google Cloud x CDKTF

Published 2021/12/15

Trying out google-github-actions/auth (GitHub Action for authenticating to Google Cloud with GitHub Actions OIDC tokens and Workload Identity Federation) with CDKTF.

Create the service account

// Service account that the GitHub Actions workflow will impersonate.
const ghActionSa = new ServiceAccount(this, "sa", {
  accountId: "my-service-account",
});

Enable the IAM Credentials API

// Token exchange for Workload Identity Federation goes through the
// IAM Credentials API, so the project must have it enabled.
new ProjectService(this, "iamcredentials.googleapis.com", {
  service: "iamcredentials.googleapis.com",
  disableOnDestroy: false, // leave the API enabled when the stack is destroyed
});

Create a Workload Identity Pool

// The pool that external (GitHub) identities are federated into.
const idPool = new GoogleIamWorkloadIdentityPool(this, "id-pool", {
  provider: googleBeta, // the google-beta provider instance
  workloadIdentityPoolId: "my-pool",
  displayName: "Demo pool",
});

Use the google-beta provider.
Once a pool is deleted, a pool with the same name cannot be created again for 30 days.

Create a Workload Identity Provider in the pool

// OIDC provider for GitHub Actions inside the pool created above.
new GoogleIamWorkloadIdentityPoolProvider(this, "id-provider", {
  provider: googleBeta,
  workloadIdentityPoolId: idPool.workloadIdentityPoolId,
  workloadIdentityPoolProviderId: "my-provider",
  displayName: "Demo provider",
  // Map claims of the GitHub OIDC token onto Google attributes.
  // attribute.repository is what the IAM binding below filters on.
  attributeMapping: {
    "google.subject": "assertion.sub",
    "attribute.actor": "assertion.actor",
    "attribute.repository": "assertion.repository",
    "attribute.aud": "assertion.aud",
  },
  oidc: {
    // Issuer of GitHub Actions OIDC tokens.
    issuerUri: "https://token.actions.githubusercontent.com",
  },
});

Allow identities authenticated through the Workload Identity Provider to impersonate the service account

// Only workflows of this repository will be allowed to impersonate the service account.
const REPO = "username/repo";

// Grant roles/iam.workloadIdentityUser on the service account to the set of
// federated principals whose mapped attribute.repository equals REPO.
new ServiceAccountIamBinding(this, "bind-workloadidentity", {
  role: "roles/iam.workloadIdentityUser",
  serviceAccountId: ghActionSa.id,
  members: [
    `principalSet://iam.googleapis.com/${idPool.name}/attribute.repository/${REPO}`,
  ],
});
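As an added example (not code from the original post, and not how Google's own service is implemented), the following TypeScript models in miniature what the attribute mapping on the provider and the principalSet member in the binding do together: token claims are mapped to attributes, and a token is accepted only if it came through this pool and its mapped attribute.repository matches. The claim values, pool name and project number are constructed sample data.

```typescript
type Claims = Record<string, string>;

// The attribute mapping exactly as configured on the provider above.
export const ATTRIBUTE_MAPPING: Record<string, string> = {
  "google.subject": "assertion.sub",
  "attribute.actor": "assertion.actor",
  "attribute.repository": "assertion.repository",
  "attribute.aud": "assertion.aud",
};

// Resolve a CEL-style "assertion.<claim>" reference against the token claims.
function resolve(expr: string, claims: Claims): string | undefined {
  const m = /^assertion\.([A-Za-z0-9_]+)$/.exec(expr);
  return m ? claims[m[1]] : undefined;
}

// Apply the mapping. Returns null when a referenced claim is absent, since a
// token that yields no google.subject cannot be exchanged at all.
export function mapAttributes(claims: Claims, mapping = ATTRIBUTE_MAPPING): Record<string, string> | null {
  const out: Record<string, string> = {};
  for (const [target, expr] of Object.entries(mapping)) {
    const v = resolve(expr, claims);
    if (v === undefined) return null;
    out[target] = v;
  }
  return out;
}

// The principalSet member string the binding above builds from the pool name.
export function repositoryPrincipalSet(poolName: string, repo: string): string {
  return `principalSet://iam.googleapis.com/${poolName}/attribute.repository/${repo}`;
}

// Membership test for a principalSet of the form .../attribute.<name>/<value>:
// the token must come from this pool and its mapped attribute must match exactly.
export function isMember(principalSet: string, poolName: string, mapped: Record<string, string>): boolean {
  const prefix = `principalSet://iam.googleapis.com/${poolName}/attribute.`;
  if (!principalSet.startsWith(prefix)) return false;
  const [attr, ...valueParts] = principalSet.slice(prefix.length).split("/");
  if (valueParts.length === 0) return false;
  return mapped[`attribute.${attr}`] === valueParts.join("/");
}

// Constructed sample claims: a run in the permitted repository, and one from another repository.
export const OWN_REPO_CLAIMS: Claims = {
  sub: "repo:username/repo:ref:refs/heads/main",
  actor: "username",
  repository: "username/repo",
  aud: "https://iam.googleapis.com/projects/000000000000/locations/global/workloadIdentityPools/my-pool/providers/my-provider",
};
export const OTHER_REPO_CLAIMS: Claims = { ...OWN_REPO_CLAIMS, sub: "repo:other/repo:ref:refs/heads/main", actor: "other", repository: "other/repo" };
```

A token from another repository maps successfully but is not a member of the principalSet, which is exactly why the binding is keyed on attribute.repository rather than on the whole pool.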
