Keyless authentication with GitHub OIDC x Google Cloud x CDKTF
Create the service account

The service account that the GitHub Actions workflow will impersonate. No key is ever created or downloaded for it; the workflow obtains short-lived tokens through the token exchange set up below. The snippets run inside a CDKTF TerraformStack constructor (hence `this`); import paths assume the prebuilt `@cdktf/provider-google` and `@cdktf/provider-google-beta` packages.

```ts
import { ServiceAccount } from "@cdktf/provider-google/lib/service-account";

// Service account the workflow impersonates; no key is generated for it.
const ghActionSa = new ServiceAccount(this, "sa", {
  accountId: "my-service-account",
});
```
Enable the IAM Credentials API

The IAM Service Account Credentials API (`iamcredentials.googleapis.com`) is what the federated identity uses to mint short-lived access tokens for the service account, so it has to be enabled in the project.

```ts
import { ProjectService } from "@cdktf/provider-google/lib/project-service";

new ProjectService(this, "iamcredentials.googleapis.com", {
  service: "iamcredentials.googleapis.com",
  // Leave the API enabled when this stack is destroyed; other workloads may rely on it.
  disableOnDestroy: false,
});
```
Create the Workload Identity Pool

```ts
import { GoogleBetaProvider } from "@cdktf/provider-google-beta/lib/provider";
import { GoogleIamWorkloadIdentityPool } from "@cdktf/provider-google-beta/lib/google-iam-workload-identity-pool";

// google-beta provider instance used by the pool and provider resources
// (project ID is assumed for the example).
const googleBeta = new GoogleBetaProvider(this, "google-beta", {
  project: "my-project",
});

const idPool = new GoogleIamWorkloadIdentityPool(this, "id-pool", {
  provider: googleBeta,
  workloadIdentityPoolId: "my-pool",
  displayName: "Demo pool",
});
```

The pool resource uses the google-beta provider.
Deleting a pool only soft-deletes it: a pool with the same ID cannot be created again for 30 days.
Create the Workload Identity Provider in the pool

The provider trusts tokens issued by `https://token.actions.githubusercontent.com` and maps token claims (`assertion.*`) onto Google attributes. `google.subject` is mandatory; for GitHub the `sub` claim has the form `repo:OWNER/REPO:ref:refs/heads/BRANCH` (or `:environment:NAME`, `:pull_request`), which identifies the repository and the branch, environment or event that produced the token. The `repository` and `actor` claims are mapped to custom attributes so they can be referenced from IAM bindings.

```ts
import { GoogleIamWorkloadIdentityPoolProvider } from "@cdktf/provider-google-beta/lib/google-iam-workload-identity-pool-provider";

new GoogleIamWorkloadIdentityPoolProvider(this, "id-provider", {
  provider: googleBeta,
  workloadIdentityPoolId: idPool.workloadIdentityPoolId,
  workloadIdentityPoolProviderId: "my-provider",
  displayName: "Demo provider",
  // Left side: Google attribute; right side: CEL expression over the token claims.
  attributeMapping: {
    "google.subject": "assertion.sub",
    "attribute.actor": "assertion.actor",
    "attribute.repository": "assertion.repository",
    "attribute.aud": "assertion.aud",
  },
  oidc: {
    issuerUri: "https://token.actions.githubusercontent.com",
  },
});
```

Caveat: as written, the provider has no `attributeCondition`, so it exchanges a token from any GitHub repository for a federated identity; the IAM binding below is then the only thing limiting who can impersonate the service account. The resource accepts an `attributeCondition` (a CEL expression over the mapped attributes, for example restricting `attribute.repository` to your own repositories), which rejects foreign tokens at the provider instead.
Allow identities from the Workload Identity Provider to impersonate the service account

Grant `roles/iam.workloadIdentityUser` on the service account to the `principalSet` of federated identities whose mapped `attribute.repository` equals the repository. `idPool.name` resolves to the pool's full resource name (`projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/my-pool`), which is what the member string requires. Note that `ServiceAccountIamBinding` is authoritative for the role: any other member that held `roles/iam.workloadIdentityUser` on this service account is removed.

```ts
import { ServiceAccountIamBinding } from "@cdktf/provider-google/lib/service-account-iam-binding";

const REPO = "username/repo";

new ServiceAccountIamBinding(this, "bind-workloadidentity", {
  role: "roles/iam.workloadIdentityUser",
  serviceAccountId: ghActionSa.id,
  members: [
    // Any token whose mapped attribute.repository is REPO: every branch, environment and actor.
    `principalSet://iam.googleapis.com/${idPool.name}/attribute.repository/${REPO}`,
  ],
});
```
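To make concrete what the mapping, the optional attribute condition and the `principalSet` binding each gate, here is an added, dependency-free TypeScript model of the decision the provider and IAM make for one GitHub Actions token. It is an illustration written for this page, not the page's own code and not Google's implementation; the project number, pool name and token claim values are constructed, and only the simple `assertion.<claim>` mapping form is modelled (real mappings are CEL and can transform values).

```typescript
// Added illustration: models how a Workload Identity Provider treats a GitHub
// Actions OIDC token. Not the page's code and not Google's implementation.
// Pool name, project number and claim values below are constructed.

type Claims = Record<string, string>;
type Attrs = Record<string, string>;

// Assumed value of idPool.name (project number is invented).
const POOL_NAME =
  "projects/123456789012/locations/global/workloadIdentityPools/my-pool";
const ISSUER = "https://token.actions.githubusercontent.com";

// Constructed claims in the shape GitHub's issuer emits for a push to main.
const sampleClaims: Claims = {
  iss: ISSUER,
  aud: `https://iam.googleapis.com/${POOL_NAME}/providers/my-provider`,
  sub: "repo:username/repo:ref:refs/heads/main",
  repository: "username/repo",
  repository_owner: "username",
  actor: "username",
  ref: "refs/heads/main",
};

// Same mapping as the provider resource: "<attribute>": "assertion.<claim>".
const attributeMapping: Record<string, string> = {
  "google.subject": "assertion.sub",
  "attribute.actor": "assertion.actor",
  "attribute.repository": "assertion.repository",
  "attribute.aud": "assertion.aud",
};

// Apply the mapping; a token missing a mapped claim is rejected.
function mapAttributes(claims: Claims, mapping: Record<string, string>): Attrs {
  const attrs: Attrs = {};
  for (const [target, expr] of Object.entries(mapping)) {
    const m = /^assertion\.([A-Za-z0-9_]+)$/.exec(expr);
    if (!m) throw new Error(`unsupported mapping expression: ${expr}`);
    const value = claims[m[1]];
    if (value === undefined) throw new Error(`token lacks claim "${m[1]}" needed for ${target}`);
    attrs[target] = value;
  }
  return attrs;
}

// Models the provider's attributeCondition. With no condition, every token
// from the issuer becomes a federated identity and only the IAM binding
// limits impersonation.
type Condition = (attrs: Attrs) => boolean;

// Example condition: only the main branch of one repository.
const onlyRepoMain: Condition = (a) =>
  a["attribute.repository"] === "username/repo" &&
  a["google.subject"] === "repo:username/repo:ref:refs/heads/main";

// Does the federated identity match an IAM member string?
//   principalSet://iam.googleapis.com/<pool>/attribute.<name>/<value>  (all identities sharing an attribute)
//   principal://iam.googleapis.com/<pool>/subject/<subject>            (one identity)
function matchesMember(member: string, pool: string, attrs: Attrs): boolean {
  const setPrefix = `principalSet://iam.googleapis.com/${pool}/`;
  const onePrefix = `principal://iam.googleapis.com/${pool}/subject/`;
  if (member.startsWith(onePrefix)) {
    return attrs["google.subject"] === member.slice(onePrefix.length);
  }
  if (!member.startsWith(setPrefix)) return false;
  const rest = member.slice(setPrefix.length); // e.g. "attribute.repository/username/repo"
  const slash = rest.indexOf("/");
  if (slash < 0) return false;
  return attrs[rest.slice(0, slash)] === rest.slice(slash + 1);
}

// Full decision: issuer check, mapping, attribute condition, then binding.
function authorize(
  claims: Claims,
  condition: Condition | undefined,
  member: string,
): "denied:issuer" | "denied:condition" | "denied:binding" | "allowed" {
  if (claims.iss !== ISSUER) return "denied:issuer";
  const attrs = mapAttributes(claims, attributeMapping);
  if (condition && !condition(attrs)) return "denied:condition";
  return matchesMember(member, POOL_NAME, attrs) ? "allowed" : "denied:binding";
}

// The member string the page's binding produces for REPO = "username/repo".
const repoMember = `principalSet://iam.googleapis.com/${POOL_NAME}/attribute.repository/username/repo`;
```

Running `authorize` with a token from another repository shows the difference between the two controls: with no condition the foreign token is exchanged for an identity and is stopped only by the binding (`denied:binding`); with `onlyRepoMain` it never becomes an identity (`denied:condition`). A feature-branch token from the right repository is allowed by the `attribute.repository` binding but rejected by the branch condition, which is why a branch- or environment-scoped condition (or a `principal://.../subject/...` member) is the usual choice for deploy credentials. On the GitHub side, the workflow needs `permissions: id-token: write` and passes the provider's full resource name as `workload_identity_provider` and the service account e-mail as `service_account` to `google-github-actions/auth`.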