This Terraform module creates a Workload Identity Pool and Provider for GitLab.
Service account keys are long-lived secrets and a security risk if they leak. Avoid service account keys and use Workload Identity Federation (WIF) instead: the GitLab CI job presents the short-lived OIDC ID token GitLab issues to it, and Google Cloud exchanges that token for credentials, so no key ever has to be stored in GitLab. For more information about Workload Identity Federation and how to best authenticate service accounts on Google Cloud, please see my GitHub repo Cyclenerd/google-workload-identity-federation.
There is also a ready-to-use Terraform module for GitHub.
Create Workload Identity Pool and Provider:

```hcl
# Create Workload Identity Pool Provider for GitLab
module "gitlab-wif" {
  source     = "Cyclenerd/wif-gitlab/google"
  version    = "1.0.0"
  project_id = "your-project-id"
}

# Get the Workload Identity Pool Provider resource name for GitLab CI configuration
output "gitlab-workload-identity-provider" {
  description = "The Workload Identity Provider resource name"
  value       = module.gitlab-wif.provider_name
}
```
An example of a working GitLab CI configuration (`.gitlab-ci.yml`) can be found here.
Allow the service account to be impersonated via the Workload Identity Provider, and restrict that to tokens issued for the GitLab repository (project path) `octo-org/octo-repo`. Without this restriction every project on the configured issuer (gitlab.com) could obtain the service account's credentials:

```hcl
# Get existing service account for GitLab CI
data "google_service_account" "gitlab" {
  project    = "your-project-id"
  account_id = "existing-account-for-gitlab-ci"
}

# Allow service account to login via WIF and only from GitLab repository (project path)
module "gitlab-service-account" {
  source     = "Cyclenerd/wif-service-account/google"
  version    = "1.0.0"
  project_id = "your-project-id"
  pool_name  = module.gitlab-wif.pool_name
  account_id = data.google_service_account.gitlab.account_id
  repository = "octo-org/octo-repo"
}
```
The Terraform module Cyclenerd/wif-service-account/google is used for this binding.
More examples
Attribute mapping:

| Attribute | Claim |
|---|---|
| google.subject | assertion.sub |
| attribute.sub | assertion.sub |
| attribute.repository | assertion.project_path (not assertion.repository) |
| attribute.user_login | assertion.user_login |
| attribute.ref | assertion.ref |

Note that GitLab's ID token identifies the project through the `project_path` claim, not a `repository` claim; the module maps it to `attribute.repository` so the same attribute name can be used in service account bindings as with the GitHub module.
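For readers who want to see what the two modules abstract away, here is an added, hand-written equivalent built directly from the Google provider resources (this is illustrative code written for this page, not the source of either module). It creates the pool and the GitLab OIDC provider with the attribute mapping from the table above, adds an attribute condition at the provider, and binds one existing service account to the single project path `octo-org/octo-repo`. The project ID, pool and provider IDs, service account name and repository are assumptions taken from the examples above.

```hcl
# Added example, not the module's source. Names below are assumptions.
locals {
  project_id = "your-project-id"
  repository = "octo-org/octo-repo" # GitLab project path (group/project)
}

resource "google_iam_workload_identity_pool" "gitlab" {
  project                   = local.project_id
  workload_identity_pool_id = "gitlab-com"
  display_name              = "gitlab.com"
  description               = "Workload Identity Pool for GitLab (Terraform managed)"
}

resource "google_iam_workload_identity_pool_provider" "gitlab" {
  project                            = local.project_id
  workload_identity_pool_id          = google_iam_workload_identity_pool.gitlab.workload_identity_pool_id
  workload_identity_pool_provider_id = "gitlab-com-oidc"
  display_name                       = "gitlab.com OIDC"

  # Tokens must be issued by gitlab.com and carry this audience; the GitLab
  # job has to request its ID token with the same `aud` value.
  oidc {
    issuer_uri        = "https://gitlab.com"
    allowed_audiences = ["https://gitlab.com"]
  }

  # Same mapping as the table above. GitLab puts the project into
  # `project_path`; exposing it as attribute.repository keeps bindings uniform.
  attribute_mapping = {
    "google.subject"       = "assertion.sub"
    "attribute.sub"        = "assertion.sub"
    "attribute.repository" = "assertion.project_path"
    "attribute.user_login" = "assertion.user_login"
    "attribute.ref"        = "assertion.ref"
  }

  # Defence in depth: reject every token from another project path at the
  # provider, before any service account IAM binding is evaluated.
  attribute_condition = "attribute.repository == \"${local.repository}\""
}

data "google_service_account" "gitlab" {
  project    = local.project_id
  account_id = "existing-account-for-gitlab-ci"
}

# Only principals whose attribute.repository equals the project path may
# impersonate the service account. A binding on the whole pool
# (principalSet://iam.googleapis.com/<pool>/*) would admit any gitlab.com project.
resource "google_service_account_iam_member" "gitlab_wif" {
  service_account_id = data.google_service_account.gitlab.name
  role               = "roles/iam.workloadIdentityUser"
  member             = "principalSet://iam.googleapis.com/${google_iam_workload_identity_pool.gitlab.name}/attribute.repository/${local.repository}"
}
```

The `attribute_condition` and the `principalSet` member enforce the same restriction at two layers; keeping both means a later, overly broad IAM binding on the pool still cannot be reached by tokens from other projects. Because `attribute.ref` is mapped as well, the condition can be tightened further to a single branch or tag (GitLab's `ref` claim is the bare ref name, for example `main`) so that only jobs on a protected branch can obtain credentials.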
Requirements:

| Name | Version |
|---|---|
|  | >= 4.61.0 |
Inputs:

| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| allowed_audiences | Workload Identity Pool Provider allowed audiences | string | "https://gitlab.com" | no |
| issuer_uri | Workload Identity Pool Provider issuer URI | string | "https://gitlab.com" | no |
| pool_description | Workload Identity Pool description | string | "Workload Identity Pool for GitLab (Terraform managed)" | no |
| pool_disabled | Workload Identity Pool disabled | bool | false | no |
| pool_display_name | Workload Identity Pool display name | string | "gitlab.com" | no |
| pool_id | Workload Identity Pool ID | string | "gitlab-com" | no |
| project_id | The ID of the project | string | n/a | yes |
| provider_description | Workload Identity Pool Provider description | string | "Workload Identity Pool Provider for GitLab (Terraform managed)" | no |
| provider_disabled | Workload Identity Pool Provider disabled | bool | false | no |
| provider_display_name | Workload Identity Pool Provider display name | string | "gitlab.com OIDC" | no |
| provider_id | Workload Identity Pool Provider ID | string | "gitlab-com-oidc" | no |
Outputs:

| Name | Description |
|---|---|
| pool_id | Identifier for the pool |
| pool_name | The resource name for the pool |
| pool_state | State of the pool |
| provider_id | Identifier for the provider |
| provider_name | The resource name of the provider |
| provider_state | State of the provider |
All files in this repository are under the Apache License, Version 2.0 unless noted otherwise.