Wow. The most explanatory video I've seen on workflow Identity Federation
Great demo. How would you do this for an application running on a local machine? What would be the identity provider in that scenario?
Thanks George for the excellent delivery and diagrams in explaining the GCP Workload Identity federation concept with the demo, it really helped in understanding end to end workflow between GitHub and GCP and the usage of WIF.
You're very welcome! Thanks for watching!
Excellent demo. Thanks !!
Thanks George for the wonderful explanation. I have a query related to service account key rotation: how can this be achieved with the help of workload identity federation?
Hi. Thank you. But I have an issue.
I have two repos: a CICD repo and an app repo. I only configured the CICD repo with the WIF setup, and the WIF pool is in a different project than my CICD repo.
I have reusable workflows in the CICD repo. I am calling these from the application repo, which is not configured with the WIF setup. I want to deploy or copy the jars from the runner to a GCS bucket, and all these steps are included in the CICD pipeline; the app repo just calls it. It's failing with a 403 permission denied error. It's not storage permissions. It works only if I also configure WIF on the app repo, which I don't want to do. Is this even possible? Please advise, thanks.
From what I understand from your description, WIF is actually doing what it should. If it authorised workloads from another [GitLab or other CICD] project, it would mean anyone could create such a project and claim to have the same access level as the one you configured within the pool for the CICD project.
Unless I understood your problem incorrectly, then maybe try to describe it more specifically with steps, using unambiguous descriptions of 'project', 'repo', and what 'app' exactly means vs CICD. I recommend posting this on Stack Overflow in the Google Cloud Collective.
Can we create service account keys in bulk in different projects by using a Groovy script?
Hi, where did you find the documentation for this syntax: "repo:galonge/udemy-kustomize-mastery:ref:refs/heads/main"?
Hi Pedro, you can find more info on the workload identity federation docs here: cloud.google.com/iam/docs/workload-identity-federation-with-deployment-pipelines#mappings-and-conditions
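The two threads above (the reusable-workflow 403 and the question about the `repo:OWNER/REPO:ref:refs/heads/BRANCH` subject syntax) both come down to how a WIF provider applies its attribute mapping and attribute condition to the claims in the GitHub OIDC token. The block below is an added illustration, not code from the video, from GCP, or from GitHub: it is a small stand-in for the real CEL evaluator that supports only `attribute == 'value'` terms joined by `&&`. The claim names (`sub`, `repository`, `ref`, `job_workflow_ref`) are the ones GitHub actually issues; the repo names `acme/cicd` and `acme/app`, the branch and the workflow path are constructed sample values. It shows why a token minted for a job in `acme/app` is rejected by a condition pinned to `acme/cicd` even when the job runs a reusable workflow from `acme/cicd`, and, going one step beyond the thread, that a condition keyed on the `job_workflow_ref` claim instead matches the reusable workflow rather than the calling repository.

```python
"""Simulated WIF provider: attribute mapping + condition over a GitHub OIDC token.

Added illustration only. The claim names are GitHub's real OIDC claims; the
evaluator is a tiny subset of the CEL that GCP really uses; all repo names,
branches and workflow paths below are constructed sample data.
"""
import re

# Same shape as the --attribute-mapping flag: target attribute -> source expression.
ATTRIBUTE_MAPPING = {
    "google.subject": "assertion.sub",
    "attribute.repository": "assertion.repository",
    "attribute.job_workflow_ref": "assertion.job_workflow_ref",
}

# Constructed tokens. GitHub builds `sub` as repo:OWNER/REPO:ref:refs/heads/BRANCH
# for a branch push, while `job_workflow_ref` names the (possibly reusable)
# workflow file that is running the job.
CICD_TOKEN = {  # job started by a push to acme/cicd itself
    "sub": "repo:acme/cicd:ref:refs/heads/main",
    "repository": "acme/cicd",
    "ref": "refs/heads/main",
    "job_workflow_ref": "acme/cicd/.github/workflows/deploy.yml@refs/heads/main",
}
APP_TOKEN = {  # job started in acme/app, calling the reusable workflow from acme/cicd
    "sub": "repo:acme/app:ref:refs/heads/main",
    "repository": "acme/app",
    "ref": "refs/heads/main",
    "job_workflow_ref": "acme/cicd/.github/workflows/deploy.yml@refs/heads/main",
}

# Two candidate --attribute-condition values (constructed).
REPO_CONDITION = "attribute.repository == 'acme/cicd'"
WORKFLOW_CONDITION = (
    "attribute.job_workflow_ref == "
    "'acme/cicd/.github/workflows/deploy.yml@refs/heads/main'"
)


def map_attributes(claims, mapping=ATTRIBUTE_MAPPING):
    """Resolve every 'assertion.<claim>' expression against the token's claims."""
    attrs = {}
    for target, expr in mapping.items():
        m = re.fullmatch(r"assertion\.(\w+)", expr)
        if not m:
            raise ValueError(f"unsupported mapping expression: {expr}")
        claim = m.group(1)
        if claim not in claims:
            # A mapping that names a claim the token lacks fails the exchange.
            raise KeyError(f"token lacks claim '{claim}' needed for {target}")
        attrs[target] = claims[claim]
    return attrs


_TERM = re.compile(r"""\s*(\S+)\s*==\s*['"]([^'"]*)['"]\s*""")


def evaluate_condition(condition, attrs):
    """Evaluate "a == 'x' && b == 'y'" against the mapped attributes."""
    for term in condition.split("&&"):
        m = _TERM.fullmatch(term)
        if not m:
            raise ValueError(f"unsupported condition term: {term!r}")
        name, expected = m.group(1), m.group(2)
        if attrs.get(name) != expected:
            return False
    return True


def exchange_token(claims, condition):
    """Return (accepted, reason), mirroring the STS accept/deny decision."""
    try:
        attrs = map_attributes(claims)
    except KeyError as exc:
        return False, f"mapping failed: {exc}"
    subject = attrs["google.subject"]
    if not evaluate_condition(condition, attrs):
        return False, f"attribute condition rejected subject {subject}"
    return True, f"accepted subject {subject}"


if __name__ == "__main__":
    for label, token in (("cicd push", CICD_TOKEN), ("app calling reusable wf", APP_TOKEN)):
        for cname, cond in (("repo condition", REPO_CONDITION), ("workflow condition", WORKFLOW_CONDITION)):
            ok, why = exchange_token(token, cond)
            print(f"{label:26} {cname:20} {'ALLOW' if ok else 'DENY ':5} {why}")
```

Run it and the `app calling reusable wf` row is denied under the repository condition, which is the 403 described in the thread: the token's `repository` and `sub` belong to the calling repo, not to the repo that hosts the reusable workflow. Whether pinning on `job_workflow_ref` instead is acceptable depends on who can push to that workflow file and branch, since anyone who can call that workflow ref would then be admitted.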
The JSON download part: if I download it, can I use it in the same way I would use a service account?