Workload Identity Federation (WIF)
Use WIF to connect AWS resources with GCP
These notes cover resources in AWS (EC2 instances, Lambda functions, etc.) accessing resources in GCP projects using workload identity federation.
Scenario:
- Each EC2 instance in AWS may have a different IAM role attached to it, which provides the credentials it uses to access services within AWS. For the instance to access a GCP resource, e.g. a storage bucket, it also needs credentials; with WIF the AWS credentials are exchanged via STS (Security Token Service) for a short-lived GCP token, and WIF checks the exchange against the provider configuration before the resource can be accessed.
WIF Implementation:
- Enable APIs
  - IAM, Resource Manager, Service Account Credentials, and Security Token Service APIs
- Roles
  - Workload identity provider (admin)
  - Organization admin
Org Policy modification:
- Add the AWS account ID so that access requests are only accepted from that AWS account
- Add "https://sts.amazonaws.com" to the policy as the allowed provider
- Navigate to IAM & Admin under Pinned products and click on "Workload Identity Federation"
- This opens the Get started window
- Provide the details for creating an identity pool and click on Continue
- Select AWS as the provider in the next stage to continue configuring the workload identity pool
- After choosing AWS as the provider, fill in the details in the individual tabs
- In the AWS account ID section, add the AWS account ID for which WIF is being enabled. Once the configuration is saved and applied, the WIF provider pool is created
- For an AWS EC2 instance or Lambda function to access a GCS bucket hosted on GCP, create a service account in GCP without generating a service account key for it; WIF impersonates the service account with short-lived tokens, so no long-lived key is needed.
- Click on "Grant access" and select the service account to configure; this is the service account WIF will let the AWS resource impersonate when it accesses the GCP environment / project
- Download the client library config JSON file; it will later be referenced from the EC2 instance that needs to access GCP resources.
Prerequisites on AWS side:
- Create / deploy an EC2 instance with an IAM role attached
Prerequisites on GCP side:
- Ensure that arn:aws:sts::[aws-account-number]:assumed-role/[ec2-iam-role] is bound through the aws_role attribute mapping of the WIF provider, so that only sessions of that IAM role can impersonate the service account
- Log in to the EC2 instance, copy the config file over to it, and point the application or script at this config file so that it accesses the GCP resource over WIF.
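As an added example (not part of these notes and not Google's own tooling), the Python below builds the client library config in the external_account format that google-auth reads from the downloaded JSON file, reproduces the provider's default aws_role attribute mapping to derive the principalSet member for a single EC2 role, and runs a few checks before the file is copied to the instance. The project number, pool, provider, AWS account ID and service account e-mail are placeholders.

```python
import re

PROJECT_NUMBER, POOL_ID, PROVIDER_ID = "123456789012", "aws-pool", "aws-provider"  # placeholders
AWS_ACCOUNT = "111122223333"   # placeholder: the account ID entered when the provider was created
IMDS = "http://169.254.169.254/latest"
ASSUMED_ROLE = re.compile(r"^arn:aws:sts::(\d{12}):assumed-role/([^/]+)/[^/]+$")

def aws_role_attribute(arn: str) -> str:
    # Mirror the provider's default attribute.aws_role mapping: drop the session name.
    m = ASSUMED_ROLE.match(arn)
    return f"arn:aws:sts::{m.group(1)}:assumed-role/{m.group(2)}" if m else arn

def principal_set_member(arn: str) -> str:
    # IAM member that grants one AWS role (not the whole pool) access to the service account.
    m = ASSUMED_ROLE.match(arn)
    if not m or m.group(1) != AWS_ACCOUNT:
        raise ValueError("expected an assumed-role ARN from the trusted AWS account")
    return (f"principalSet://iam.googleapis.com/projects/{PROJECT_NUMBER}/locations/global/"
            f"workloadIdentityPools/{POOL_ID}/attribute.aws_role/{aws_role_attribute(arn)}")

def credential_config(sa_email: str) -> dict:
    # Client library config: no secret inside, AWS credentials are read from instance metadata.
    return {
        "type": "external_account",
        "audience": f"//iam.googleapis.com/projects/{PROJECT_NUMBER}/locations/global/"
                    f"workloadIdentityPools/{POOL_ID}/providers/{PROVIDER_ID}",
        "subject_token_type": "urn:ietf:params:aws:token-type:aws4_request",
        "service_account_impersonation_url": "https://iamcredentials.googleapis.com/v1/"
                                             f"projects/-/serviceAccounts/{sa_email}:generateAccessToken",
        "token_url": "https://sts.googleapis.com/v1/token",
        "credential_source": {
            "environment_id": "aws1",
            "region_url": f"{IMDS}/meta-data/placement/availability-zone",
            "url": f"{IMDS}/meta-data/iam/security-credentials",
            "imdsv2_session_token_url": f"{IMDS}/api/token",  # require IMDSv2 on the instance
            "regional_cred_verification_url": "https://sts.{region}.amazonaws.com"
                                              "?Action=GetCallerIdentity&Version=2011-06-15",
        },
    }

def check_config(cfg: dict) -> list:
    # Problems worth fixing before the file is copied to the EC2 instance.
    return [msg for bad, msg in (
        (cfg.get("type") != "external_account", "type must be external_account"),
        ("private_key" in cfg, "config must not embed a service account key"),
        (cfg.get("credential_source", {}).get("environment_id") != "aws1", "environment_id must be aws1"),
        (f"/workloadIdentityPools/{POOL_ID}/providers/{PROVIDER_ID}" not in cfg.get("audience", ""),
         "audience does not name the expected pool and provider"),
    ) if bad]
```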