
Keyless Google Cloud Access from HCP Terraform
https://github.com/bschaatsbergen/keyless-auth-gcp-hcp-terraform

google-cloud oidc workload-identity-federation

Last synced: 19 days ago

README


# Keyless Google Cloud Access from HCP Terraform

Securely access Google Cloud from HCP Terraform using Google's Workload Identity Federation, eliminating the need for storing service account keys.

## What is identity federation?
Identity federation lets HCP Terraform impersonate a service account through its native OpenID Connect integration and obtain a short-lived OAuth 2.0 access token. This short-lived access token lets you call any Google Cloud APIs that the service account has access to at runtime, making your HCP Terraform runs much more secure.

## Using Workload Identity Federation
Using HashiCorp Terraform, you can create a Workload Identity [Pool](https://cloud.google.com/iam/docs/workload-identity-federation#pools) and [Provider](https://cloud.google.com/iam/docs/workload-identity-federation#providers), from which HCP Terraform requests a federated token. This token is then passed to the Google Terraform provider, which impersonates a service account to obtain temporary credentials for planning or applying Terraform.
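As an added example (not the project's own code), the pool, provider and service-account binding described above, written in HCL; the organization name, workspace name, pool and provider ids and service account id are assumed placeholders. The `attribute_condition` and the workspace-scoped IAM binding are the two checks that prevent runs from other HCP Terraform organizations or workspaces from exchanging tokens at this provider.

```hcl
# Added example, not the project's own code. Organization, workspace,
# pool, provider and service account names below are assumed placeholders.
locals {
  tfc_org       = "example-org" # assumed HCP Terraform organization
  tfc_workspace = "gcp-prod"    # assumed HCP Terraform workspace
}

resource "google_iam_workload_identity_pool" "hcp_terraform" {
  workload_identity_pool_id = "hcp-terraform-pool"
  display_name              = "HCP Terraform"
}

resource "google_iam_workload_identity_pool_provider" "hcp_terraform" {
  workload_identity_pool_id          = google_iam_workload_identity_pool.hcp_terraform.workload_identity_pool_id
  workload_identity_pool_provider_id = "hcp-terraform-provider"

  # HCP Terraform's OIDC issuer; tokens signed by any other issuer are rejected.
  oidc {
    issuer_uri = "https://app.terraform.io"
  }

  # Map claims from the HCP Terraform run token onto Google attributes so they
  # can be referenced in the condition below and in IAM bindings.
  attribute_mapping = {
    "google.subject"                        = "assertion.sub"
    "attribute.terraform_organization_name" = "assertion.terraform_organization_name"
    "attribute.terraform_workspace_name"    = "assertion.terraform_workspace_name"
    "attribute.terraform_run_phase"         = "assertion.terraform_run_phase"
  }

  # Without a condition, a token from any HCP Terraform organization would be
  # accepted by this provider; restrict it to our own organization.
  attribute_condition = "assertion.terraform_organization_name == \"${local.tfc_org}\""
}

resource "google_service_account" "terraform" {
  account_id = "hcp-terraform" # assumed service account id
}

# Only runs of the named workspace may impersonate the service account.
resource "google_service_account_iam_member" "wif" {
  service_account_id = google_service_account.terraform.name
  role               = "roles/iam.workloadIdentityUser"
  member             = "principalSet://iam.googleapis.com/${google_iam_workload_identity_pool.hcp_terraform.name}/attribute.terraform_workspace_name/${local.tfc_workspace}"
}
```

Grant the service account only the project roles the workspace's Terraform actually needs; the federation removes the long-lived key but does not narrow what the impersonated account can do.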