From YouTube: Setting Up OIDC to Get Credentials from Google Cloud
Description
Contents:
1:11 - Steps overview
2:00 - Creating the workload ID pool and provider
6:22 - Creating a service account
10:18 - Creating a blank GitLab project
11:18 - Writing a script to generate a GCP access token
14:14 - Setting CI/CD variables to point to a GCP account
16:57 - Configuring a pipeline to get credentials
Docs:
GitLab OIDC for GCP: https://docs.gitlab.com/ee/ci/cloud_services/google_cloud
GCP Workload Identity Pool and Provider: https://cloud.google.com/iam/docs/workload-identity-federation-with-other-clouds#create_the_workload_identity_pool_and_provider
The reason you might want to do this is, if you are trying to work with Google Cloud as part of your pipeline to, say, create or destroy a server, access your storage, or so on, and you want to do this in a secure manner. Ideally, to do that, we can leverage credentials and an access token that will be generated using OpenID Connect, and we'll take a look in this video at how we can do that. Now, just to give you an idea of what the end result is going to look like for this.
So the checklist here will take you to this link, which describes in our documentation how you can configure OIDC Connect, or OIDC rather, with GCP, and we're just going to follow this step by step. There are three main sections here that we're going to follow, at least how I think of it: we're first creating a Google Cloud workload identity pool and provider.
That's what we want to do. This link here that says "go to new workload provider and pool" will take us conveniently to the page that we need to go to, and I'll move this over to this page. In here we can start by just giving it a name. So this identity pool I will call gitlab demo pool, and you can give it a description if you want. I'll just click continue, and now we need to add a provider to it. So we just cleared this first section now.
The second part is to create a workload identity provider, and we're using OIDC here, so that's what I'm going to select in this drop-down here for "select a provider". I'll give it a name, and I'll follow the format that's listed in the documentation, but I'll name it a little bit differently, so I'll call it gitlab demo slash gitlab, right.
So I have a word or phrase, slash, another word, and then the ID. We can enter that; it may generate an ID automatically for you, or I can set one myself manually this way. And now we can set our issuer URL. Since I will be using gitlab.com for this process, I'm going to use gitlab.com with https at the beginning and a trailing slash at the end as my issuer URL, so make sure it looks exactly like this, with, again, the trailing slash and the https at the beginning. And I'll set the audiences to "allowed audiences", because I want to manually specify this value here.
So in this case it's just the same thing as the issuer URL, except I am not putting a trailing slash here, right; you cannot have that here. And this is, again, for the cloud-hosted version, but if you have self-hosted, then you would use the address of that self-hosted GitLab instance in the issuer URL and your audience. Now we can click continue, and we move on to setting our attributes.
It says any attribute that you have on the Google side is just going to equal assertion dot whatever that attribute is on the GitLab side, and in this case what we want is actually attribute.user_login, so I'm going to put that in there: attribute.user_login. And on the GitLab side, it'll be the same thing except we have assertion instead of attribute, so attribute.user_login and assertion.user_login here. All right, and that's it. So we have our attributes mapped properly, and now we can click save.
So open the service accounts in a new tab, and we can click "create service account". You may see it at the top here; since my window is smaller, click the three dots there and "create service account". I'll call this gitlab demo account; name it whatever you like, and it should automatically generate an account ID for you. Otherwise, fill that out as well, and you can optionally add a description.
I want this account to be able to impersonate itself, so it's described in the documentation here, but basically you want to make sure that we provide it with that basic permission. So in this drop-down here for "select a role", you can either type the filter, or I'm just going to scroll down to it. There's "service accounts" here, and in the service account section we are looking for the Service Account Token Creator permission; that'll allow us to impersonate service accounts.
I'm going to copy this value here from my identity pool that I created; I'm going to copy this IAM principal value and paste that in here, in the service account's principal value here. Okay, and for that principal, I'm going to assign the role, the same role that we talked about earlier, the Service Account Token Creator, so make sure that's selected, and then we can click save. And now I can see here there is a row for that principalSet URL, and we have the permissions set to it, our Service Account Token Creator.
The text here, so I'm going to copy this, paste that in there, then add a new line, copy this, paste that there, and on a new line copy this and paste that there. These commands are basically saying that we're generating a payload, we're getting a federated token out of that payload, and then we are generating an access token based on that federated token. It's using a curl to do that. When we have this access token, we are going to want to actually print it out for this use case.
What we're going to do is we're going to leverage GitLab's CI/CD variables, so to do that I'm going to turn this into a variable. I'm going to wrap this again, just as we did for the federated token; I'm going to wrap this in curly brackets and add a dollar sign, and do the same thing for my pool ID and my provider ID as well. And there's a fourth one here in the last piece, service account email, so I will do the same for that as well.
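The three steps the script performs (payload, federated token, access token), as an added shell example that is not the video's script or GitLab's documented one. The CI/CD variable names GCP_PROJECT_NUMBER, GCP_WORKLOAD_IDENTITY_POOL_ID, GCP_WORKLOAD_IDENTITY_POOL_PROVIDER_ID, GCP_SERVICE_ACCOUNT_EMAIL and the GITLAB_OIDC_TOKEN id_tokens variable are assumed names, and the token is written to a file instead of being printed to the job log:

```shell
#!/bin/sh
# Added example, not the video's script. Assumed CI/CD variable names:
# GCP_PROJECT_NUMBER, GCP_WORKLOAD_IDENTITY_POOL_ID,
# GCP_WORKLOAD_IDENTITY_POOL_PROVIDER_ID, GCP_SERVICE_ACCOUNT_EMAIL, and
# GITLAB_OIDC_TOKEN provided by the job's id_tokens: section.
set -eu

# The audience names the exact pool and provider created in the console.
wif_audience() {
  printf '//iam.googleapis.com/projects/%s/locations/global/workloadIdentityPools/%s/providers/%s' \
    "$1" "$2" "$3"
}

# Step 1: payload for the STS token exchange; the GitLab ID token is the subject token.
sts_payload() {
  printf '{"audience":"%s",'\
'"grantType":"urn:ietf:params:oauth:grant-type:token-exchange",'\
'"requestedTokenType":"urn:ietf:params:oauth:token-type:access_token",'\
'"scope":"https://www.googleapis.com/auth/cloud-platform",'\
'"subjectTokenType":"urn:ietf:params:oauth:token-type:jwt",'\
'"subjectToken":"%s"}' "$1" "$2"
}

# Step 2: exchange the ID token for a short-lived federated token.
federated_token() {
  curl --fail --silent https://sts.googleapis.com/v1/token \
    --header 'Content-Type: application/json' --data "$1" | jq -r '.access_token'
}

# Step 3: impersonate the service account (the pool principal needs the
# Service Account Token Creator role on it) to mint an access token.
sa_access_token() {
  curl --fail --silent \
    "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/$1:generateAccessToken" \
    --header "Authorization: Bearer $2" --header 'Content-Type: application/json' \
    --data '{"scope":["https://www.googleapis.com/auth/cloud-platform"]}' | jq -r '.accessToken'
}

main() {
  aud=$(wif_audience "$GCP_PROJECT_NUMBER" "$GCP_WORKLOAD_IDENTITY_POOL_ID" \
    "$GCP_WORKLOAD_IDENTITY_POOL_PROVIDER_ID")
  fed=$(federated_token "$(sts_payload "$aud" "$GITLAB_OIDC_TOKEN")")
  [ -n "$fed" ] && [ "$fed" != null ] || { echo 'STS exchange failed' >&2; exit 1; }
  tok=$(sa_access_token "$GCP_SERVICE_ACCOUNT_EMAIL" "$fed")
  # Keep the token out of the job log: write it to a file for later steps.
  umask 077 && printf '%s' "$tok" > gcp_access_token
}

# Only run the exchange inside a job that actually has an ID token.
if [ -n "${GITLAB_OIDC_TOKEN:-}" ]; then main; fi
```

The audience string must match the pool and provider exactly, or the STS exchange fails with an empty result, which the check in main catches.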
And once we have that, we have two more things left to do. First, we're going to set the variables, the CI/CD variables, for this to use, so I'll go ahead and do that. I'll go to my CI/CD settings here from the settings tab, and actually I'll move this over here so I have my variables readily available.
So in CI/CD settings we can go into our variables and expand that. I'm going to add four variables, the ones that we just highlighted. So we have our project number, pool ID, provider ID, and service account email. To start, I'll start with the project number: click "add variable", set the project number as the key, and the value of this will be the project number. That is not the project name, but rather a separate number, which is kind of hard to find.
The next variable I'll create is the pool ID, and the value for this is going to be the pool ID that we had, so gitlab demo pool. So that's my ID; I'll add that as a variable. Then we'll go on to the provider ID, which will be the provider we created, and it's not the display name, so don't copy this.
Actually, if you recall, we set the ID as we replaced the slash with a dash, so I can confirm this by quickly clicking edit on that provider, and you'll see here, below the name of the provider, that the ID is listed. So I can copy that and paste that as the value. Again, we just replaced the slash with the dash there; that's what your ID should be. And then click "add variable", and then finally, for the service account email.
That will be the email address that you saw in the details page of your service account. So if you click into, again, your service accounts, and we click on the service account that we just created, your email will be listed right here, so I'll copy that, paste it there, get rid of those new lines, and click "add variable". All right, so I should see four variables that I've just created now, and we're good to go on the CI/CD variables side of things. So now.
All we're going to do is, I'm going to first give this... it's just going to be one job, so I'll give it a name. I'll say "get credentials"; that's what I'm going to call it, but you can put anything there. And now we need to specify the image that we're going to use. In this case we're going to use an image that has both curl and jq installed already, so this one is dwdr-h-a-u.