This repository provides a Terraform script to create and configure Workload Identity Federation (WIDF) in Google Cloud Platform (GCP). The setup includes a Workload Identity Pool, Provider, Service Account, and IAM bindings.
Prerequisites:

- Terraform installed.
- A GCP project with billing enabled.
- A valid service account key file (key.json).
What the configuration does:

- Creates a Workload Identity Pool.
- Adds an OIDC Provider to the pool.
- Creates a Service Account.
- Binds the Service Account to the Workload Identity Pool.
- Assigns the necessary IAM roles.
Files:

- `main.tf`: contains the Terraform configuration that creates the resources.
- `variables.tf`: defines all variables required by the configuration.
Clone the repository:

```sh
git clone https://github.com/<your-username>/<your-repo-name>.git
cd <your-repo-name>
```
Create a `terraform.tfvars` file and define the required variables:

```hcl
project_id               = "your-gcp-project-id"
impersonated-sa          = "your-impersonated-service-account"
sa_id_suffix             = "your-service-account-id-suffix"
pool_id_suffix           = "your-pool-id-suffix"
display_name_pool        = "Workload Identity Pool"
description_for_pool     = "Description for Workload Identity Pool"
pool_status              = false
provider_id              = "your-provider-id"
display_name_provider    = "OIDC Provider"
attribute_condition      = "<your-attribute-condition>"
description_for_provider = "Description for the Provider"
attribute_mapping = {
  "google.subject" = "assertion.sub"
}
oidc_issuer_uri = "https://example.com"
wid_role        = "roles/iam.workloadIdentityUser"
member_sa       = "serviceAccount:"
member          = "principalSet://iam.googleapis.com/"
```
Initialize, validate, and apply the configuration:

```sh
terraform init
terraform validate
terraform apply
```

Confirm the plan and wait for the resources to be created.
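The following is an added example of what a `main.tf` for the resources listed above can look like; it is not the repository's own file. It assumes that the variable names used in `terraform.tfvars` are declared in `variables.tf`, that `pool_status` maps to the pool's `disabled` flag, and it uses a placeholder local (`allowed_subject`) to show how the IAM binding can be scoped to a single external identity instead of the whole pool.

```hcl
# Added example, not the repository's main.tf. Variable names follow terraform.tfvars.
terraform {
  required_providers {
    google = {
      source = "hashicorp/google"
    }
  }
}

# The key file listed under prerequisites is only used to run Terraform itself;
# the workloads that federate through the pool never need it.
provider "google" {
  project     = var.project_id
  credentials = file("key.json")
}

locals {
  # PLACEHOLDER: the exact `sub` claim the external identity provider issues
  # for the one workload that should be allowed to impersonate the service account.
  allowed_subject = "REPLACE-WITH-EXPECTED-SUBJECT"
}

resource "google_iam_workload_identity_pool" "pool" {
  workload_identity_pool_id = "pool-${var.pool_id_suffix}"
  display_name              = var.display_name_pool
  description               = var.description_for_pool
  disabled                  = var.pool_status # assumed mapping of pool_status
}

resource "google_iam_workload_identity_pool_provider" "oidc" {
  workload_identity_pool_id          = google_iam_workload_identity_pool.pool.workload_identity_pool_id
  workload_identity_pool_provider_id = var.provider_id
  display_name                       = var.display_name_provider
  description                        = var.description_for_provider

  # Maps claims from the external token onto Google attributes.
  attribute_mapping = var.attribute_mapping

  # First gate: tokens whose claims fail this CEL expression are rejected by
  # the provider before any IAM binding is consulted.
  attribute_condition = var.attribute_condition

  oidc {
    issuer_uri = var.oidc_issuer_uri
  }
}

resource "google_service_account" "sa" {
  account_id   = "wif-${var.sa_id_suffix}"
  display_name = "Workload Identity Federation service account"
}

# Second gate: which federated identities may impersonate the service account.
# A pool-wide member ("principalSet://iam.googleapis.com/${pool.name}/*") would let
# every token the provider accepts impersonate it; the principal form below
# restricts the binding to one mapped subject.
resource "google_service_account_iam_member" "wif_user" {
  service_account_id = google_service_account.sa.name
  role               = var.wid_role
  member             = "principal://iam.googleapis.com/${google_iam_workload_identity_pool.pool.name}/subject/${local.allowed_subject}"
}

output "workload_identity_pool_id" {
  value = google_iam_workload_identity_pool.pool.workload_identity_pool_id
}

output "service_account_name" {
  value = google_service_account.sa.email
}

output "iam_binding_member" {
  value = google_service_account_iam_member.wif_user.member
}
```

When reviewing a configuration like this, check the two gates together: `attribute_condition` on the provider decides which external tokens are accepted at all, and the `member` on the service account binding decides which of those accepted identities may impersonate the service account. Leaving the condition empty and binding the pool-wide `/*` principal set at the same time means any token from the configured issuer can obtain the service account's permissions.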
Outputs:

- Workload Identity Pool ID
- Service Account Name
- IAM Binding Status
To delete all resources created by this configuration, run:

```sh
terraform destroy
```