This package enables AWS->GCP federation with two lines of code
Project description
Scalesec GCP Workload Identity Federation
This package provides a python module to federate access from AWS to GCP using Workload Identity
Quick start
# Create venv and install package
make setup
source .venv/bin/activate
pip install scalesec-gcp-workload-identity
# set up GCP credentials
gcloud auth login
# Enable the STS service in the project
gcloud services enable sts.googleapis.com
# The values below should be exported into the environment to be reused when calling the module later
# Create the GCP Workload Identity Pool
gcloud beta iam workload-identity-pools create "$gcp_workload_id" \
--location="global" \
--description="$gcp_workload_id" \
--display-name="$gcp_workload_id"
# Create the GCP Workload Identity AWS Provider
gcloud beta iam workload-identity-pools providers create-aws "$gcp_workload_provider" \
--location="global" \
--workload-identity-pool="$gcp_workload_id" \
--account-id="$aws_account_id"
# Add the appropriate IAM binding to a pre-existing service account
gcloud iam service-accounts add-iam-policy-binding $gcp_service_account_email \
--role roles/iam.workloadIdentityUser \
--member "principalSet://iam.googleapis.com/projects/$gcp_project_number/locations/global/workloadIdentityPools/$gcp_workload_id/attribute.aws_role/arn:aws:sts::${aws_account_id}:assumed-role/$aws_role_name"
Using the module
Getting a service account token is now simple:
from scalesec_gcp_workload_identity.main import TokenService
token_service = TokenService(args...)
sa_token, expiry_date = token_service.get_token()
The arguments to TokenService can be taken from the environment if they were exported above:
from os import getenv

token_service = TokenService(
    gcp_project_number=getenv('gcp_project_number'),
    gcp_workload_id=getenv('gcp_workload_id'),
    gcp_workload_provider=getenv('gcp_workload_provider'),
    gcp_service_account_email=getenv('gcp_service_account_email'),
    aws_account_id=getenv('aws_account_id'),
    aws_role_name=getenv('aws_role_name'),
    aws_region=getenv('aws_region')
)
Testing
# make a venv
make setup
# Edit .env with your values
# install deps
make dev
# run pytest
make test
Upload to PyPI
make dist VERSION=1.x.x