This package enables AWS->GCP federation with two lines of code

Navigation

Verified details

These details have been verified by PyPI
Maintainers
Avatar for ilanp from gravatar.com ilanp Avatar for jdyke from gravatar.com jdyke

Unverified details

These details have not been verified by PyPI
Project links
GitHub Statistics

View statistics for this project via Libraries.io, or by using our public dataset on Google BigQuery

Meta

License: Apache Software License (Apache License 2.0)

Author: ScaleSec

Requires: Python >= 3.6, !=3.0.*, !=3.1.*, !=3.2.*, !=3.3.*, !=3.4.*, !=3.5.*

Classifiers

Project description

Scalesec GCP Workload Identity Federation

This package provides a python module to federate access from AWS to GCP using Workload Identity

Quick start

# Create venv and install package
make setup
source .venv/bin/activate
pip install scalesec-gcp-workload-identity

# set up GCP credentials
gcloud auth login

# Enable the STS service in the project
gcloud services enable sts.googleapis.com

# The values below should be exported into the environment to be reused when calling the module later

# Create the GCP Workload Identity Pool
gcloud beta iam workload-identity-pools create "$gcp_workload_id" \
  --location="global" \
  --description="$gcp_workload_id" \
  --display-name="$gcp_workload_id"

# Create the GCP Workload Identity AWS Provider
gcloud beta iam workload-identity-pools providers create-aws "$gcp_workload_provider" \
  --location="global" \
  --workload-identity-pool="$gcp_workload_id" \
  --account-id="$aws_account_id" 

# Add the appropriate IAM binding to a pre-existing service account
gcloud iam service-accounts add-iam-policy-binding $gcp_service_account_email \
  --role roles/iam.workloadIdentityUser \
  --member "principalSet://iam.googleapis.com/projects/$gcp_project_number/locations/global/workloadIdentityPools/$gcp_workload_id/attribute.aws_role/arn:aws:sts::${aws_account_id}:assumed-role/$aws_role_name"

Using the module

Set your AWS credentials

export AWS_PROFILE=xyz

Getting a Service Account token is now simple:

from scalesec_gcp_workload_identity.main import TokenService

token_service = TokenService(args...)
sa_token, expiry_date = token_service.get_token()

The arguments to TokenService can be ingested from the environment if they were exported above:

from os import getenv

token_service = TokenService(
  gcp_project_number=getenv('gcp_project_number'),
  gcp_workload_id=getenv('gcp_workload_id'),
  gcp_workload_provider=getenv('gcp_workload_provider'),
  gcp_service_account_email=getenv('gcp_service_account_email'),
  aws_account_id=getenv('aws_account_id'),
  aws_role_name=getenv('aws_role_name'),
  aws_region=getenv('aws_region')
)

Testing

# make a venv
make setup

Edit .env with your values

# install deps
make dev

# run pytest
make test

Upload to PyPi

Set your token/credentials in ~/.pypirc

make dist VERSION=1.x.x

Project details

Verified details

These details have been verified by PyPI
Maintainers
Avatar for ilanp from gravatar.com ilanp Avatar for jdyke from gravatar.com jdyke

Unverified details

These details have not been verified by PyPI
Project links
GitHub Statistics

View statistics for this project via Libraries.io, or by using our public dataset on Google BigQuery

Meta

License: Apache Software License (Apache License 2.0)

Author: ScaleSec

Requires: Python >= 3.6, !=3.0.*, !=3.1.*, !=3.2.*, !=3.3.*, !=3.4.*, !=3.5.*

Classifiers

Release history Release notifications | RSS feed

1.0.7

1.0.6

1.0.5

1.0.4

1.0.3

1.0.2

This version

1.0.1

1.0.0

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

scalesec-gcp-workload-identity-1.0.1.tar.gz (5.7 kB view hashes)

Uploaded Source

Built Distribution

scalesec_gcp_workload_identity-1.0.1-py3-none-any.whl (10.4 kB view hashes)

Uploaded Python 3

Supported by

AWS AWS Cloud computing and Security Sponsor Datadog Datadog Monitoring Fastly Fastly CDN Google Google Download Analytics Microsoft Microsoft PSF Sponsor Pingdom Pingdom Monitoring Sentry Sentry Error logging StatusPage StatusPage Status page