This package enables AWS->GCP federation with two lines of code
Project description
Scalesec GCP Workload Identity Federation
This package provides a Python module to federate access from AWS to GCP using Workload Identity Federation.
Quick start
# Create venv and install package
make setup
source .venv/bin/activate
pip install scalesec-gcp-workload-identity
# set up GCP credentials
gcloud auth login
# Enable the STS service in the project
gcloud services enable sts.googleapis.com
# The values below should be exported into the environment to be reused when calling the module later
# Create the GCP Workload Identity Pool
gcloud beta iam workload-identity-pools create "$gcp_workload_id" \
--location="global" \
--description="$gcp_workload_id" \
--display-name="$gcp_workload_id"
# Create the GCP Workload Identity AWS Provider
gcloud beta iam workload-identity-pools providers create-aws "$gcp_workload_provider" \
--location="global" \
--workload-identity-pool="$gcp_workload_id" \
--account-id="$aws_account_id"
# Add the appropriate IAM binding to a pre-existing service account
gcloud iam service-accounts add-iam-policy-binding $gcp_service_account_email \
--role roles/iam.workloadIdentityUser \
--member "principalSet://iam.googleapis.com/projects/$gcp_project_number/locations/global/workloadIdentityPools/$gcp_workload_id/attribute.aws_role/arn:aws:sts::${aws_account_id}:assumed-role/$aws_role_name"
Using the module
Set your AWS credentials
export AWS_PROFILE=xyz
Getting a Service Account token is now simple:
from scalesec_gcp_workload_identity.main import TokenService
token_service = TokenService(args...)
sa_token, expiry_date = token_service.get_token()
The arguments to TokenService can be read from the environment if they were exported above:
from os import getenv
token_service = TokenService(
gcp_project_number=getenv('gcp_project_number'),
gcp_workload_id=getenv('gcp_workload_id'),
gcp_workload_provider=getenv('gcp_workload_provider'),
gcp_service_account_email=getenv('gcp_service_account_email'),
aws_account_id=getenv('aws_account_id'),
aws_role_name=getenv('aws_role_name'),
aws_region=getenv('aws_region')
)
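To make clear what the quick-start IAM binding and the TokenService call above actually set up, here is an added example (not the scalesec package's own code, and not necessarily how the package implements it internally) that builds the pieces of an AWS-to-GCP Workload Identity exchange offline: the provider audience, the principalSet member granted roles/iam.workloadIdentityUser, the SigV4-signed GetCallerIdentity request that GCP STS replays to AWS, and the STS token-exchange body. All credential values, project numbers and names are constructed placeholders, and nothing is sent over the network. The security-relevant detail it shows is that the audience is signed into the request via the x-goog-cloud-target-resource header, so a token minted for one pool/provider cannot be presented to another.

```python
"""Added example: the building blocks of an AWS -> GCP Workload Identity
Federation exchange. Not the scalesec package's code; every credential and
identifier below is a constructed placeholder."""
import datetime
import hashlib
import hmac
import json
import urllib.parse

GCP_SCOPE = "https://www.googleapis.com/auth/cloud-platform"
GCP_STS_URL = "https://sts.googleapis.com/v1/token"


def provider_audience(project_number, pool_id, provider_id):
    """Resource name of the AWS provider inside the pool; used as STS audience."""
    return (f"//iam.googleapis.com/projects/{project_number}/locations/global/"
            f"workloadIdentityPools/{pool_id}/providers/{provider_id}")


def principal_set_member(project_number, pool_id, aws_account_id, aws_role_name):
    """The --member value from the quick start: every federated identity in the
    pool whose mapped aws_role attribute equals this assumed-role ARN."""
    return (f"principalSet://iam.googleapis.com/projects/{project_number}/locations/global/"
            f"workloadIdentityPools/{pool_id}/attribute.aws_role/"
            f"arn:aws:sts::{aws_account_id}:assumed-role/{aws_role_name}")


def _sigv4_key(secret, date, region, service):
    """Standard SigV4 signing-key derivation (kDate -> kRegion -> kService -> kSigning)."""
    k = hmac.new(("AWS4" + secret).encode(), date.encode(), hashlib.sha256).digest()
    for part in (region, service, "aws4_request"):
        k = hmac.new(k, part.encode(), hashlib.sha256).digest()
    return k


def signed_get_caller_identity(access_key, secret_key, session_token, region, audience, now):
    """Build the signed GetCallerIdentity request that becomes the STS subject token.
    x-goog-cloud-target-resource is a signed header, so the signature is only valid
    for the one audience (pool/provider) it names."""
    host = f"sts.{region}.amazonaws.com"
    query = "Action=GetCallerIdentity&Version=2011-06-15"   # already sorted by name
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    date = now.strftime("%Y%m%d")
    headers = {"host": host, "x-amz-date": amz_date, "x-goog-cloud-target-resource": audience}
    if session_token:  # present for assumed-role (temporary) credentials
        headers["x-amz-security-token"] = session_token
    signed = ";".join(sorted(headers))
    canonical_headers = "".join(f"{k}:{headers[k]}\n" for k in sorted(headers))
    payload_hash = hashlib.sha256(b"").hexdigest()            # POST with empty body
    canonical_request = "\n".join(["POST", "/", query, canonical_headers, signed, payload_hash])
    scope = f"{date}/{region}/sts/aws4_request"
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                hashlib.sha256(canonical_request.encode()).hexdigest()])
    signature = hmac.new(_sigv4_key(secret_key, date, region, "sts"),
                         string_to_sign.encode(), hashlib.sha256).hexdigest()
    authorization = (f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
                     f"SignedHeaders={signed}, Signature={signature}")
    header_list = [{"key": "Authorization", "value": authorization}]
    header_list += [{"key": k, "value": v} for k, v in headers.items()]
    return {"url": f"https://{host}/?{query}", "method": "POST", "headers": header_list}


def sts_exchange_body(audience, subject_token):
    """Body POSTed to GCP_STS_URL to trade the signed AWS request for a federated token."""
    return {
        "audience": audience,
        "grantType": "urn:ietf:params:oauth:grant-type:token-exchange",
        "requestedTokenType": "urn:ietf:params:oauth:token-type:access_token",
        "scope": GCP_SCOPE,
        "subjectTokenType": "urn:ietf:params:aws:token-type:aws4_request",
        "subjectToken": urllib.parse.quote(json.dumps(subject_token), safe=""),
    }


def impersonation_url(service_account_email):
    """Endpoint the federated token is then used against to mint a service-account token."""
    return ("https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/"
            f"{service_account_email}:generateAccessToken")


def demo():
    """Run the whole offline flow on constructed placeholder values."""
    aud = provider_audience("123456789012", "my-pool", "my-aws-provider")
    now = datetime.datetime(2024, 1, 2, 3, 4, 5)
    req = signed_get_caller_identity("AKIAEXAMPLE", "secret-placeholder",
                                     "session-token-placeholder", "us-east-1", aud, now)
    body = sts_exchange_body(aud, req)
    hdrs = {h["key"]: h["value"] for h in req["headers"]}
    return {
        "audience": aud,
        "member": principal_set_member("123456789012", "my-pool", "111122223333", "ci-role"),
        "headers": hdrs,
        "round_trip_ok": json.loads(urllib.parse.unquote(body["subjectToken"])) == req,
        "impersonation_url": impersonation_url("sa@example-project.iam.gserviceaccount.com"),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Because the signed request carries the audience, replaying it to a different pool or provider fails signature validation on the AWS side, and because the IAM binding uses attribute.aws_role rather than the whole account, only the named assumed role can impersonate the service account.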
Testing
# make a venv
make setup
# Edit .env with your values
# install deps
make dev
# run pytest
make test
Upload to PyPI
Set your token/credentials in ~/.pypirc
make dist VERSION=1.x.x
Project details
Download files
Source Distribution: scalesec-gcp-workload-identity-1.0.1.tar.gz
Algorithm | Hash digest
---|---
SHA256 | d70f4b55be804546f8bf1e7bc104481a7d8872d2d1044232403d69981682c4a5
MD5 | 105ede7006a45c330ac5570829a1c257
BLAKE2b-256 | 388a95067ca57e0d767059a0ccf3af6a882d35026c81d538a9cbb6a8b96890f0
Built Distribution: scalesec_gcp_workload_identity-1.0.1-py3-none-any.whl
Algorithm | Hash digest
---|---
SHA256 | 7bc96b86c0b61ec1b56a21fc947df5f4b5e0276024239b0379dc20a8cd1c93bc
MD5 | a481263619808214d72362f0ef831b57
BLAKE2b-256 | 87aeeb7dbc87599103687aa5624ca1b130e7bb50b9f96ce89cfcbd51c512fd39