Google Compute Cloud

Scalr offers two types of authentication for the Google Compute Cloud (GCP) provider. The OIDC method generates temporary credentials for each run and is considered a best practice. The service account key method uses static credentials, which should be rotated regularly.

OIDC

The OIDC authentication method creates a temporary access token for each run, avoiding the need to store static credentials in Scalr. A single OIDC provider can be linked to many workspaces, but each workspace can only have one OIDC provider linked to it.

GCP Steps

To enable this, the following must be done in GCP first (see GCP OIDC docs here):

Create a Workload Identity Pool

  • Create a workload identity pool. The name is required, while the ID and description are optional.

Create a Workload Identity Provider

  • Register Scalr as the identity provider in the identity pool. The provider type must be OIDC.
  • Add the provider name, e.g. scalr.
  • The identity provider issuer URL is https://scalr.io (this must be an exact match).
  • Leave the audience as the Default audience.
  • Now add the provider attribute mappings with the following settings. The subject mapping is required; the rest are optional.
attribute_mapping = {
    "google.subject"                   = "assertion.sub",
    "attribute.aud"                    = "assertion.aud",
    "attribute.scalr_run_phase"        = "assertion.scalr_run_phase",
    "attribute.scalr_workspace_id"     = "assertion.scalr_workspace_id",
    "attribute.scalr_workspace_name"   = "assertion.scalr_workspace_name",
    "attribute.scalr_environment_id"   = "assertion.scalr_environment_id",
    "attribute.scalr_environment_name" = "assertion.scalr_environment_name",
    "attribute.scalr_account_id"       = "assertion.scalr_account_id",
    "attribute.scalr_account_name"     = "assertion.scalr_account_name",
    "attribute.scalr_run_id"           = "assertion.scalr_run_id",
    "attribute.scalr_tags"             = "assertion.scalr_tags" # comma-separated list of workspace tags
}
  • Optionally, you can add attribute conditions to restrict which Scalr workspaces can obtain tokens through this provider. For example, you can limit the provider to certain environments or workspaces, e.g. by name or tag. From a security perspective, attribute conditions are considered a best practice.

Grant access

To grant access, you can use a pre-configured service account or create a new one with the IAM permissions required by the workspace(s). Scalr doesn't require any extra permissions.

Now, grant access between the needed service account and the created identity pool. See more on this in the Google docs here.

Lastly, download the ID token for the service account in JSON format. Google requires setting the path, which can simply be /. Scalr will ignore the setting as it will be overridden when added to Scalr.
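The GCP steps above, written as Terraform for the Google provider with an attribute condition and a workspace-scoped binding. This is an added example, not Scalr's own code; the pool ID, service account name, environment name "production" and workspace name "infra-network" are placeholders.

```hcl
# Added example: all names and condition values are placeholders.
resource "google_iam_workload_identity_pool" "scalr" {
  workload_identity_pool_id = "scalr-pool"
  display_name              = "Scalr"
}

resource "google_iam_workload_identity_pool_provider" "scalr" {
  workload_identity_pool_id          = google_iam_workload_identity_pool.scalr.workload_identity_pool_id
  workload_identity_pool_provider_id = "scalr"

  oidc {
    issuer_uri = "https://scalr.io" # must match exactly; audience left at the default
  }

  # Subset of the mappings listed above; only mapped attributes can be used in IAM bindings.
  attribute_mapping = {
    "google.subject"                   = "assertion.sub"
    "attribute.scalr_account_id"       = "assertion.scalr_account_id"
    "attribute.scalr_environment_name" = "assertion.scalr_environment_name"
    "attribute.scalr_workspace_name"   = "assertion.scalr_workspace_name"
  }

  # Tokens that fail this condition are rejected before any IAM binding is evaluated.
  attribute_condition = "assertion.scalr_account_id == \"acc-xxxxxxxxx\" && assertion.scalr_environment_name == \"production\""
}

resource "google_service_account" "scalr_runs" {
  account_id   = "scalr-runs"
  display_name = "Scalr workspace runs"
}

# Only runs from the named workspace may impersonate the service account.
resource "google_service_account_iam_member" "scalr_wif" {
  service_account_id = google_service_account.scalr_runs.name
  role               = "roles/iam.workloadIdentityUser"
  member             = "principalSet://iam.googleapis.com/${google_iam_workload_identity_pool.scalr.name}/attribute.scalr_workspace_name/infra-network"
}
```

The condition limits which tokens the provider accepts at all, while the `principalSet` member limits which of those identities can use this particular service account.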

Scalr Steps

In Scalr, you must create a provider configuration by going to the account scope and then provider configurations. Select GCP and OIDC, then upload the JSON into Scalr.

Once the provider configuration is added, it should then be shared with the environment(s) and linked to the workspace(s).

Provider Example

The following is an example of how to configure this in Scalr with the Scalr Terraform provider:

resource "scalr_provider_configuration" "oidc" {
  name       = "oidc-main"
  account_id = "acc-xxxxxxxxx"
  google {
    auth_type              = "oidc"
    service_account_email  = "[email protected]"
    workload_provider_name = "projects/123/locations/global/workloadIdentityPools/pool-name/providers/provider-name"
  }
}

The above is an example; please see the full provider documentation here.

Service Account Key Method

Create the Credential in GCP

In GCP, create the service account and assign enough permissions to manage the intended GCP objects. See more in the GCP docs here.

Once the key is created, download it and store it in a secure place.

Create the Provider Configuration in Scalr

Once you have the JSON file, it can be uploaded into Scalr.

Share the configuration with environments and/or workspaces once it has been created. See more on this here.

Provider Example

The following is an example of how to configure this in Scalr with the Scalr Terraform provider:

resource "scalr_provider_configuration" "service-account" {
  name       = "google_main"
  account_id = "acc-xxxxxxxxx"
  google {
    project     = "my-project"
    credentials = "my-credentials"
  }
}

The above is an example; please see the full provider documentation here.

Enabling the Google Beta Provider

To use the provider configuration with the Google beta provider, you must enable the "export credentials as shell variables" option.