Blog

Keyless Google Cloud deployments from Azure Pipelines

08 Apr, 2024
Xebia Background Header Wave

Deploying Google Cloud (GCP) resources via Azure Pipelines used to require service account keys. Today, however, Azure DevOps OIDC tokens can be exchanged to Google credentials using Google Cloud Workload Identity Federation. This blog uses the Google Cloud Auth to do so.

Azure DevOps Google Cloud Deployment Pipeline Overview

The high-level deployment pipeline consists of two steps. First, the Google Credentials are exchanged. Second, the Google Cloud deployment is executed.

Setup overview

Use this blog to configure Google Cloud Workload Identity Federation for Azure DevOps.

Azure Pipeline Configuration

An example Terraform deployment pipeline is configured below:

steps:
- task: GcpWifAuth@0
  inputs:
    connectedServiceId: gcp-wip-ado
- task: TerraformInstaller@1
  inputs:
    terraformVersion: 'latest'
- task: Bash@3
  inputs:
    targetType: 'inline'
    script: 'terraform init'
    workingDirectory: 'terraform'
- task: Bash@3
  inputs:
    targetType: 'inline'
    script: 'terraform apply -auto-approve'
    workingDirectory: 'terraform'

The GcpWifAuth-task initializes an external account credentials-file and points the GOOGLE_APPLICATION_CREDENTIALS to it. The Google Auth library, as a result, will exchange the Azure DevOps OIDC token for a Google credential.

The credentials are executable-sourced, because the Create OIDC token url requires a POST method. Consequently, the GOOGLE_EXTERNAL_ACCOUNT_ALLOW_EXECUTABLES is exported as well.

Google Cloud Workload Identity Federation Service Connection

The GcpWifAuth-task requires a service connection to authorize the pipeline for a specific Google Cloud resource. This Google Cloud Workload Identity Federation service connection specifies the workload identity pool provider and optionally the service account to assume:

Service connection

Bonus: Overriding The Assumed Service Account

The assumed service account, optionally, can be overriden in the step definition. This enables you to manage a single Workload Identity Pool Provider and Service connection, while accessing multiple service accounts. Note, however, that the Azure DevOps token only indicates that the pipeline is granted access to the Service connection, and not the target service account.

steps:
- task: GcpWifAuth@0
  inputs:
    connectedServiceId: gcp-wip-ado
    serviceAccount: special-deployment@my-project.iam.gserviceaccount.com

Conclusion

Replace service account keys with federated Google credentials. Reduce credential management using the GcpWifAuth-task.

Image by RENE RAUSCHENBERGER from Pixabay

Laurens Knoll
As a cloud consultant I enjoy improving what your company does best. I enable your business using cloud technology and enable your engineers by applying software engineering practices to your infrastructure domain.
Questions?

Get in touch with us to learn more about the subject and related solutions

Explore related posts