Calling Google Cloud Services from AWS Using IAM Roles Without GCP Service Account Credentials
If we are inside Google Cloud and want to call any GCP services, we prefer using Service Account with Access Scope which makes the identity and API access lot more easier. No burden of handling credential keys but the specific service will have access to another service or API call.
But if we want to call GCP services out of Google Cloud environment, service account credential is the normal way. We create a new Service Account, assign the required permission and generate key for that account. Then referencing the key path from code or gcloud cli for authentication purpose.
If you are on AWS environment, the key file with credential is no more required. We can use AWS IAM role as authentication mechanism for calling Google Cloud resources. Yes, this is possible by the use of Workload identity federation. The identity federation can be used with Amazon Web Services (AWS), or with any identity provider that supports OpenID Connect (OIDC), such as Microsoft Azure, or SAML 2.0 Preview. Means, the multi-cloud approach is much broader and easier.
Let’s dive into it by going through what steps we will be doing:
- Create identity pool and provider
- Create a new service account and add
roles/iam.workloadIdentityUser
to the account - Create a new AWS IAM Role with trusted entity as EC2 instance
- Create an EC2 instance with the newly created Role
- Bind AWS Workload Identity with the Role ARN to the GCP service account
- Call Google Cloud service from EC2 without service account credential file
1. Time to Create a Pool and Provider(GCP)
Head to Workload Identity Federation under Google Cloud IAM. I gave it a name aws-identity-pool
Next, adding provider to the pool. Setting provider name as aws
and provider id as aws-provider
with the AWS account ID for the binding.
And create the pool.
2. A new service account with role(GCP)
Under Google Cloud IAM, there is Service accounts section. Create a new service account with Workload Identity User role. I gave it a name gcp-aws-identity
Adding the role for user and done!
3. Create a new AWS IAM Role with use case as EC2 instance
Head over to IAM/Roles from AWS console and “Create role”.
No permission is required. I saved it with name “AWS_GCP_Identity_ROLE”.
4. Create an EC2 instance with the newly created Role
A new instance with port 22 open is preferred for a quick check. Attach the newly created role into the instance.
5. Bind AWS Workload Identity with the Role ARN to the GCP service account
Run the following command from Google Cloud Shell or any authenticated environment by replacing GCP_ACCOUNT_ID, AWS_ACCOUNT_ID and GCP_PROJECT with your own.
gcloud iam service-accounts add-iam-policy-binding gcp-aws-identity@[GCP_PROJECT].iam.gserviceaccount.com --role=roles/iam.workloadIdentityUser --member="principalSet://iam.googleapis.com/projects/[GCP_ACCOUNT_ID]/locations/global/workloadIdentityPools/aws-identity-pool/attribute.aws_role/arn:aws:sts::[AWS_ACCOUNT_ID]:assumed-role/AWS_GCP_Identity_ROLE" --project [GCP_PROJECT]
And create the credential config
gcloud iam workload-identity-pools create-cred-config \
projects/[GCP_ACCOUNT_ID]/locations/global/workloadIdentityPools/aws-identity-pool/providers/aws-provider \
--service-account=gcp-aws-identity@[GCP_PROJECT].iam.gserviceaccount.com \
--output-file=configoutput.json \
--aws
By using the above generated configoutput.json
, we can call GCP service from AWS from the instance which is attached with the IAM role. The json file doesn’t have actual service account credential but only few variables for