Calling Google Cloud Services from AWS Using IAM Roles Without GCP Service Account Credentials

[Diagram: Workload Identity Federation usage]
  1. Create a workload identity pool and an AWS provider in it (GCP)
  2. Create a new service account; the roles/iam.workloadIdentityUser binding on it is added in step 5 (GCP)
  3. Create a new AWS IAM Role whose trusted entity is the EC2 service
  4. Create an EC2 instance with the newly created Role attached
  5. Bind the AWS Role ARN (via the pool's attribute.aws_role attribute) to the GCP service account
  6. Call a Google Cloud service from EC2 without a service account credential file

1. Time to Create a Pool and Provider (GCP)

Head to Workload Identity Federation under Google Cloud IAM and create a pool. I gave it the name aws-identity-pool. Inside the pool, add a provider of type AWS, enter your AWS account ID, and name it aws-provider (the later commands refer to that name). Keep the default attribute mapping: it sets google.subject to assertion.arn and derives attribute.aws_role from it, which is the attribute the binding in step 5 matches on.

2. A new service account with role (GCP)

Under Google Cloud IAM there is a Service accounts section. Create a new service account; I gave it the name gcp-aws-identity. Grant it only the roles the EC2 workload actually needs on the Google Cloud services it will call (for example, a read-only Storage role if it only reads objects). The Workload Identity User role is not a project-level role for the service account itself: it is granted on the service account to the federated AWS identity, which is what the add-iam-policy-binding command in step 5 does.

3. Create a new AWS IAM Role with use case as EC2 instance

Head over to IAM/Roles from the AWS console and click "Create role". Choose EC2 as the trusted entity (use case) so that instances can assume the role. Name it AWS_GCP_Identity_ROLE, the name used in the binding command below. The role needs no AWS permission policies for this exercise: Google only verifies the instance's identity through the role's STS credentials.

4. Create an EC2 instance with the newly created Role

A new instance with port 22 open is convenient for a quick check; restrict the security group rule to your own IP rather than 0.0.0.0/0. Attach the newly created role to the instance as its instance profile. Note whether the instance requires IMDSv2 (the default on recent launch templates), because the credential configuration generated in step 5 must then be told to use the IMDSv2 token endpoint.

5. Bind AWS Workload Identity with the Role ARN to the GCP service account

Run the following commands from Google Cloud Shell or any authenticated environment, replacing GCP_ACCOUNT_ID (the numeric GCP project number, not the project ID), AWS_ACCOUNT_ID and GCP_PROJECT with your own. The member in the first command must be the role ARN in assumed-role form without a session name, which is why the attribute.aws_role mapping is used rather than the full ARN the instance reports. If the instance requires IMDSv2, add --enable-imdsv2 to the second command so the generated file fetches an IMDSv2 session token before reading instance credentials. Copy the generated configoutput.json to the EC2 instance; it contains no secrets, only the audience and endpoints needed to exchange the instance's AWS credentials for a Google access token.

gcloud iam service-accounts add-iam-policy-binding gcp-aws-identity@[GCP_PROJECT].iam.gserviceaccount.com \
    --role=roles/iam.workloadIdentityUser \
    --member="principalSet://iam.googleapis.com/projects/[GCP_ACCOUNT_ID]/locations/global/workloadIdentityPools/aws-identity-pool/attribute.aws_role/arn:aws:sts::[AWS_ACCOUNT_ID]:assumed-role/AWS_GCP_Identity_ROLE" \
    --project [GCP_PROJECT]

gcloud iam workload-identity-pools create-cred-config \
    projects/[GCP_ACCOUNT_ID]/locations/global/workloadIdentityPools/aws-identity-pool/providers/aws-provider \
    --service-account=gcp-aws-identity@[GCP_PROJECT].iam.gserviceaccount.com \
    --output-file=configoutput.json \
    --aws
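The most common reason step 6 fails is a mismatch between the binding and the credential configuration: the member in the binding names a pool and role ARN, while the file names a pool and provider, and the ARN an EC2 instance reports from aws sts get-caller-identity carries a trailing session name that the binding must not include. The following script is an added example, not code from the article, that reproduces those pieces offline so they can be checked before touching the instance: it derives attribute.aws_role from a caller ARN the way the provider's default mapping does, builds the principalSet member, builds a credential configuration in the same shape that create-cred-config --aws writes, and compares a configuration against the pool, provider and service account the binding was made for. Project number, account ID, role and pool names are placeholders.

```python
"""Offline sanity checks for an AWS -> GCP Workload Identity Federation setup.

Added example (not from the article). Assumes the AWS provider's default
attribute mapping (google.subject = assertion.arn, attribute.aws_role derived
from it) and the file layout written by
`gcloud iam workload-identity-pools create-cred-config --aws`.
All identifiers below are placeholders.
"""
import json
import re

STS_TOKEN_URL = "https://sts.googleapis.com/v1/token"
AWS_TOKEN_TYPE = "urn:ietf:params:aws:token-type:aws4_request"
IMDS = "http://169.254.169.254/latest"


def aws_role_attribute(caller_arn: str) -> str:
    """Mirror the default attribute.aws_role mapping.

    An EC2 instance sees itself as
    arn:aws:sts::<acct>:assumed-role/<role>/<session>; the mapping keeps
    everything up to the role name, which is what the principalSet://
    member must contain. Any other ARN is passed through unchanged.
    """
    m = re.fullmatch(r"(arn:aws:sts::\d{12}:assumed-role/[^/]+)(?:/.*)?", caller_arn)
    return m.group(1) if m else caller_arn


def binding_member(project_number: str, pool: str, caller_arn: str) -> str:
    """The --member value for add-iam-policy-binding."""
    return (
        f"principalSet://iam.googleapis.com/projects/{project_number}"
        f"/locations/global/workloadIdentityPools/{pool}"
        f"/attribute.aws_role/{aws_role_attribute(caller_arn)}"
    )


def aws_cred_config(project_number, pool, provider, sa_email, imdsv2=True):
    """Same shape as the JSON that create-cred-config --aws produces."""
    source = {
        "environment_id": "aws1",
        "region_url": f"{IMDS}/meta-data/placement/availability-zone",
        "url": f"{IMDS}/meta-data/iam/security-credentials",
        "regional_cred_verification_url":
            "https://sts.{region}.amazonaws.com?Action=GetCallerIdentity&Version=2011-06-15",
    }
    if imdsv2:  # written by --enable-imdsv2; required when the instance enforces IMDSv2
        source["imdsv2_session_token_url"] = f"{IMDS}/api/token"
    return {
        "type": "external_account",
        "audience": (f"//iam.googleapis.com/projects/{project_number}/locations/global"
                     f"/workloadIdentityPools/{pool}/providers/{provider}"),
        "subject_token_type": AWS_TOKEN_TYPE,
        "token_url": STS_TOKEN_URL,
        "service_account_impersonation_url":
            f"https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/{sa_email}:generateAccessToken",
        "credential_source": source,
    }


def check_cred_config(config, project_number, pool, provider, sa_email):
    """Return the list of mismatches between a config file and the intended binding."""
    expected = aws_cred_config(project_number, pool, provider, sa_email)
    problems = []
    if config.get("type") != "external_account":
        problems.append("type is not external_account")
    if config.get("audience") != expected["audience"]:
        problems.append("audience does not name the pool/provider the binding was made on")
    if config.get("subject_token_type") != AWS_TOKEN_TYPE:
        problems.append("subject_token_type is not the AWS SigV4 request token type")
    if config.get("service_account_impersonation_url") != expected["service_account_impersonation_url"]:
        problems.append("impersonation URL does not point at the bound service account")
    src = config.get("credential_source", {})
    if src.get("environment_id") != "aws1":
        problems.append("credential_source is not an AWS (aws1) source")
    if "imdsv2_session_token_url" not in src:
        problems.append("no imdsv2_session_token_url: fails on instances that require IMDSv2")
    return problems


if __name__ == "__main__":
    # Constructed placeholders: what `aws sts get-caller-identity` prints on the instance.
    caller = "arn:aws:sts::123456789012:assumed-role/AWS_GCP_Identity_ROLE/i-0123456789abcdef0"
    sa = "gcp-aws-identity@my-project.iam.gserviceaccount.com"
    print(binding_member("111111111111", "aws-identity-pool", caller))
    good = aws_cred_config("111111111111", "aws-identity-pool", "aws-provider", sa)
    print(json.dumps(good, indent=2))
    # A file generated for the wrong provider and without IMDSv2 support.
    bad = aws_cred_config("111111111111", "aws-identity-pool", "other-provider", sa, imdsv2=False)
    for p in check_cred_config(bad, "111111111111", "aws-identity-pool", "aws-provider", sa):
        print("problem:", p)
```

Run it on the EC2 instance after copying configoutput.json there: load the file with json.load and pass it to check_cred_config together with the values used in step 5, and compare the printed member with the one in the binding. An empty problem list plus a matching member means any remaining failure is on the AWS side (instance profile not attached, or IMDSv2 enforced without --enable-imdsv2).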
