Calling Google Cloud Services from AWS Using IAM Roles Without GCP Service Account Credentials

If we are inside Google Cloud and want to call GCP services, the preferred way is to use a Service Account with access scopes, which makes identity and API access much easier. There is no burden of handling credential keys, yet the specific service still gets access to the other services or API calls it needs.

But if we want to call GCP services from outside the Google Cloud environment, a service account credential is the normal way. We create a new Service Account, assign the required permissions and generate a key for that account. Then we reference the key path from code or from the gcloud CLI for authentication.

If you are in an AWS environment, the key file with the credential is no longer required. We can use an AWS IAM role as the authentication mechanism for calling Google Cloud resources. This is possible through Workload Identity Federation. Identity federation can be used with Amazon Web Services (AWS), or with any identity provider that supports OpenID Connect (OIDC), such as Microsoft Azure, or SAML 2.0 (Preview). This means the multi-cloud approach is much broader and easier.

Workload Identity Federation Usage. Source: storage.googleapis.com

Let's dive in by walking through the steps we will be doing:

1. Time to Create a Pool and Provider (GCP)

Head to Workload Identity Federation under Google Cloud IAM. I gave the pool the name aws-identity-pool.

Next, add a provider to the pool. Set the provider name to aws and the provider ID to aws-provider, with the AWS account ID for the binding.

And create the pool.

2. A new service account with a role (GCP)

Under Google Cloud IAM there is a Service accounts section. Create a new service account with the Workload Identity User role. I gave it the name gcp-aws-identity.

Add the role to the service account, and done!

3. Create a new AWS IAM Role with the use case set to EC2 instance

Head over to IAM/Roles in the AWS console and click "Create role".

No permissions are required. I saved it with the name "AWS_GCP_Identity_ROLE".

4. Create an EC2 instance with the newly created Role

A new instance with port 22 open is preferred for a quick check. Attach the newly created role to the instance.

5. Bind AWS Workload Identity with the Role ARN to the GCP service account

Run the following command from Google Cloud Shell or any authenticated environment, replacing GCP_ACCOUNT_ID, AWS_ACCOUNT_ID and GCP_PROJECT with your own values.

gcloud iam service-accounts add-iam-policy-binding gcp-aws-identity@[GCP_PROJECT].iam.gserviceaccount.com \
--role=roles/iam.workloadIdentityUser \
--member="principalSet://iam.googleapis.com/projects/[GCP_ACCOUNT_ID]/locations/global/workloadIdentityPools/aws-identity-pool/attribute.aws_role/arn:aws:sts::[AWS_ACCOUNT_ID]:assumed-role/AWS_GCP_Identity_ROLE" \
--project [GCP_PROJECT]

Then create the credential config:

gcloud iam workload-identity-pools create-cred-config \
projects/[GCP_ACCOUNT_ID]/locations/global/workloadIdentityPools/aws-identity-pool/providers/aws-provider \
--service-account=gcp-aws-identity@[GCP_PROJECT].iam.gserviceaccount.com \
--output-file=configoutput.json \
--aws

Using the configoutput.json generated above, we can call GCP services from AWS, from the instance that has the IAM role attached. The JSON file doesn't contain an actual service account credential but only a few variables for
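The two commands above are where a mistake is easiest to make: the principalSet member in the policy binding has to match the pool, the AWS account and the role name exactly, and the generated configoutput.json should contain only pointers (pool audience, STS token URL, impersonation URL, EC2 metadata URLs) and never a private key. The following Python script is an added example, not code from the original post or from Google; it parses a hand-constructed config that mirrors the documented shape of an AWS external_account config, refuses configs that carry secret material, pulls out the pool, provider and service account it points at, and derives from them the principalSet member the add-iam-policy-binding step must grant. All IDs, the project number and the role name in it are placeholders.

```python
"""Added example (not from the original post): inspect a Workload Identity
Federation credential config for AWS and derive the binding member it needs.

Assumptions (constructed, not taken from the post):
  * SAMPLE_CONFIG is hand-written to mirror the documented shape of the file
    that `gcloud iam workload-identity-pools create-cred-config --aws` emits;
    real output may carry extra fields (e.g. imdsv2_session_token_url)
  * the project number, AWS account ID, pool/provider IDs and role name are
    placeholders
"""
import json
import re

# Constructed sample config. Note that there is no private key anywhere in it:
# every value is a URL or identifier that is safe to commit to an AMI or repo.
SAMPLE_CONFIG = json.dumps({
    "type": "external_account",
    "audience": "//iam.googleapis.com/projects/123456789012/locations/global/"
                "workloadIdentityPools/aws-identity-pool/providers/aws-provider",
    "subject_token_type": "urn:ietf:params:aws:token-type:aws4_request",
    "service_account_impersonation_url": "https://iamcredentials.googleapis.com/v1/"
        "projects/-/serviceAccounts/gcp-aws-identity@my-project.iam.gserviceaccount.com"
        ":generateAccessToken",
    "token_url": "https://sts.googleapis.com/v1/token",
    "credential_source": {
        "environment_id": "aws1",
        "region_url": "http://169.254.169.254/latest/meta-data/placement/availability-zone",
        "url": "http://169.254.169.254/latest/meta-data/iam/security-credentials",
        "regional_cred_verification_url":
            "https://sts.{region}.amazonaws.com?Action=GetCallerIdentity&Version=2011-06-15",
    },
})

# Fields that belong to long-lived key files, never to a federation config.
SECRET_FIELDS = {"private_key", "private_key_id", "client_secret", "refresh_token"}

AUDIENCE_RE = re.compile(
    r"^//iam\.googleapis\.com/projects/(?P<project>\d+)/locations/global/"
    r"workloadIdentityPools/(?P<pool>[^/]+)/providers/(?P<provider>[^/]+)$"
)
IMPERSONATION_RE = re.compile(
    r"^https://iamcredentials\.googleapis\.com/v1/projects/-/serviceAccounts/"
    r"(?P<sa>[^:]+):generateAccessToken$"
)


def workload_identity_member(project_number, pool_id, aws_account_id, role_name):
    """Build the principalSet member used in the add-iam-policy-binding step.

    For an EC2 instance the provider's default attribute mapping sets
    attribute.aws_role to the assumed-role STS ARN without the session name.
    """
    return (
        f"principalSet://iam.googleapis.com/projects/{project_number}/locations/global/"
        f"workloadIdentityPools/{pool_id}/attribute.aws_role/"
        f"arn:aws:sts::{aws_account_id}:assumed-role/{role_name}"
    )


def inspect_cred_config(raw_json):
    """Parse a credential config and return the identity it points at.

    Raises ValueError if the file is not an AWS external_account config or
    if it carries secret material that a federation config must never hold.
    """
    cfg = json.loads(raw_json)
    leaked = SECRET_FIELDS & set(cfg)
    if leaked:
        raise ValueError(f"config carries secret material: {sorted(leaked)}")
    if cfg.get("type") != "external_account":
        raise ValueError("not an external_account config")
    if cfg.get("subject_token_type") != "urn:ietf:params:aws:token-type:aws4_request":
        raise ValueError("subject token type is not an AWS SigV4 request")
    src = cfg.get("credential_source", {})
    if src.get("environment_id") != "aws1":
        raise ValueError("credential_source is not the AWS (aws1) source")
    aud = AUDIENCE_RE.match(cfg.get("audience", ""))
    if not aud:
        raise ValueError("audience does not name a workload identity pool provider")
    imp = IMPERSONATION_RE.match(cfg.get("service_account_impersonation_url", ""))
    if not imp:
        raise ValueError("impersonation URL does not name a service account")
    return {
        "project_number": aud["project"],
        "pool_id": aud["pool"],
        "provider_id": aud["provider"],
        "service_account": imp["sa"],
        "uses_imdsv2": "imdsv2_session_token_url" in src,
    }


def expected_binding_member(raw_json, aws_account_id, role_name):
    """Derive, from the config itself, the member the service account binding must grant."""
    facts = inspect_cred_config(raw_json)
    return workload_identity_member(facts["project_number"], facts["pool_id"],
                                    aws_account_id, role_name)


if __name__ == "__main__":
    print(json.dumps(inspect_cred_config(SAMPLE_CONFIG), indent=2))
    print(expected_binding_member(SAMPLE_CONFIG, "111122223333", "AWS_GCP_Identity_ROLE"))
```

Run it against a real configoutput.json by replacing SAMPLE_CONFIG with the file contents; if the printed member does not match the one you granted with add-iam-policy-binding, the token exchange will fail with a permission error on generateAccessToken. On the instance itself the file is consumed by pointing GOOGLE_APPLICATION_CREDENTIALS at it, after which the Google client libraries perform the metadata lookup, STS exchange and impersonation automatically.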
