Calling Google Cloud Services from AWS Using IAM Roles Without GCP Service Account Credentials

Workload Identity Federation Usage. Source: storage.googleapis.com

1. Create a workload identity pool and an AWS provider in it (GCP)

2. Create a service account and grant it the GCP role the workload needs (GCP)

3. Create an IAM role whose trusted entity is the EC2 service (AWS)

4. Launch an EC2 instance with that role attached through an instance profile (AWS)

5. Bind the AWS role, identified by its assumed-role ARN, to the GCP service account through the pool, then generate the credential configuration file (GCP)

# [GCP_ACCOUNT_ID] is the numeric project number, not the project ID string used in [GCP_PROJECT].
# attribute.aws_role carries the STS assumed-role ARN with the session name stripped, so the
# member below matches every session of AWS_GCP_Identity_ROLE and nothing else.
gcloud iam service-accounts add-iam-policy-binding gcp-aws-identity@[GCP_PROJECT].iam.gserviceaccount.com \
    --role=roles/iam.workloadIdentityUser \
    --member="principalSet://iam.googleapis.com/projects/[GCP_ACCOUNT_ID]/locations/global/workloadIdentityPools/aws-identity-pool/attribute.aws_role/arn:aws:sts::[AWS_ACCOUNT_ID]:assumed-role/AWS_GCP_Identity_ROLE" \
    --project [GCP_PROJECT]

# Generate the credential configuration file that client libraries on the instance read
# (point GOOGLE_APPLICATION_CREDENTIALS at it). It contains no secret: it only tells the
# library which pool and provider to exchange the instance's AWS credentials against.
gcloud iam workload-identity-pools create-cred-config \
    projects/[GCP_ACCOUNT_ID]/locations/global/workloadIdentityPools/aws-identity-pool/providers/aws-provider \
    --service-account=gcp-aws-identity@[GCP_PROJECT].iam.gserviceaccount.com \
    --output-file=configoutput.json \
    --aws
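The five steps above, as one script. This is an added example, not code from the original post: the pool, provider, service account and AWS role names are taken from the post's commands, while the project ID, AWS account ID, AMI and the granted role (roles/storage.objectViewer) are placeholders you would replace. It also adds two hardening points the step list does not mention: an attribute condition on the provider so the pool only accepts tokens from the one expected AWS role, and IMDSv2 on both the instance and the credential configuration so the role's AWS credentials cannot be fetched with a plain unauthenticated metadata GET.

```shell
#!/usr/bin/env sh
# Added example (not from the original post). Set GCP_PROJECT and AWS_ACCOUNT_ID,
# then run:  sh wif_setup.sh apply
set -eu

GCP_PROJECT="${GCP_PROJECT:-my-gcp-project}"      # project ID string (placeholder)
AWS_ACCOUNT_ID="${AWS_ACCOUNT_ID:-123456789012}"  # placeholder account
POOL_ID="aws-identity-pool"
PROVIDER_ID="aws-provider"
SA_NAME="gcp-aws-identity"
AWS_ROLE="AWS_GCP_Identity_ROLE"
GRANTED_ROLE="roles/storage.objectViewer"         # what the workload may do in GCP (placeholder)
AMI_ID="${AMI_ID:-ami-0123456789abcdef0}"         # placeholder AMI

# attribute.aws_role, as mapped by default for AWS providers, is the STS assumed-role
# ARN with the session name stripped. Both the provider condition and the binding match on it.
aws_role_arn() {            # $1 = AWS account id, $2 = role name
  printf 'arn:aws:sts::%s:assumed-role/%s' "$1" "$2"
}

# principalSet member for the service-account binding (step 5).
# $1 = GCP project NUMBER (not ID), $2 = pool id, $3 = AWS account id, $4 = role name
wif_member() {
  printf 'principalSet://iam.googleapis.com/projects/%s/locations/global/workloadIdentityPools/%s/attribute.aws_role/%s' \
    "$1" "$2" "$(aws_role_arn "$3" "$4")"
}

# Trust policy for step 3: only the EC2 service may assume the role.
ec2_trust_policy() {
  cat <<'EOF'
{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"Service":"ec2.amazonaws.com"},"Action":"sts:AssumeRole"}]}
EOF
}

# CEL attribute condition for the provider (step 1): tokens from any other AWS
# account or role are rejected at the provider, before any binding is consulted.
provider_condition() {      # $1 = AWS account id, $2 = role name
  printf "attribute.aws_role == '%s'" "$(aws_role_arn "$1" "$2")"
}

apply() {
  PROJECT_NUMBER="$(gcloud projects describe "$GCP_PROJECT" --format='value(projectNumber)')"
  SA_EMAIL="${SA_NAME}@${GCP_PROJECT}.iam.gserviceaccount.com"

  # 1. Pool and AWS provider (GCP)
  gcloud iam workload-identity-pools create "$POOL_ID" --location=global \
    --display-name="AWS workloads" --project="$GCP_PROJECT"
  gcloud iam workload-identity-pools providers create-aws "$PROVIDER_ID" \
    --location=global --workload-identity-pool="$POOL_ID" \
    --account-id="$AWS_ACCOUNT_ID" \
    --attribute-condition="$(provider_condition "$AWS_ACCOUNT_ID" "$AWS_ROLE")" \
    --project="$GCP_PROJECT"

  # 2. Service account with the role the workload needs (GCP)
  gcloud iam service-accounts create "$SA_NAME" \
    --display-name="AWS federated identity" --project="$GCP_PROJECT"
  gcloud projects add-iam-policy-binding "$GCP_PROJECT" \
    --member="serviceAccount:${SA_EMAIL}" --role="$GRANTED_ROLE"

  # 3. AWS role trusted by EC2, wrapped in an instance profile (AWS)
  aws iam create-role --role-name "$AWS_ROLE" \
    --assume-role-policy-document "$(ec2_trust_policy)"
  aws iam create-instance-profile --instance-profile-name "$AWS_ROLE"
  aws iam add-role-to-instance-profile --instance-profile-name "$AWS_ROLE" --role-name "$AWS_ROLE"

  # 4. Instance with that profile; HttpTokens=required enforces IMDSv2 (AWS)
  aws ec2 run-instances --image-id "$AMI_ID" --instance-type t3.micro \
    --iam-instance-profile "Name=${AWS_ROLE}" \
    --metadata-options "HttpTokens=required,HttpEndpoint=enabled"

  # 5. Allow the AWS role to impersonate the service account, then emit the config (GCP)
  gcloud iam service-accounts add-iam-policy-binding "$SA_EMAIL" \
    --role=roles/iam.workloadIdentityUser \
    --member="$(wif_member "$PROJECT_NUMBER" "$POOL_ID" "$AWS_ACCOUNT_ID" "$AWS_ROLE")" \
    --project="$GCP_PROJECT"
  gcloud iam workload-identity-pools create-cred-config \
    "projects/${PROJECT_NUMBER}/locations/global/workloadIdentityPools/${POOL_ID}/providers/${PROVIDER_ID}" \
    --service-account="$SA_EMAIL" --aws --enable-imdsv2 \
    --output-file=configoutput.json
}

# Only run the procedure when asked; sourcing the file just defines the helpers.
if [ "${1:-}" = "apply" ]; then
  apply
fi
```

Two practical notes: a freshly created IAM role and instance profile are eventually consistent, so the run-instances call in step 4 can fail for a few seconds after step 3 and may need a short wait or retry; and because the provider condition pins a single role ARN, adding a second AWS role later means widening the condition as well as adding a binding.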
