Diffstat (limited to 'doc/ci/cloud_services/google_cloud/index.md')
-rw-r--r-- | doc/ci/cloud_services/google_cloud/index.md | 16 |
1 files changed, 13 insertions, 3 deletions
diff --git a/doc/ci/cloud_services/google_cloud/index.md b/doc/ci/cloud_services/google_cloud/index.md index 5ed22883518..d99b50b5013 100644 --- a/doc/ci/cloud_services/google_cloud/index.md +++ b/doc/ci/cloud_services/google_cloud/index.md @@ -114,6 +114,17 @@ the assertion in the previous section. After you configure the OIDC and role, the GitLab CI/CD job can retrieve a temporary credential from the [Google Cloud Security Token Service (STS)](https://cloud.google.com/iam/docs/reference/sts/rest). +Add `id_tokens` to your CI/CD job: + +```yaml +job: + id_tokens: + GITLAB_OIDC_TOKEN: + aud: https://gitlab.example.com +``` + +Get temporary credentials using the ID token: + ```shell PAYLOAD="$(cat <<EOF { @@ -122,7 +133,7 @@ PAYLOAD="$(cat <<EOF "requestedTokenType": "urn:ietf:params:oauth:token-type:access_token", "scope": "https://www.googleapis.com/auth/cloud-platform", "subjectTokenType": "urn:ietf:params:oauth:token-type:jwt", - "subjectToken": "${CI_JOB_JWT_V2}" + "subjectToken": "${GITLAB_OIDC_TOKEN}" } EOF )" @@ -142,8 +153,7 @@ Where: - `PROJECT_NUMBER` is your Google Cloud project number (not name). - `POOL_ID` is the ID of the Workload Identity Pool created in the first section. - `PROVIDER_ID` is the ID of the Workload Identity Provider created in the second section. -- `CI_JOB_JWT_V2` is injected into the CI/CD job by GitLab. For more information about - this variable, read [Connect to cloud services](../index.md). +- `GITLAB_OIDC_TOKEN` is an OIDC [ID token](../../yaml/index.md#id_tokens). You can then use the resulting federated token to impersonate the service account created in the previous section: |
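Review bot: The first hunk introduces `aud: https://gitlab.example.com` without saying what constrains that value. Google's STS only accepts the token if the `aud` claim matches an audience allowed on the Workload Identity Provider, so the text should state that `https://gitlab.example.com` is a placeholder for the reader's own GitLab instance URL and that it must match the audience configured on the provider in the earlier section; otherwise the exchange in the next snippet fails with an opaque error.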
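Review bot: In the second hunk the heredoc now interpolates `${GITLAB_OIDC_TOKEN}` in place of `${CI_JOB_JWT_V2}`, but the old variable is dropped outright rather than kept as an alternative. A short note on which GitLab version added `id_tokens`, or a pointer to the `id_tokens` reference, would help readers on older instances understand why `GITLAB_OIDC_TOKEN` is empty for them. It is also worth a sentence reminding readers not to print `PAYLOAD` in the job, since it embeds the raw ID token.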
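Review bot: The replacement bullet in the third hunk says `GITLAB_OIDC_TOKEN` "is an OIDC ID token" but loses the point the removed bullet made, namely where the variable comes from. Suggest: "`GITLAB_OIDC_TOKEN` is the [ID token](../../yaml/index.md#id_tokens) you defined under `id_tokens` in the job; the name in the shell script must match the key you chose there." That keeps the list of placeholders consistent with `PROJECT_NUMBER`, `POOL_ID` and `PROVIDER_ID`, each of which explains where its value is defined.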