OIDC with Google Cloud
See the general OIDC documentation before diving into the Google Cloud specific setup.
Google Cloud Specific Setup
When configuring the token in the Mint Vault UI, it's customary to name the token gcp. You can then reference the token in your Mint run with:
${{ vaults.your_vault.oidc.gcp }}
After configuring Google Cloud to accept the token, you can use the google-cloud/auth-oidc leaf and pass the token in via the oidc-token parameter. See the documentation for the google-cloud/auth-oidc leaf.
The Mint OIDC token subject takes the form mint:{organization uuid}:{vault name} and is provided by Mint Vaults for the token that you configured. Use this value for <SUBJECT_ATTRIBUTE_VALUE> below, and replace <PROJECT_ID> with your Google Cloud project ID.
The vault name is included in the token subject. If you use multiple vaults — perhaps one for development resources and another for production resources — create multiple Workload Identity Providers.
When adding the OIDC token to Mint, you must provide the audience from the Workload Identity Provider. If you use the default audience, the value to enter is derived below.
OIDC Provider
Configure a workload provider and pool by following Google's Workload Identity Federation documentation.
When prompted for the new workload provider and pool settings, use the following values:
- Issuer (URL): https://cloud.rwx.com/mint
- Map the google.subject attribute to the assertion.sub claim
- Add an attribute condition: google.subject == '<SUBJECT_ATTRIBUTE_VALUE>'
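As an added example (not code from the Mint docs or from Google), the following Python models the checks the provider configured above applies to a token: issuer, audience, the google.subject mapping and the attribute condition, and shows why a token from a second vault (development) is rejected by a provider whose condition names the production vault subject. The pool ID, organization UUID and vault names are constructed placeholders, and signature verification is not modelled.

```python
import time

MINT_ISSUER = "https://cloud.rwx.com/mint"

def default_audience(pool_id, provider_name="mint"):
    """Default audience: '//iam.googleapis.com' + the full provider resource name."""
    return f"//iam.googleapis.com/{pool_id}/providers/{provider_name}"

def mint_subject(org_uuid, vault_name):
    """Mint token subject: mint:{organization uuid}:{vault name}."""
    return f"mint:{org_uuid}:{vault_name}"

def provider_accepts(claims, pool_id, expected_subject, now=None):
    """Model of the provider's checks: issuer, audience, expiry, then the
    attribute mapping google.subject=assertion.sub and the attribute condition
    google.subject == '<SUBJECT_ATTRIBUTE_VALUE>'. Returns (accepted, reason)."""
    now = time.time() if now is None else now
    if claims.get("iss") != MINT_ISSUER:
        return False, "issuer mismatch"
    aud = claims.get("aud")
    if default_audience(pool_id) not in (aud if isinstance(aud, list) else [aud]):
        return False, "audience mismatch"
    if claims.get("exp", 0) <= now:
        return False, "token expired"
    attrs = {"google.subject": claims.get("sub")}  # --attribute-mapping
    if attrs["google.subject"] != expected_subject:  # --attribute-condition
        return False, "attribute condition failed"
    return True, "accepted as " + attrs["google.subject"]

# Constructed sample values (placeholders, not real identifiers).
POOL_ID = "projects/123456789/locations/global/workloadIdentityPools/mint-pool"
ORG_UUID = "00000000-0000-0000-0000-000000000000"
PROD_SUBJECT = mint_subject(ORG_UUID, "production")  # <SUBJECT_ATTRIBUTE_VALUE>

def sample_token(vault_name, aud=None):
    """Constructed, unsigned claim set shaped like a Mint OIDC token."""
    return {
        "iss": MINT_ISSUER,
        "sub": mint_subject(ORG_UUID, vault_name),
        "aud": default_audience(POOL_ID) if aud is None else aud,
        "exp": int(time.time()) + 300,
    }

if __name__ == "__main__":
    # A token from the 'development' vault is rejected by the production provider.
    for tok in (sample_token("production"), sample_token("development")):
        print(tok["sub"], provider_accepts(tok, POOL_ID, PROD_SUBJECT))
```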
When using the gcloud CLI, a Workload Identity Pool can be created with:
gcloud iam workload-identity-pools create "mint-pool" \
--project="<PROJECT_ID>" \
--location="global" \
--display-name="Mint Pool"
Get the full ID of the Workload Identity Pool with:
gcloud iam workload-identity-pools describe "mint-pool" \
--project="<PROJECT_ID>" \
--location="global" \
--format="value(name)"
The Workload Identity Pool ID is in the format:
projects/123456789/locations/global/workloadIdentityPools/mint-pool
Replace <WORKLOAD_IDENTITY_POOL_ID> below with this value.
Create a Workload Identity Provider in the pool:
gcloud iam workload-identity-pools providers create-oidc "mint" \
--project="<PROJECT_ID>" \
--location="global" \
--workload-identity-pool="mint-pool" \
--display-name="Mint OIDC Provider" \
--attribute-mapping="google.subject=assertion.sub" \
--attribute-condition="google.subject == '<SUBJECT_ATTRIBUTE_VALUE>'" \
--issuer-uri="https://cloud.rwx.com/mint"
Get the full Workload Identity Provider ID:
gcloud iam workload-identity-pools providers describe "mint" \
--project="<PROJECT_ID>" \
--location="global" \
--workload-identity-pool="mint-pool" \
--format="value(name)"
The Workload Identity Provider ID is in the format:
projects/123456789/locations/global/workloadIdentityPools/mint-pool/providers/mint
Use this value for the workload-identity-provider parameter in the google-cloud/auth-oidc leaf.
The Workload Identity Provider ID can be used to generate the default audience when setting up the OIDC token in your Mint vault by prefixing it with //iam.googleapis.com. It can be found using the gcloud CLI:
echo "//iam.googleapis.com/$(gcloud iam workload-identity-pools providers describe 'mint' \
--project='<PROJECT_ID>' \
--location='global' \
--workload-identity-pool='mint-pool' \
--format='value(name)')"
//iam.googleapis.com/<WORKLOAD_IDENTITY_POOL_ID>/providers/mint
If you're using the default audience, you may now add the OIDC token to your Mint Vault, using the value above as the audience.
If you've configured your provider to use a different audience, provide that value both to the google-cloud/auth-oidc leaf and as the audience for the Mint Vault OIDC token.
If you aren't using a Google Cloud Service Account, you may grant IAM permissions directly to the provider's federated principal. For example, this grants access to the secret my-secret:
gcloud secrets add-iam-policy-binding "my-secret" \
--project="<PROJECT_ID>" \
--role="roles/secretmanager.secretAccessor" \
--member="principalSet://iam.googleapis.com/<WORKLOAD_IDENTITY_POOL_ID>/subject/<SUBJECT_ATTRIBUTE_VALUE>"
Authenticating as a Service Account (optional)
When authenticating as a Google Cloud Service Account, access must be granted to allow the Mint OIDC provider to impersonate the account:
gcloud iam service-accounts add-iam-policy-binding "my-service-account@<PROJECT_ID>.iam.gserviceaccount.com" \
--project="<PROJECT_ID>" \
--role="roles/iam.workloadIdentityUser" \
--member="principal://iam.googleapis.com/<WORKLOAD_IDENTITY_POOL_ID>/subject/<SUBJECT_ATTRIBUTE_VALUE>"
Use the service account's email address as the value for the service-account parameter in the google-cloud/auth-oidc leaf.