#!/bin/bash
# Copyright 2021 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# This is a largely shared setup file, used to ensure that the workload
# identity federation integration tests are set up consistently across the
# languages of our various client libraries. It assumes that the current user
# has the permissions required to run each of the commands listed below.
# This script needs to be run once. It does the following:
# 1. Creates a workload identity pool with a random ID.
# 2. Creates an OIDC provider with a random ID in that pool, which uses
#    accounts.google.com as the issuer and the default STS audience as the
#    allowed audience. This audience is validated on STS token exchange.
# 3. Allows OIDC tokens generated by the current service account to
#    impersonate the service account (the principal is identified by the OIDC
#    token's sub field, which is the service account's client ID).
# 4. Creates an AWS provider with a random ID in that pool, which uses the
#    provided AWS account ID.
# 5. Allows the AWS provider to impersonate the service account (the principal
#    is identified by the AWS role name).
# 6. Prints the STS audience fields associated with the created providers
#    once the setup completes successfully, so that they can be used in the
#    tests. They are copied into the global _AUDIENCE_OIDC and
#    _AUDIENCE_AWS constants in system_tests/system_tests_sync/test_external_accounts.py.
#
# It is safe to run the setup script again: a new pool is created and new
# audiences are printed. If it is run multiple times, it is advisable to
# delete the unused pools. Note that deleted pools are only soft-deleted and
# may remain for a while before they are completely removed; the old pool ID
# cannot be reused in the meantime.
| 43 | # |
# For the AWS tests, an AWS developer account is needed.
# The following AWS prerequisite setup is required:
# 1. An OIDC Google identity provider must be created with:
#    issuer: accounts.google.com
#    audience: the client_id of the service account.
# 2. A role for OIDC web identity federation is needed, with the created
#    Google provider as a trusted entity:
#    "accounts.google.com:aud": "$CLIENT_ID"
# The steps are documented at:
# https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-idp_oidc.html
| 55 | suffix="" |
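#######################################
# Append random lowercase alphanumeric characters to the global `suffix`.
# The suffix only makes pool/provider IDs unique across runs, so bash's
# non-cryptographic $RANDOM is adequate here; it is not suitable for secrets.
# Globals:   suffix (appended to)
# Arguments: $1 - number of characters to append (optional, default 8)
# Returns:   0
#######################################
generate_random_string() {
  local -r valid_chars=abcdefghijklmnopqrstuvwxyz0123456789
  local -r count=${1:-8}
  local i
  for (( i = 0; i < count; i++ )); do
    # The offset RANDOM % ${#valid_chars} selects one character of the alphabet.
    suffix+="${valid_chars:RANDOM%${#valid_chars}:1}"
  done
}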
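#######################################
# Print a message to stderr and abort the setup.
# Arguments: $* - message
#######################################
die() {
  printf 'error: %s\n' "$*" >&2
  exit 1
}

generate_random_string

# One random suffix is shared by the pool and both providers, so every run
# produces a fresh, non-colliding set of resources.
pool_id="pool-${suffix}"
oidc_provider_id="oidc-${suffix}"
aws_provider_id="aws-${suffix}"

# Environment-specific values: the Google Cloud project that owns the pool,
# the AWS account/role used by the AWS provider tests, and the service
# account (plus its OIDC subject, i.e. its client ID) that the federated
# identities are allowed to impersonate. Adjust these for a new project.
project_id="stellar-day-254222"
project_number="79992041559"
aws_account_id="077071391996"
aws_role_name="ci-python-test"
service_account_email="kokoro@stellar-day-254222.iam.gserviceaccount.com"
sub="104692443208068386138"

# Abort before any resource is created or any IAM binding is granted if one
# of the values is empty: the member strings below are built from them and
# an empty field would produce a malformed principal.
for required_var in project_id project_number aws_account_id aws_role_name \
                    service_account_email sub; do
  [[ -n "${!required_var}" ]] || die "${required_var} must be set"
done

oidc_aud="//iam.googleapis.com/projects/${project_number}/locations/global/workloadIdentityPools/${pool_id}/providers/${oidc_provider_id}"
aws_aud="//iam.googleapis.com/projects/${project_number}/locations/global/workloadIdentityPools/${pool_id}/providers/${aws_provider_id}"

# NOTE: this changes the active project in the caller's gcloud configuration
# and that change persists after the script exits.
gcloud config set project "${project_id}" \
  || die "failed to set gcloud project ${project_id}"

# Create the Workload Identity Pool. Every later step depends on it, so a
# failure here must stop the script instead of leaving half-configured IAM.
gcloud beta iam workload-identity-pools create "${pool_id}" \
  --location="global" \
  --description="Test pool" \
  --display-name="Test pool for Python" \
  || die "failed to create workload identity pool ${pool_id}"

# Create the OIDC Provider. google.subject is mapped from the token's sub
# claim, which is what the principal:// binding below matches on.
gcloud beta iam workload-identity-pools providers create-oidc "${oidc_provider_id}" \
  --workload-identity-pool="${pool_id}" \
  --issuer-uri="https://accounts.google.com" \
  --location="global" \
  --attribute-mapping="google.subject=assertion.sub" \
  || die "failed to create OIDC provider ${oidc_provider_id}"

# Create the AWS Provider, scoped to the single AWS account above.
gcloud beta iam workload-identity-pools providers create-aws "${aws_provider_id}" \
  --workload-identity-pool="${pool_id}" \
  --account-id="${aws_account_id}" \
  --location="global" \
  || die "failed to create AWS provider ${aws_provider_id}"

# Give permission to impersonate the service account. Each binding grants
# roles/iam.workloadIdentityUser to exactly one principal in the new pool:
# first the OIDC subject (the service account's client ID), then identities
# from the AWS provider whose aws_role attribute is the assumed-role ARN of
# the named role in the configured AWS account.
gcloud iam service-accounts add-iam-policy-binding "${service_account_email}" \
  --role roles/iam.workloadIdentityUser \
  --member "principal://iam.googleapis.com/projects/${project_number}/locations/global/workloadIdentityPools/${pool_id}/subject/${sub}" \
  || die "failed to bind OIDC subject ${sub} to ${service_account_email}"

gcloud iam service-accounts add-iam-policy-binding "${service_account_email}" \
  --role roles/iam.workloadIdentityUser \
  --member "principalSet://iam.googleapis.com/projects/${project_number}/locations/global/workloadIdentityPools/${pool_id}/attribute.aws_role/arn:aws:sts::${aws_account_id}:assumed-role/${aws_role_name}" \
  || die "failed to bind AWS role ${aws_role_name} to ${service_account_email}"

# Print the values the tests need; these are only reached if every step above
# succeeded, so they always refer to resources that actually exist.
printf 'OIDC audience: %s\n' "${oidc_aud}"
printf 'AWS audience: %s\n' "${aws_aud}"
printf 'AWS role: arn:aws:iam::%s:role/%s\n' "${aws_account_id}" "${aws_role_name}"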