Authentication overview

Learn how workload identity pools and providers are used for GitLab authentication to Google services without the use of service account keys.

This document is useful for platform administrators who want to adhere to best practices and make sure that GitLab processes use Google Cloud services securely.

To get started with the GitLab on Google Cloud integration, see the GitLab tutorial Set up GitLab on Google Cloud integration.

Why identity federation?

Traditionally, applications running outside Google Cloud use service account keys to access Google Cloud resources. However, a service account key is a long-lived bearer credential: anyone who obtains the key file can act as the service account until the key is revoked, so keys present a security risk if they are not distributed, rotated and revoked carefully.

With identity federation, you can use Identity and Access Management (IAM) to grant external identities IAM roles directly, without requiring service accounts. The external workload exchanges a short-lived token issued by its own identity provider (for GitLab, the OIDC ID token of a CI/CD job) for a short-lived Google Cloud access token, so no long-lived Google Cloud secret is stored in GitLab. This approach eliminates the maintenance and security burden associated with service accounts and their keys.

Workload identity pools

A workload identity pool is an entity that lets you manage external identities.

The GitLab on Google Cloud integration walks you through setting up a workload identity pool in order to authenticate to Google Cloud. This setup includes an attribute mapping that copies claims from the OIDC token GitLab issues to a CI/CD job (for example the project path, the namespace path and the user's access level) into attributes of the pool; your Google Cloud IAM policy bindings then reference those attributes to decide which jobs receive which roles. For a full list of available GitLab attributes for the GitLab on Google Cloud integration, see OIDC custom claims in the GitLab documentation.

Workload identity pool providers

A workload identity pool provider is an entity that describes the relationship between Google Cloud and your identity provider (IdP): it records the IdP's issuer URL, which Google Cloud uses to fetch the IdP's public signing keys and verify the tokens presented to it, together with the accepted token audience and the attribute mapping. GitLab is the IdP for your workload identity pool in the GitLab on Google Cloud integration.

For more information on identity federation for external workloads, see Workload identity federation.

The default GitLab on Google Cloud integration assumes you want to set up authentication from GitLab to Google Cloud at the GitLab organization level, so that the mapping applies to every project in the organization. If you want to control access to Google Cloud on a per-project basis, you must write the IAM policy bindings for your workload identity pool provider so that they match only the attributes of the intended project (for example its project path), rather than any token issued within the organization. For more information on controlling who can access Google Cloud from your GitLab organization, see Access control with IAM.
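The pool, provider and per-project binding described in the two sections above, as an added example that is not part of this page or of the GitLab integration's own setup flow. Every value below is an assumption: the Google Cloud project ID and number, the pool and provider IDs, the GitLab URL, group and project paths, the allowed audience (it must equal the aud claim GitLab places in the job's ID token) and the granted role. The attribute mapping copies the sub, project_path, namespace_path and user_access_level claims from GitLab's OIDC token; the attribute condition rejects tokens from any other GitLab namespace at exchange time, and the IAM binding is scoped to one project path rather than to the whole group.

```shell
#!/bin/sh
# Added example, not code from Google Cloud or GitLab. Sets up a workload
# identity pool and a GitLab OIDC provider, then grants a role only to CI/CD
# jobs of one GitLab project. Every ID, path, audience and role is assumed.
set -eu

PROJECT_ID="${PROJECT_ID:-my-gcp-project}"            # assumed Google Cloud project ID
PROJECT_NUMBER="${PROJECT_NUMBER:-123456789012}"      # assumed project number (principalSet needs the number)
POOL_ID="${POOL_ID:-gitlab-pool}"                     # assumed pool ID
PROVIDER_ID="${PROVIDER_ID:-gitlab-provider}"         # assumed provider ID
GITLAB_URL="${GITLAB_URL:-https://gitlab.com}"        # assumed; self-managed instances use their own URL
GITLAB_GROUP="${GITLAB_GROUP:-my-group}"              # assumed top-level group (the "organization")
GITLAB_PROJECT="${GITLAB_PROJECT:-my-group/my-app}"   # assumed project allowed to use the role
ROLE="${ROLE:-roles/storage.objectViewer}"            # assumed least-privilege role for the job

# Commands run only with APPLY=1; by default they are printed, so the script
# can be reviewed (and run) without gcloud or Google Cloud credentials.
run() {
  if [ "${APPLY:-0}" = "1" ]; then "$@"; else printf '+ %s\n' "$*"; fi
}

# Copies the GitLab ID-token claims that the IAM policy will reference into
# pool attributes. google.subject is mandatory; the rest are attribute.* entries.
attribute_mapping() {
  printf '%s' "google.subject=assertion.sub,attribute.project_path=assertion.project_path,attribute.namespace_path=assertion.namespace_path,attribute.user_access_level=assertion.user_access_level"
}

# Provider-level CEL condition: tokens issued for any other GitLab namespace are
# rejected during the token exchange, before any IAM binding is consulted.
attribute_condition() {
  printf "assertion.namespace_path == '%s' || assertion.namespace_path.startsWith('%s/')" \
    "$GITLAB_GROUP" "$GITLAB_GROUP"
}

# Builds the principalSet member that matches one attribute value in the pool.
principal_set() { # $1 = attribute name, $2 = attribute value
  printf 'principalSet://iam.googleapis.com/projects/%s/locations/global/workloadIdentityPools/%s/attribute.%s/%s' \
    "$PROJECT_NUMBER" "$POOL_ID" "$1" "$2"
}

run gcloud iam workload-identity-pools create "$POOL_ID" \
  --project="$PROJECT_ID" --location=global --display-name="GitLab"

run gcloud iam workload-identity-pools providers create-oidc "$PROVIDER_ID" \
  --project="$PROJECT_ID" --location=global --workload-identity-pool="$POOL_ID" \
  --issuer-uri="$GITLAB_URL" \
  --allowed-audiences="$GITLAB_URL" \
  --attribute-mapping="$(attribute_mapping)" \
  --attribute-condition="$(attribute_condition)"

# Per-project access control: the role is bound to tokens whose project_path
# attribute equals the one project, not to every job in the group.
run gcloud projects add-iam-policy-binding "$PROJECT_ID" \
  --role="$ROLE" \
  --member="$(principal_set project_path "$GITLAB_PROJECT")"
```

Run the script once to review the printed gcloud commands, then with APPLY=1 to execute them. Binding to attribute.project_path is the per-project control the section above refers to; a binding on attribute.namespace_path (or on the whole pool) would instead grant the role to every project in the group, which is the organization-level default.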

GitLab authentication with workload identity federation

After your workload identity pool and provider are set up to map your GitLab roles and permissions to IAM roles, users can provision runners to deploy workloads from GitLab to Google Cloud by setting the identity keyword to google_cloud on the CI/CD job that needs Google Cloud access. The job then authenticates to Google Cloud through the pool with a short-lived token that is valid only for the duration of the job, and no service account key needs to be stored in GitLab.

For more information on provisioning runners using the GitLab on Google Cloud integration, see the GitLab tutorial Provisioning runners in Google Cloud.

What's next