scripts/workloadidentityfederation-setup.sh - platform/external/google-auth-library-java - Git at Google

 #!/bin/bash

 # Copyright 2021 Google LLC
 #
 # Redistribution and use in source and binary forms, with or without
 # modification, are permitted provided that the following conditions are
 # met:
 #
 #    * Redistributions of source code must retain the above copyright
 # notice, this list of conditions and the following disclaimer.
 #    * Redistributions in binary form must reproduce the above
 # copyright notice, this list of conditions and the following disclaimer
 # in the documentation and/or other materials provided with the
 # distribution.
 #    * Neither the name of Google LLC nor the names of its
 # contributors may be used to endorse or promote products derived from
 # this software without specific prior written permission.
 #
 # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
 # "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
 # LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
 # A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
 # OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
 # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
 # LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
 # DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
 # THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 # (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

 # This script is used to generate the project configurations needed to
 # end-to-end test workload identity pools in the Auth library, specifically
 # OIDC-based credentials and AWS credentials. This script only needs to be ran once.
 #
 # In order to run this script, the GOOGLE_APPLICATION_CREDENTIALS environment
 # variable needs to be set to point to a service account key file.
 # Additional fields must be provided in this file.
 # Detailed instructions are documented below.
 #
 # GCP project changes:
 # --------------------
 # The following IAM roles need to be set on the service account:
 # 1. IAM Workload Identity Pool Admin (needed to create resources for workload
 #    identity pools).
 # 2. Security Admin (needed to get and set IAM policies).
 # 3. Service Account Token Creator (needed to generate Google ID tokens and
 #    access tokens).
 #
 # The following APIs need to be enabled on the project:
 # 1. Identity and Access Management (IAM) API.
 # 2. IAM Service Account Credentials API.
 # 3. Cloud Resource Manager API.
 # 4. The API being accessed in the test, eg. DNS.
 #
 # AWS developer account changes:
 # ------------------------------
 # For testing AWS credentials, the following are needed:
 # 1. An AWS developer account is needed. The account ID will need to
 #    be provided in the configuration object below.
 # 2. A role for web identity federation. This will also need to be provided
 #    in the configuration object below.
 #    - An OIDC Google identity provider needs to be created with the following:
 #      issuer: accounts.google.com
 #      audience: Use the client_id of the service account.
 #    - A role for OIDC web identity federation is needed with the created
 #      Google provider as a trusted entity:
 #      "accounts.google.com:aud": "$CLIENT_ID"
 #    The role creation steps are documented at:
 #    https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-idp_oidc.html
 #
 # This script needs to be run once. It will do the following:
 # 1. Create a random workload identity pool.
 # 2. Create a random OIDC provider in that pool which uses the
 # 3. Enable OIDC tokens generated by the current service account to impersonate
 #    the service account. (Identified by the OIDC token sub field which is the
 #    service account client ID).
 # 4. Create a random AWS provider in that pool which uses the provided AWS
 #    account ID.
 # 5. Enable AWS provider to impersonate the service account. (Principal is
 #    identified by the AWS role name).
 # 6. Print out the STS audience fields associated with the created providers
 #    and AWS role name/arn after the setup completes successfully so that
 #    they can be used in the tests.
 #
 # The same service account used for this setup script should be used for
 # the test script.
 #
 # It is safe to run the setup script again. A new pool is created and new
 # audiences are printed. If run multiple times, it is advisable to delete
 # unused pools. Note that deleted pools are soft deleted and may remain for
 # a while before they are completely deleted. The old pool ID cannot be used
 # in the meantime.

 suffix=""

 function generate_random_string () {
   local valid_chars=abcdefghijklmnopqrstuvwxyz0123456789
   for i in {1..8} ; do
     suffix+="${valid_chars:RANDOM%${#valid_chars}:1}"
     done
 }

 generate_random_string

 pool_id="pool-"${suffix}
 oidc_provider_id="oidc-"${suffix}
 aws_provider_id="aws-"${suffix}

 # Fill in.
 project_id=""
 project_number=""
 aws_account_id=""
 aws_role_name=""
 service_account_email=""
 sub=""; # client_id from service account key file

 oidc_aud="//iam.googleapis.com/projects/${project_number}/locations/global/workloadIdentityPools/${pool_id}/providers/${oidc_provider_id}"
 aws_aud="//iam.googleapis.com/projects/${project_number}/locations/global/workloadIdentityPools/${pool_id}/providers/${aws_provider_id}"

 gcloud config set project ${project_id}

 # Create the Workload Identity Pool.
 gcloud beta iam workload-identity-pools create ${pool_id} \
     --location="global" \
     --description="Test pool" \
     --display-name="Test pool for Java"

 # Create the OIDC Provider.
 gcloud beta iam workload-identity-pools providers create-oidc ${oidc_provider_id} \
     --workload-identity-pool=${pool_id} \
     --issuer-uri="https://accounts.google.com" \
     --location="global" \
     --attribute-mapping="google.subject=assertion.sub"

 # Create the AWS Provider.
 gcloud beta iam workload-identity-pools providers create-aws ${aws_provider_id} \
     --workload-identity-pool=${pool_id} \
     --account-id=${aws_account_id} \
     --location="global"

 # Give permission to impersonate the service account.
 gcloud iam service-accounts add-iam-policy-binding ${service_account_email} \
 --role roles/iam.workloadIdentityUser \
 --member "principal://iam.googleapis.com/projects/${project_number}/locations/global/workloadIdentityPools/${pool_id}/subject/${sub}"

 gcloud iam service-accounts add-iam-policy-binding ${service_account_email} \
   --role roles/iam.workloadIdentityUser \
   --member "principalSet://iam.googleapis.com/projects/${project_number}/locations/global/workloadIdentityPools/${pool_id}/attribute.aws_role/arn:aws:sts::${aws_account_id}:assumed-role/${aws_role_name}"

 echo "OIDC audience:"${oidc_aud}
 echo "AWS audience:"${aws_aud}
 echo "AWS role name:"${aws_role_name}
 echo "AWS role ARN: arn:aws:iam::${aws_account_id}:role/${aws_role_name}"
	#!/bin/bash

	# Copyright 2021 Google LLC
	#
	# Redistribution and use in source and binary forms, with or without
	# modification, are permitted provided that the following conditions are
	# met:
	#
	# * Redistributions of source code must retain the above copyright
	# notice, this list of conditions and the following disclaimer.
	# * Redistributions in binary form must reproduce the above
	# copyright notice, this list of conditions and the following disclaimer
	# in the documentation and/or other materials provided with the
	# distribution.
	# * Neither the name of Google LLC nor the names of its
	# contributors may be used to endorse or promote products derived from
	# this software without specific prior written permission.
	#
	# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
	# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
	# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
	# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
	# OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
	# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
	# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
	# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
	# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
	# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
	# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

	# This script is used to generate the project configurations needed to
	# end-to-end test workload identity pools in the Auth library, specifically
	# OIDC-based credentials and AWS credentials. This script only needs to be ran once.
	#
	# In order to run this script, the GOOGLE_APPLICATION_CREDENTIALS environment
	# variable needs to be set to point to a service account key file.
	# Additional fields must be provided in this file.
	# Detailed instructions are documented below.
	#
	# GCP project changes:
	# --------------------
	# The following IAM roles need to be set on the service account:
	# 1. IAM Workload Identity Pool Admin (needed to create resources for workload
	# identity pools).
	# 2. Security Admin (needed to get and set IAM policies).
	# 3. Service Account Token Creator (needed to generate Google ID tokens and
	# access tokens).
	#
	# The following APIs need to be enabled on the project:
	# 1. Identity and Access Management (IAM) API.
	# 2. IAM Service Account Credentials API.
	# 3. Cloud Resource Manager API.
	# 4. The API being accessed in the test, eg. DNS.
	#
	# AWS developer account changes:
	# ------------------------------
	# For testing AWS credentials, the following are needed:
	# 1. An AWS developer account is needed. The account ID will need to
	# be provided in the configuration object below.
	# 2. A role for web identity federation. This will also need to be provided
	# in the configuration object below.
	# - An OIDC Google identity provider needs to be created with the following:
	# issuer: accounts.google.com
	# audience: Use the client_id of the service account.
	# - A role for OIDC web identity federation is needed with the created
	# Google provider as a trusted entity:
	# "accounts.google.com:aud": "$CLIENT_ID"
	# The role creation steps are documented at:
	# https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-idp_oidc.html
	#
	# This script needs to be run once. It will do the following:
	# 1. Create a random workload identity pool.
	# 2. Create a random OIDC provider in that pool which uses the
	# 3. Enable OIDC tokens generated by the current service account to impersonate
	# the service account. (Identified by the OIDC token sub field which is the
	# service account client ID).
	# 4. Create a random AWS provider in that pool which uses the provided AWS
	# account ID.
	# 5. Enable AWS provider to impersonate the service account. (Principal is
	# identified by the AWS role name).
	# 6. Print out the STS audience fields associated with the created providers
	# and AWS role name/arn after the setup completes successfully so that
	# they can be used in the tests.
	#
	# The same service account used for this setup script should be used for
	# the test script.
	#
	# It is safe to run the setup script again. A new pool is created and new
	# audiences are printed. If run multiple times, it is advisable to delete
	# unused pools. Note that deleted pools are soft deleted and may remain for
	# a while before they are completely deleted. The old pool ID cannot be used
	# in the meantime.

	suffix=""

	function generate_random_string () {
	local valid_chars=abcdefghijklmnopqrstuvwxyz0123456789
	for i in {1..8} ; do
	suffix+="${valid_chars:RANDOM%${#valid_chars}:1}"
	done
	}

	generate_random_string

	pool_id="pool-"${suffix}
	oidc_provider_id="oidc-"${suffix}
	aws_provider_id="aws-"${suffix}

	# Fill in.
	project_id=""
	project_number=""
	aws_account_id=""
	aws_role_name=""
	service_account_email=""
	sub=""; # client_id from service account key file

	oidc_aud="//iam.googleapis.com/projects/${project_number}/locations/global/workloadIdentityPools/${pool_id}/providers/${oidc_provider_id}"
	aws_aud="//iam.googleapis.com/projects/${project_number}/locations/global/workloadIdentityPools/${pool_id}/providers/${aws_provider_id}"

	gcloud config set project ${project_id}

	# Create the Workload Identity Pool.
	gcloud beta iam workload-identity-pools create ${pool_id} \
	--location="global" \
	--description="Test pool" \
	--display-name="Test pool for Java"

	# Create the OIDC Provider.
	gcloud beta iam workload-identity-pools providers create-oidc ${oidc_provider_id} \
	--workload-identity-pool=${pool_id} \
	--issuer-uri="https://accounts.google.com" \
	--location="global" \
	--attribute-mapping="google.subject=assertion.sub"

	# Create the AWS Provider.
	gcloud beta iam workload-identity-pools providers create-aws ${aws_provider_id} \
	--workload-identity-pool=${pool_id} \
	--account-id=${aws_account_id} \
	--location="global"

	# Give permission to impersonate the service account.
	gcloud iam service-accounts add-iam-policy-binding ${service_account_email} \
	--role roles/iam.workloadIdentityUser \
	--member "principal://iam.googleapis.com/projects/${project_number}/locations/global/workloadIdentityPools/${pool_id}/subject/${sub}"

	gcloud iam service-accounts add-iam-policy-binding ${service_account_email} \
	--role roles/iam.workloadIdentityUser \
	--member "principalSet://iam.googleapis.com/projects/${project_number}/locations/global/workloadIdentityPools/${pool_id}/attribute.aws_role/arn:aws:sts::${aws_account_id}:assumed-role/${aws_role_name}"

	echo "OIDC audience:"${oidc_aud}
	echo "AWS audience:"${aws_aud}
	echo "AWS role name:"${aws_role_name}
	echo "AWS role ARN: arn:aws:iam::${aws_account_id}:role/${aws_role_name}"