Adds the required field spec.projectID for ProviderConfig creation … #320

Merged
20 changes: 18 additions & 2 deletions package/auth.yaml
Expand Up @@ -33,6 +33,7 @@ sources:
ref: spec.credentials.secretRef
showFields:
- spec.credentials.secretRef
- spec.projectID
Contributor Author

@jastang jastang Jun 15, 2023

@ulucinar @sergenyalcin for context, this and L93 are the core fix.

Everything else is a quick refresh of the configurable documentation that this enables in the Console - I acknowledge that the content is not optimal, but it addresses some gaps in the OIDC configuration process for the user which we will iterate on.

- name: Upbound
docs: |
# OpenID Connect (OIDC)
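Review bot: the new `- spec.projectID` entry under `showFields` surfaces the field in the Console form, but nothing in the `docs:` block that follows tells the user what value goes there or where to find it in GCP; since the PR title says the field is required, consider a one-line addition to the docs text (for example, "Enter the ID of the GCP project the provider should manage resources in") so the form does not present an unexplained required field.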
Expand All @@ -54,7 +55,7 @@ sources:
1. Select **Add a provider to pool** and then select **OpenID Connect (OIDC)** with the following details.
```
Provider Name: upbound-oidc-provider
Provider ID: upbound-oidc-provider-id
Provider ID: upbound-oidc-provider (by default, this will be the same as the provider name)
Issuer (URL): https://proidc.upbound.io
```
2. Select **Allowed audiences** and add `sts.googleapis.com` for **Audience 1**.
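Review bot: the parenthetical on the changed `Provider ID:` line sits inside a fenced code block, so a user copying the block into the GCP form will paste `upbound-oidc-provider (by default, this will be the same as the provider name)` as the ID; keep only `Provider ID: upbound-oidc-provider` inside the fence and move the "by default, this will be the same as the provider name" note to the prose around it.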
Expand All @@ -70,8 +71,23 @@ sources:
```
google.subject.contains("mcp:<ORGANIZATION_NAME>")
```

## Create and grant access to service account

To access GCP resources, pool identities will need to be granted access to a service account.
The service account email will be used to create the ProviderConfig.

Create the service account by following the steps in [Create a GCP Service Account](https://docs.upbound.io/quickstart/gcp-deploy/#create-a-gcp-service-account).

To add the service account to the Workload Identity pool:

1. Return to the Workload Identity Federation page and select your pool.
2. Near the top of the page select Grant Access.
3. Select the new service account, upbound-service-account.
4. Under Select principals use All identities in the pool.

See the [Upbound documentation](https://docs.upbound.io/quickstart/gcp-deploy/#connect-to-gcp-with-oidc)
for more information on configuring OIDC with Upbound and GCP.
showFields:
- spec.credentials.upbound
- spec.credentials.upbound
- spec.projectID
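Review bot: step 4 grants the service account to "All identities in the pool", so the only thing limiting which external identities can impersonate `upbound-service-account` is the attribute condition `google.subject.contains("mcp:<ORGANIZATION_NAME>")` shown earlier in this hunk; the new section should say so explicitly and tell the reader to confirm that condition is set on the pool before granting access, otherwise the grant is wider than intended. Two smaller points: step 3 hard-codes the name `upbound-service-account`, so if the linked "Create a GCP Service Account" guide lets users choose a name, "the service account you created" would be more accurate; and the UI element names in steps 2-4 (Grant Access, Select principals, All identities in the pool) are not bolded, unlike **Add a provider to pool** and **Allowed audiences** in the earlier steps of the same docs block.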