Generate GCP access tokens from OIDC tokens
The GCP OIDC plugin generates a Google Cloud access token from your OIDC token and stores it in the output variable GCLOUD_ACCESS_TOKEN. You can also configure the plugin to generate a credentials.json file and then use that file to authenticate and generate a token. You can use the GCLOUD_ACCESS_TOKEN output variable or the credentials file in subsequent pipeline steps to control Google Cloud services through the API (cURL) or the gcloud CLI.
For general information about using plugins in CI pipelines, go to Explore plugins and Use Drone plugins.
Configure the GCP OIDC plugin
To use the GCP OIDC plugin, add a Plugin step to your CI pipeline. For example:
```yaml
- step:
    type: Plugin
    name: generate-token
    identifier: generate-token
    spec:
      connectorRef: account.harnessImage
      image: plugins/gcp-oidc
      settings:
        project_id: 12345678
        pool_id: 12345678
        service_account_email_id: some-email@email.com
        provider_id: service-account1
        duration: 7200
        create_application_credentials_file: false
```
To use the GCP OIDC plugin, configure the Plugin step settings as follows:
Key | Type | Description | Example value |
---|---|---|---|
connectorRef | String | Select a Docker connector. Harness uses this connector to pull the plugin image. | account.harnessImage |
image | String | Enter plugins/gcp-oidc. You can specify an optional architecture tag. For a list of available tags, go to the GCP OIDC plugin README. | plugins/gcp-oidc:linux-amd64 |
project_id | String | Your GCP project ID. | 12345678 |
pool_id | String | The pool ID for OIDC authentication. | 12345678 |
provider_id | String | The provider ID for OIDC authentication. | service-account1 |
service_account_email_id | String | The service account's email address. | some-email@email.com |
duration | String | The generated access token's lifetime in seconds. The default is 3600. The service account must have the iam.allowServiceAccountCredentialLifetimeExtension permission to set a custom duration. | 7200 |
create_application_credentials_file | Boolean | Set to true to generate an application_default_credentials.json file. This file is an alternative way to generate the token by calling the credentials file. The default is false. | true |
You can use variable expressions for plugin settings. For example, registry_username: <+stage.variables.service_account> references a stage variable called SERVICE_ACCOUNT.
Use the GCP token
The GCP OIDC plugin outputs the GCP token to the variable GCLOUD_ACCESS_TOKEN. You can reference this output variable in subsequent pipeline steps to control Google Cloud services through the API (cURL) or the gcloud CLI.
To reference this variable, use an expression such as <+steps.STEP_ID.output.outputVariables.GCLOUD_ACCESS_TOKEN>. Replace STEP_ID with the ID of the GCP OIDC plugin step, for example <+steps.generate_gcp_token.output.outputVariables.GCLOUD_ACCESS_TOKEN>.
Here's a YAML example of a Plugin step generating a GCP token and a Run step using that token.
```yaml
- step:
    type: Plugin
    name: generate-token
    identifier: generate_token
    spec:
      connectorRef: account.harnessImage
      image: plugins/gcp-oidc
      settings:
        project_id: 12345678
        pool_id: 12345678
        service_account_email_id: some-email@email.com
        provider_id: service-account1
        duration: 7200
        create_application_credentials_file: false
- step:
    type: Run
    name: list compute engine zone
    identifier: list_zones
    spec:
      shell: Sh
      command: |-
        curl -H "Authorization: Bearer <+steps.generate_token.output.outputVariables.GCLOUD_ACCESS_TOKEN>" \
          "https://compute.googleapis.com/compute/v1/projects/my-cool-project/zones/some-zone/instances"
```
Get token from credentials file
If you set create_application_credentials_file to true, run the following commands to authenticate and get the access token using the credentials file:
```sh
gcloud auth login --brief --cred-file <+execution.steps.STEP_ID.output.outputVariables.GOOGLE_APPLICATION_CREDENTIALS>
gcloud config config-helper --format="json(credential)"
```
The first command authenticates and the second command generates the access token.
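As an added example (not the plugin's own code), the following Python builds the Workload Identity Federation external_account credential config that corresponds to the plugin settings above, in the shape that gcloud's create-cred-config command emits, and checks that an OIDC token's aud claim matches the provider's default allowed audience before any exchange is attempted. The OIDC token file path and the sample token are assumptions constructed for the example.

```python
import base64
import json

STS_TOKEN_URL = "https://sts.googleapis.com/v1/token"
DEFAULT_LIFETIME = 3600  # plugin default; longer lifetimes need the lifetime-extension permission


def provider_resource(project_id, pool_id, provider_id):
    """Resource name of the workload identity provider; used as the STS exchange audience."""
    return (f"//iam.googleapis.com/projects/{project_id}/locations/global/"
            f"workloadIdentityPools/{pool_id}/providers/{provider_id}")


def build_credential_config(settings, oidc_token_file="/tmp/oidc-token"):
    """Build the external_account config (application_default_credentials.json shape) from the
    plugin step's settings dict. oidc_token_file is an assumed path, not a plugin setting."""
    cfg = {
        "type": "external_account",
        "audience": provider_resource(settings["project_id"], settings["pool_id"], settings["provider_id"]),
        "subject_token_type": "urn:ietf:params:oauth:token-type:jwt",
        "token_url": STS_TOKEN_URL,
        "service_account_impersonation_url": (
            "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/"
            f"{settings['service_account_email_id']}:generateAccessToken"),
        "credential_source": {"file": oidc_token_file},
    }
    lifetime = int(settings.get("duration", DEFAULT_LIFETIME))
    if lifetime != DEFAULT_LIFETIME:
        # Only emitted for a non-default duration; values above 3600 need the extension permission.
        cfg["service_account_impersonation"] = {"token_lifetime_seconds": lifetime}
    return cfg


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_sample_jwt(aud):
    """Constructed, unsigned sample OIDC token for offline testing only."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"iss": "https://example.invalid", "aud": aud, "sub": "pipeline"}).encode())
    return f"{header}.{payload}."


def check_oidc_audience(jwt, settings):
    """Decode the payload without verifying the signature (the STS endpoint does that) and confirm
    'aud' equals the provider's default allowed audience, 'https:' + the provider resource name."""
    payload_b64 = jwt.split(".")[1]
    payload = json.loads(base64.urlsafe_b64decode(payload_b64 + "=" * (-len(payload_b64) % 4)))
    expected = "https:" + provider_resource(settings["project_id"], settings["pool_id"], settings["provider_id"])
    aud = payload.get("aud")
    return expected in (aud if isinstance(aud, list) else [aud])
```

A mismatched aud is rejected by the STS exchange before any GCP token is issued, so this check localises the most common misconfiguration to the pipeline step rather than to a failed API call later.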