Setup Federation for GCP
This module provisions the IAM resources in GCP that Kosmos needs to authenticate via OIDC (workload identity federation) and create GKE clusters. It includes:
- A service account for Kosmos to impersonate using its OIDC token.
- The IAM roles required for cluster creation, bound to that service account.
- (Optional, when `create_pool` is `true`) A workload identity pool and provider, for projects that do not already have one.
Variables
Required Variables
| Variable | Description |
|---|---|
| `oidc_issuer_uri` | (Required) Issuer URL of the OIDC provider, used to create the workload identity provider in GCP. GCP validates Kosmos tokens against the issuer's discovery document and JWKS, so this URL must be reachable from Google. |
| `oidc_client_id` | (Required) Client ID of the OIDC provider; used to configure the accepted audience of the workload identity provider in GCP. |
| `gke_project_id` | (Required) GCP project ID where the workload identity pool resides and where new Kosmos-managed GKE clusters will be created. |
| `fleet_name` | (Required) Name of the Kosmos fleet. Used as a resource identifier and for subject matching in tokens, so only tokens issued for this fleet can impersonate the service account. It must match the fleet name configured in Kosmos exactly. |
Optional Variables
| Variable | Description | Default Value |
|---|---|---|
| `service_account_name_prefix` | Prefix for the service account created by this module. | `kosmos-operator` |
| `workload_identity_pool_name` | When `create_pool` is `false`, the name of the existing workload identity pool to use (required in that case). When `create_pool` is `true`, the prefix of the pool to create. | `kosmos-pool` |
| `workload_identity_provider_name` | When `create_pool` is `false`, the name of the existing workload identity provider to use (required in that case). When `create_pool` is `true`, the prefix of the provider to create. | `kosmos-prov` |
| `create_pool` | Whether to create a new workload identity pool and provider instead of using existing ones. | `false` |
Outputs
| Output Variable | Description |
|---|---|
| `workload_identity_pool_id` | Workload identity pool that contains the Kosmos OIDC provider entry. |
| `workload_identity_pool_provider_id` | Workload identity provider within the pool for Kosmos OIDC. |
| `service_account_email` | Email of the service account that Kosmos impersonates when creating GKE clusters. |
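To make concrete what the resources described above look like underneath the module, the following is an added, illustrative Terraform definition. It is not the module's own source: the claim layout of the Kosmos OIDC token (assumed here: `sub` carries the fleet name), the service account naming, and the project-level role list are assumptions that must be checked against the real token and the module's code. The security-relevant parts are the `attribute_condition` on the provider, which rejects tokens from the trusted issuer that are not for this fleet, and the `principalSet` binding, which limits impersonation to principals carrying the matching fleet attribute.

```hcl
# Added example of the resources a module like this provisions.
# Assumed: the Kosmos token's `sub` claim equals the fleet name and its
# `aud` claim equals oidc_client_id. Adjust the mapping if the real token differs.

locals {
  project_id  = "kosmos-dev"                                         # gke_project_id
  fleet_name  = "srin-project-abc"                                   # fleet_name, must match Kosmos
  pool_id     = "kosmos-pool"                                        # workload_identity_pool_name
  provider_id = "kosmos-prov"                                        # workload_identity_provider_name
  sa_prefix   = "kosmos-operator"                                    # service_account_name_prefix
  issuer_uri  = "https://console.kosmos.spcplatform.com/kosmos-oidc" # oidc_issuer_uri
  client_id   = "kosmos-operator"                                    # oidc_client_id
}

# principalSet members need the numeric project number, not the project ID.
data "google_project" "gke" {
  project_id = local.project_id
}

resource "google_iam_workload_identity_pool" "kosmos" {
  project                   = local.project_id
  workload_identity_pool_id = local.pool_id
}

resource "google_iam_workload_identity_pool_provider" "kosmos" {
  project                            = local.project_id
  workload_identity_pool_id          = google_iam_workload_identity_pool.kosmos.workload_identity_pool_id
  workload_identity_pool_provider_id = local.provider_id

  oidc {
    issuer_uri        = local.issuer_uri
    allowed_audiences = [local.client_id] # tokens with any other `aud` are rejected
  }

  # Map the token's subject into Google's subject and expose it as a custom
  # attribute so IAM bindings can select on it. Assumed claim layout: sub == fleet name.
  attribute_mapping = {
    "google.subject"  = "assertion.sub"
    "attribute.fleet" = "assertion.sub"
  }

  # Reject every token whose subject is not this fleet, even though it comes
  # from the trusted issuer. This is the "subject matching" fleet_name is used for.
  attribute_condition = "assertion.sub == \"${local.fleet_name}\""
}

resource "google_service_account" "kosmos" {
  project      = local.project_id
  account_id   = substr("${local.sa_prefix}-${local.fleet_name}", 0, 30) # assumed naming; account_id is capped at 30 chars
  display_name = "Kosmos operator for fleet ${local.fleet_name}"
}

# Only identities from this pool carrying attribute.fleet == fleet_name may
# impersonate the service account. A pool-wide binding (no attribute selector)
# would let any fleet's token impersonate it.
resource "google_service_account_iam_member" "kosmos_wif" {
  service_account_id = google_service_account.kosmos.name
  role               = "roles/iam.workloadIdentityUser"
  member             = "principalSet://iam.googleapis.com/projects/${data.google_project.gke.number}/locations/global/workloadIdentityPools/${google_iam_workload_identity_pool.kosmos.workload_identity_pool_id}/attribute.fleet/${local.fleet_name}"
}

# Project-level roles needed to create GKE clusters (assumed minimal set;
# the module's actual role list may differ).
resource "google_project_iam_member" "kosmos_roles" {
  for_each = toset([
    "roles/container.admin",
    "roles/iam.serviceAccountUser",
  ])
  project = local.project_id
  role    = each.value
  member  = "serviceAccount:${google_service_account.kosmos.email}"
}

output "service_account_email" {
  value = google_service_account.kosmos.email
}
```

When `create_pool` is `false`, the pool and provider resources above would instead be looked up (for example with a `google_iam_workload_identity_pool` data source) and only the service account, the `principalSet` binding and the project roles would be created; the attribute condition on the existing provider then has to be checked by hand, because an existing provider that maps `attribute.fleet` from a claim the issuer does not control would make the binding meaningless.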
Example Usage
1. Create a New OIDC Provider Entry

```hcl
module "kosmos-oidc-role-srin-project-abc" {
  source          = "../kosmos-gcp-credentials-module"
  gke_project_id  = "kosmos-dev"
  fleet_name      = "srin-project-abc" # MUST MATCH THE FLEET NAME IN KOSMOS!
  oidc_issuer_uri = "https://console.kosmos.spcplatform.com/kosmos-oidc"
  oidc_client_id  = "kosmos-operator"
}
```

Here `create_pool` is left at its default (`false`), so `workload_identity_pool_name` and `workload_identity_provider_name` fall back to their defaults (`kosmos-pool` and `kosmos-prov`).
2. Using HTTPS to Fetch the Module from an S3 Bucket
Note:
- The bucket is accessible only from a specific office network. From there you can fetch the module [over HTTPS](https://developer.hashicorp.com/terraform/language/modules/configuration#fetching-archives-over-http) without providing any credentials. The archive name pins the module version (`v1.0.0`); bump it deliberately rather than pointing at a mutable path, since `terraform apply` acts on whatever the fetched module declares.
- If using S3 directly, the module is stored as a `.tar.gz` archive in the `srin-s3-terraform-modules` bucket in the `ap-southeast-1` region. The source would then be `s3::https://s3.ap-southeast-1.amazonaws.com/srin-s3-terraform-modules/kosmos-gcp-identity-v1.0.0.tar.gz`. The `s3::` form authenticates with AWS credentials; for details, refer to the [Terraform module sources documentation](https://developer.hashicorp.com/terraform/language/modules/sources).
```hcl
module "kosmos-oidc-role-srin-project-abc" {
  source                          = "https://srin-s3-terraform-modules.s3.ap-southeast-1.amazonaws.com/kosmos-gcp-identity-v1.0.0.tar.gz"
  gke_project_id                  = "kosmos-dev"
  fleet_name                      = "srin-project-abc" # MUST MATCH THE FLEET NAME IN KOSMOS!
  oidc_issuer_uri                 = "https://console.kosmos.spcplatform.com/kosmos-oidc"
  oidc_client_id                  = "kosmos-operator"
  create_pool                     = false
  workload_identity_pool_name     = "kosmospool"
  workload_identity_provider_name = "kosmosprovider"
}
```
Download Resources
For complete examples and the latest updates, refer to:
Setup federation using CLI
For instructions on setting up federation using the CLI, refer to the GKE Create and Import documentation.