Workload Identity Federation to integrate Terraform Cloud with GCP

Due to the Organisation policy, we are not allowed to download the GCP Service Account keys. So I wonder how could we integrate Terraform Cloud with Google Cloud Platform. Is WIF an option?

1 Like

I have submitted this as feature request a while ago. It would be amazing to have this. Much better security.

Please Terraform Cloud team put this on the road map.

With the absence of native oidc support within Terraform Cloud the only options are:

  1. TFC Remote Agents on GKE / GCE
  2. Hashicorp Vault integration so TFC fetches oauth2 token on each run

ICYMI - workload identity support was announced at HashiConf Global, but there’s not much in the way of docs yet. My understanding is that they are still working on the experience, but you can use it today. Each workspace run gets a JWT, accessible from the environment variable TFC_WORKLOAD_IDENTITY_TOKEN. The audience is configurable by setting the TFC_WORKLOAD_IDENTITY_AUDIENCE environment variable.

I’ve put together an example using the Vault provider. I’m using the environment provider to access the JWT, which is kind of a kludge, but it works. As I said, I think they are working on enhancing the experience. You should be able to get this working with GCP, Azure, or AWS.

I do not know what level of support you’ll get from HashiCorp, since this is an undocumented feature. So use at your own risk!

1 Like

As an update, we now have public documentation available on workload identity, as well as what we’re calling “Dynamic Provider Credentials,” which is a nicer way of working with workload identity for commonly used providers.

Folks in this thread may enjoy perusing the overview as well as the GCP-specific documentation.