OIDC for GCP

What is OIDC GCP?

OIDC (OpenID Connect) is an authentication protocol and the recommended way to authenticate to GCP services from CI/CD: short-lived identity tokens are exchanged for Google credentials, so no long-lived service account key has to be stored in the pipeline.

Buddy supports OIDC and SSO login for Google Cloud services integration, providing you with secure access management.

The following guide will walk you through the steps for setting up OIDC for your CI/CD pipelines.

OIDC provider configuration

  1. Sign in to your Google Cloud Console and go to IAM & Admin.
  2. Switch to Workload Identity Federation and click +Create Pool:

  3. Enter the name and description and click Continue.
  4. Switch the provider type to OpenID Connect (OIDC) and fill in the details:

    • Provider name → e.g. Buddy
    • Provider URL → https://oidc.buddyusercontent.com (US accounts) or https://eu-oidc.buddyusercontent.com (EU accounts)

  5. Copy the audience URL and click Continue.
  6. Map the subject attribute to assertion.sub and the audience attribute to assertion.aud and click Save to proceed.

Hint
You can ignore the conditions for now – we shall configure them later upon adding the integration in Buddy.
  7. Once added, click +Grant access and define the service account and principals for your pool.
  8. When a pop-up appears, select the Service account. Then choose 'audience' in Principals, provide the value copied in point 5 and click Save:

  9. A window will appear from which you can download the client library configuration file. Set the provider to the one created earlier and fill in the details:

    • OIDC ID token path → /buddy
    • Format type → text

  10. Download the config file to finish.

Buddy configuration

  1. Sign in to your Buddy account and go to Integrations.
  2. Click New integration and select Google Cloud.
  3. Define the integration details:

    • enter the name and define the sharing scope
    • switch the authorization method to OIDC
    • enter the name of the project
    • upload the JSON file as the Client Library Config
    • paste the audience copied from the OIDC provider

  4. Click the button to finish the configuration.

Restricting provider to integration

Warning
To ensure that your OIDC provider is restricted exclusively to this integration, you must define additional conditions for it.

To restrict the provider to this integration, follow the next steps:

  1. Go to the created integration in Buddy and copy the Subject.
  2. Switch back to Google and go to Workload Identity Federation.
  3. Expand the pool that you configured beforehand and click Edit next to the provider's name.

  4. Add the following attribute condition:

    • google.subject == GOOGLE_INTEGRATION_SUBJECT

  5. Click Save to finish.

Narrowing restrictions

Hint
The mappings and conditions below are just an example of the configuration process. Make sure to adjust the attributes to your security requirements and replace the placeholders with actual values (e.g. swap REF_NAME for master; in the condition, actual values are written as quoted string literals).

You can add more conditions if required. For example, to restrict the integration to pipeline runs executed for the main branch of a specific project, you must map additional attributes to the claims described in the OpenID claims reference.

Mappings:

  • attribute.repo → assertion.PROJECT_NAME
  • attribute.branch → assertion.REF_NAME

Conditions:

google.subject == GOOGLE_INTEGRATION_SUBJECT && attribute.repo == PROJECT_NAME && attribute.branch == REF_NAME
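To see what the mapping and condition above actually gate, the following added example (not part of Buddy's or Google's code) decodes a constructed, unsigned ID token the way the provider exposes it as assertion.*, applies the attribute mappings, and evaluates the same subject/repo/branch condition plus the audience check. The audience, subject value and claim names PROJECT_NAME/REF_NAME are assumptions taken from this page's placeholders; the real claim names come from the OpenID claims reference.

```python
import base64
import json

# Constructed sample values: a pool audience and the claims of an ID token as the
# runner would write it to the configured token path (/buddy). Claim names follow
# the page's placeholders and are assumptions, not Buddy's real claim names.
POOL_AUDIENCE = ("//iam.googleapis.com/projects/123456789/locations/global/"
                 "workloadIdentityPools/buddy-pool/providers/buddy")
SAMPLE_CLAIMS = {
    "iss": "https://oidc.buddyusercontent.com",
    "sub": "workspace:acme:integration:42",
    "aud": POOL_AUDIENCE,
    "PROJECT_NAME": "shop-backend",
    "REF_NAME": "master",
}

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def build_unsigned_token(claims: dict) -> str:
    """Build a JWT-shaped token with an empty signature, for local inspection only."""
    header = b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{b64url(json.dumps(claims).encode())}."

def read_assertion(token: str) -> dict:
    """Decode the payload segment: these claims are what assertion.* refers to.
    No signature check here; Google verifies it against the issuer's keys."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))

def map_attributes(assertion: dict) -> dict:
    """Apply the page's mappings: google.subject, attribute.repo, attribute.branch."""
    return {
        "google.subject": assertion["sub"],
        "attribute.repo": assertion.get("PROJECT_NAME"),
        "attribute.branch": assertion.get("REF_NAME"),
    }

def condition_allows(attrs: dict, subject: str, repo: str, branch: str) -> bool:
    """Same logic as the attribute condition; every clause must hold."""
    return (attrs["google.subject"] == subject
            and attrs["attribute.repo"] == repo
            and attrs["attribute.branch"] == branch)

def evaluate(token: str, audience: str, subject: str, repo: str, branch: str) -> bool:
    """Reject tokens minted for another pool (aud), then apply the condition."""
    assertion = read_assertion(token)
    if assertion.get("aud") != audience:
        return False
    return condition_allows(map_attributes(assertion), subject, repo, branch)
```

Running evaluate with the integration's subject, project and branch returns True; the same token evaluated for another branch or another pool audience is rejected, which is the effect the narrowed condition has on the token exchange.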

Once the integration configuration has been completed, you can begin to deploy software with CI/CD pipelines in Buddy and Google services.

Last modified on Sep 23, 2024