@amasucci
Last active January 29, 2024 17:58
How to configure GitHub and Workload Identity Federation in GCP
export PROJECT_ID="INSERT-PROJECT-ID"
export PROJECT_NUMBER="INSERT-PROJECT-NUMBER"
export DEV_BUCKET="INSERT-DEV-BUCKET-NAME"
export PRD_BUCKET="INSERT-PRD-BUCKET-NAME"

gcloud storage buckets create gs://$DEV_BUCKET --project=$PROJECT_ID --default-storage-class=STANDARD --location=EUROPE-WEST1 --uniform-bucket-level-access
gcloud storage buckets create gs://$PRD_BUCKET --project=$PROJECT_ID --default-storage-class=STANDARD --location=EUROPE-WEST1 --uniform-bucket-level-access

gcloud iam workload-identity-pools create github \
  --project=$PROJECT_ID \
  --location="global" \
  --description="GitHub pool" \
  --display-name="GitHub pool"

gcloud iam workload-identity-pools providers create-oidc "github" \
  --project="${PROJECT_ID}" \
  --location="global" \
  --workload-identity-pool="github" \
  --display-name="GitHub provider" \
  --attribute-mapping="google.subject=assertion.sub,attribute.workflow_ref=assertion.job_workflow_ref,attribute.event_name=assertion.event_name" \
  --issuer-uri="https://token.actions.githubusercontent.com"

gcloud iam service-accounts create bucket-dev \
  --project=$PROJECT_ID \
  --description="SA with access to the DEV Bucket" \
  --display-name="Bucket Reader DEV"

gcloud iam service-accounts create bucket-prd \
  --project=$PROJECT_ID \
  --description="SA with access to the PRD Bucket" \
  --display-name="Bucket Reader PRD"

gcloud storage buckets add-iam-policy-binding gs://${DEV_BUCKET} \
  --member=serviceAccount:bucket-dev@${PROJECT_ID}.iam.gserviceaccount.com \
  --role=roles/storage.objectViewer

gcloud storage buckets add-iam-policy-binding gs://${PRD_BUCKET} \
  --member=serviceAccount:bucket-prd@${PROJECT_ID}.iam.gserviceaccount.com \
  --role=roles/storage.objectViewer

gcloud iam service-accounts add-iam-policy-binding "bucket-dev@${PROJECT_ID}.iam.gserviceaccount.com" \
  --project="${PROJECT_ID}" \
  --role="roles/iam.workloadIdentityUser" \
  --member="principalSet://iam.googleapis.com/projects/${PROJECT_NUMBER}/locations/global/workloadIdentityPools/github/attribute.event_name/pull_request"

gcloud iam service-accounts add-iam-policy-binding "bucket-prd@${PROJECT_ID}.iam.gserviceaccount.com" \
  --project="${PROJECT_ID}" \
  --role="roles/iam.workloadIdentityUser" \
  --member="principalSet://iam.googleapis.com/projects/${PROJECT_NUMBER}/locations/global/workloadIdentityPools/github/attribute.workflow_ref/outofdevops/workload-identity-federation/.github/workflows/multi-id.yaml@refs/heads/main"
name: Multiple GCP identity Demo
on:
  push:
    branches: [ "main" ]
  pull_request:
    branches: [ "main" ]
jobs:
  multi-identity:
    permissions:
      contents: 'read'
      id-token: 'write'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - id: 'devAuth'
        if: github.ref != 'refs/heads/main'
        name: 'Authenticate to Google Cloud'
        uses: 'google-github-actions/[email protected]'
        with:
          workload_identity_provider: 'projects/32549352397/locations/global/workloadIdentityPools/github/providers/github'
          service_account: '[email protected]'
      - id: 'prdAuth'
        if: github.ref == 'refs/heads/main'
        name: 'Authenticate to Google Cloud'
        uses: 'google-github-actions/[email protected]'
        with:
          workload_identity_provider: 'projects/32549352397/locations/global/workloadIdentityPools/github/providers/github'
          service_account: '[email protected]'
      # Install gcloud, automatically picks up authentication from auth.
      - name: 'Set up Cloud SDK'
        uses: 'google-github-actions/setup-gcloud@v1'
      - id: listDevBucket
        name: List Content of DevBucket
        #if: github.event_name == 'pull_request'
        run: gcloud storage ls gs://dev-storage-2023
        continue-on-error: true
      - id: listPrdBucket
        name: List Content of PrdBucket
        #if: github.ref == 'refs/heads/main' && github.event_name == 'push'
        run: gcloud storage ls gs://prd-storage-2023
        continue-on-error: true
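The two `workloadIdentityUser` bindings in the gist (bucket-dev for any token whose `event_name` is `pull_request`, bucket-prd for the `main`-branch run of `multi-id.yaml`) and the two `if:` branches of the workflow together decide which service account a given run can impersonate. The following is an added example, not code from the gist or its author: a small Python model of the provider's attribute mapping and of principalSet membership, run against constructed sample claims, so the bindings can be checked before they are applied. `PROJECT_NUMBER` is a placeholder, the three token dicts are constructed to resemble GitHub's OIDC claims, and `repository_owner_is` stands in for a provider `--attribute-condition` (a real flag of `gcloud iam workload-identity-pools providers create-oidc` that the gist does not use). The model only handles the direct `assertion.<claim>` mappings the gist uses, not general CEL expressions.

```python
import re

# Placeholder: the gist reads the real value from $PROJECT_NUMBER.
PROJECT_NUMBER = "000000000000"
POOL = f"projects/{PROJECT_NUMBER}/locations/global/workloadIdentityPools/github"

# Attribute mapping copied from the gist's `providers create-oidc` command.
ATTRIBUTE_MAPPING = {
    "google.subject": "assertion.sub",
    "attribute.workflow_ref": "assertion.job_workflow_ref",
    "attribute.event_name": "assertion.event_name",
}

# The two service-account bindings from the gist, keyed by service account name.
BINDINGS = {
    "bucket-dev": f"principalSet://iam.googleapis.com/{POOL}/attribute.event_name/pull_request",
    "bucket-prd": f"principalSet://iam.googleapis.com/{POOL}/attribute.workflow_ref/"
                  "outofdevops/workload-identity-federation/.github/workflows/multi-id.yaml@refs/heads/main",
}


def map_attributes(claims, mapping=ATTRIBUTE_MAPPING):
    """Apply a mapping of the `target=assertion.<claim>` form used in the gist.

    Real WIF mappings are CEL expressions; this simulation supports only the
    direct claim references the gist uses and refuses anything else.
    """
    attrs = {}
    for target, expr in mapping.items():
        m = re.fullmatch(r"assertion\.(\w+)", expr)
        if m is None:
            raise ValueError(f"unsupported mapping expression: {expr}")
        claim = m.group(1)
        if claim not in claims:
            raise KeyError(f"token lacks claim {claim!r} needed for {target}")
        attrs[target] = claims[claim]
    return attrs


def principal_sets(attrs, pool=POOL):
    """principalSet:// identifiers a mapped identity is a member of."""
    sets = {f"principalSet://iam.googleapis.com/{pool}/*"}  # every identity in the pool
    for key, value in attrs.items():
        if key.startswith("attribute."):
            sets.add(f"principalSet://iam.googleapis.com/{pool}/{key}/{value}")
    return sets


def allowed_service_accounts(claims, bindings=BINDINGS, attribute_condition=None):
    """Service accounts a token could impersonate under the given bindings.

    `attribute_condition` stands in for the provider's --attribute-condition
    (assumed here, not set in the gist): a token that fails it is rejected
    before any binding is considered.
    """
    if attribute_condition is not None and not attribute_condition(claims):
        return set()
    member_of = principal_sets(map_attributes(claims))
    return {sa for sa, member in bindings.items() if member in member_of}


def repository_owner_is(owner):
    """Condition equivalent to `assertion.repository_owner == '<owner>'`."""
    return lambda claims: claims.get("repository_owner") == owner


# Constructed sample claims shaped like GitHub's OIDC token (not real tokens).
WORKFLOW = "outofdevops/workload-identity-federation/.github/workflows/multi-id.yaml"
PR_TOKEN = {  # the workflow's devAuth branch: a pull request against main
    "sub": "repo:outofdevops/workload-identity-federation:pull_request",
    "repository_owner": "outofdevops",
    "job_workflow_ref": f"{WORKFLOW}@refs/pull/7/merge",
    "event_name": "pull_request",
}
MAIN_PUSH_TOKEN = {  # the workflow's prdAuth branch: a push to main
    "sub": "repo:outofdevops/workload-identity-federation:ref:refs/heads/main",
    "repository_owner": "outofdevops",
    "job_workflow_ref": f"{WORKFLOW}@refs/heads/main",
    "event_name": "push",
}
FOREIGN_PR_TOKEN = {  # same event type, repository under a different owner
    "sub": "repo:another-org/some-repo:pull_request",
    "repository_owner": "another-org",
    "job_workflow_ref": "another-org/some-repo/.github/workflows/ci.yaml@refs/pull/1/merge",
    "event_name": "pull_request",
}

if __name__ == "__main__":
    owner_only = repository_owner_is("outofdevops")
    for label, token in [("PR", PR_TOKEN), ("push to main", MAIN_PUSH_TOKEN), ("foreign PR", FOREIGN_PR_TOKEN)]:
        print(f"{label:13} no condition:    {sorted(allowed_service_accounts(token))}")
        print(f"{label:13} owner condition: {sorted(allowed_service_accounts(token, attribute_condition=owner_only))}")
```

Running it shows the asymmetry between the two bindings: the bucket-prd member pins the exact workflow file and branch, so only the `main` push token reaches it, while the bucket-dev member is satisfied by any token carrying `event_name=pull_request`, including the constructed one from a different repository owner, because neither the mapping nor the binding references the repository. The owner condition is what narrows that set; the gist's provider has no attribute condition, so the check is worth running with your own pool and bindings substituted.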