GCP Service Account to AWS IAM Role

This repo contains code that accompanies the blog post on using GCP Service Accounts to acquire AWS IAM Role credentials.

Preparation

1. Create the GCP Service Account
2. Get the Service Account numeric Client ID

Creating the stack

1. Acquire AWS credentials with rights to manage IAM Identity Providers, Lambda functions, and IAM Roles.

2. Build the rendered template and create the stack:

   CLIENT_ID=<service-account-client-id> make deploy

3. Copy the ARN of the role from the Outputs of the stack

Acquiring Credentials

1. Create an Ubuntu VM in GCP, and associate the Service Account you created above with it

2. Log in to that VM

3. Install pre-requisites:

   apt-get update && apt-get install -y python3-pip

4. Download this repo onto that system:

   curl -L -o gcp-to-aws.zip https://github.com/cevoaustralia/gcp-sa-to-aws-iam-role/archive/master.zip

5. Unpack the repo:

   unzip gcp-to-aws.zip

6. Install the dependencies:

   cd gcp-sa-to-aws-iam-role-master/gcp
   pip3 install -r requirements.txt

7. Run the script with the ARN of the IAM Role created by the stack (above) as the argument:

   ./get_aws_creds.py arn:aws:iam::123456789012:role/DeploymentRole

8. Validate that your VM now has AWS credentials:

   aws sts get-caller-identity

9. Profit!