Add workload identity federation docs #160
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
asatwal
force-pushed
the
add-workload-identity-federation-docs
branch
from
1e155b8 to
b8d92fa
Compare
ericaporter
reviewed
Aug 13, 2024
| 1. Access the `development` service account you previously set up | ||
| 1. Go to the keys tab, click on "Add key" > "Create new key" | ||
| 1. Create a JSON private key. This file will be downloaded to your local system. | ||
| Set the following environment variables for your Rails app. | ||
|
|
ericaporter
reviewed
Aug 13, 2024
| ### 3. BigQuery authentication method | ||
|
|
||
| ### 3.1 Workload Identity Federation | ||
|
|
ericaporter
reviewed
Aug 13, 2024
docs/google_cloud_bigquery_setup.md
Outdated
| top right. | ||
| 2. Click "ADD PRINCIPAL". | ||
| 3. Paste in the email address of the service account you created into the "New | ||
| principals" box. | ||
| 4. Select the "BigQuery Appender Custom" role you created previously. | ||
| 5. Click "SAVE" to finish. | ||
|
|
||
|
|
There was a problem hiding this comment.
Extra line (unless this follows formatting pattern)
ericaporter
reviewed
Aug 13, 2024
docs/google_cloud_bigquery_setup.md
Outdated
|
|
||
| ![[azure-gcp-wif.svg]] | ||
|
|
||
|
|
There was a problem hiding this comment.
Extra line (unless this follows formatting pattern)
ericaporter
reviewed
Aug 13, 2024
| `AZURE_CLIENT_ID` | ||
| `AZURE_FEDERATED_TOKEN_FILE` | ||
|
|
||
|
|
There was a problem hiding this comment.
Extra line (unless this follows formatting pattern)
ericaporter
reviewed
Aug 13, 2024
docs/google_cloud_bigquery_setup.md
Outdated
|
|
||
| The service account defined in step 4 above should be granted access using service account impersonation. | ||
|
|
||
| If this does not exist then access can be granted with either the [update wif service account permissions ](https://github.com/DFE-Digital/teacher-services-analytics-cloud/blob/main/scripts/gcloud/update-wif-service-account-permissions.sh) gcloud script or from the [IAM](https://console.cloud.google.com/iam-admin/workload-identity-pools/pool/azure-cip-identity-pool) gcloud console, by navigating to the "GRANT ACCESS" window. Use the attributes specified in the gcloud script. Note that the subject must be set to the Managed Identity Object ID from azure for each environment (see Step 1 above). |
stevenleggdfe
requested changes
Aug 15, 2024
README.md
Outdated
|
|
||
| #### 3.1 Workload Identity Federation | ||
|
|
||
| We recommend using Workload identity federation as your authentication method as detailed in the [Workload Identity Federation Setup](docs/google_cloud_bigquery_setup.md#workload-identity-federation-setup) guide. |
There was a problem hiding this comment.
@asatwal worth saying why briefly? e.g. 'to avoid security risks associated with use of long-lived JSON keys' or something?
docs/google_cloud_bigquery_setup.md
Outdated
|
|
||
| With DfE::Analytics our strong preference is to use WIF where possible. Where WIF is not possible to use then OAuth should be considered. The use of service account API Keys is discouraged. | ||
|
|
||
| The diagram below demonstrates our use of WIF within DfE Analytics connecting from an Azure client to BigQuery. |
There was a problem hiding this comment.
"with dfe-analytics" instead of "within DfE Analytics" to be precise?
docs/google_cloud_bigquery_setup.md
Outdated
| `AZURE_CLIENT_ID` | ||
| `AZURE_FEDERATED_TOKEN_FILE` | ||
|
|
||
| Within Azure a managed identity will also exist for each namespace. The managed identity will have the text `gcp-wif` within it's name. |
docs/google_cloud_bigquery_setup.md
Outdated
|
|
||
| Within Azure a managed identity will also exist for each namespace. The managed identity will have the text `gcp-wif` within it's name. | ||
|
|
||
| Please note the Managed Identity Object ID for each namespace (environment). This is a uuid that will be required in later steps below. |
There was a problem hiding this comment.
'take note of' rather than 'note'? 'note' to me implies something I need to read not an ID I need to copy
docs/google_cloud_bigquery_setup.md
Outdated
|
|
||
| ### 3. Workload identity pool provider | ||
|
|
||
| For each project a workload identity pool with the name `azure-cip-oidc-provider` should exist. |
docs/google_cloud_bigquery_setup.md
Outdated
|
|
||
| `GOOGLE_CLOUD_CREDENTIALS` | ||
|
|
||
| Download the JSON WIF Credentials file either the [create wif client credentials](https://github.com/DFE-Digital/teacher-services-analytics-cloud/blob/main/scripts/gcloud/create-wif-client-credentials.sh) gcloud script or from the [IAM](https://console.cloud.google.com/iam-admin/workload-identity-pools/pool/azure-cip-identity-pool) gcloud console, by navigating to the "CONNECTED SERVICE ACCOUNTS" tab. Use the the attributes specified in the gcloud script. |
There was a problem hiding this comment.
Missing a word or two in this sentence I think
stevenleggdfe
approved these changes
Aug 16, 2024
Merged
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Context
Add workload identity federation documentation to allow teams to setup on their own projects.
Trello tickets:
https://trello.com/c/F7WrGYYq
Changes proposed in this pull request
Documentation only with full WIF instructions.