Google Cloud IAM Integration with multiple GCP projects

The Google Cloud IAM integration using workload identity pools works great. We are able to manage our infrastructure fully in GCP using OpenTofu in GitLab.

However, I am missing one feature that perhaps others have found a workaround for: It does not seem possible today to link one GitLab project to many GCP projects.

Why do I say this? The configuration of the Google Cloud IAM integration requires you to enter the GCP project ID that you are authenticating against.

If it were possible to specify multiple GCP projects, we would be able to use GitLab environments to manage test and production branches, so that changes can first be deployed and tested before being merged to production.

How are others doing testing before going to production with their OpenTofu or Terraform pipelines when deploying to GCP? The only way I could see this working is using multiple GitLab projects.


Did you ever figure this out?

Afraid not, no; it seems to be a hard limit. I will submit a feature request and refer to this discussion.

Please post a link to upvote!

It seems like the only way to authenticate to multiple google cloud environments is using environment variables… Did you figure out a workaround to deploy to different environments?

It seems I should be able to download a credential configuration file for the workload identity pool and store that in an environment variable that I can use to authenticate to the environment I want. However, I can’t seem to determine what the correct OIDC ID token path is in the GitLab environment. I will post back if I figure out a way to authenticate to different projects.

I’m surprised there is not more discussion about this. Separating environments by project is recommended to isolate production from staging and development. This seems to be a necessary requirement to deploy to Google Cloud.

Once the Workload Identity Pool is set up similarly to what is defined in the Google IAM Integration, you can use GitLab-provided CI templates to handle OIDC authentication directly, allowing you to manage connections via environment variables. GitLab tutorials are defined here and here.

There were some differences in configuration, but they aren’t too tricky to figure out. The issuer URI for the provider is just https://gitlab.com. It sets the application default credentials as the provided service account, so it is a bit more convenient than the integration, in my opinion. You could create a Terraform file for the pool definitions and permissions. Make sure the service account variable is defined correctly, because I missed a quote and it kept running as some other default service account instead of erroring, lol.
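The approach the two posts above describe (a credential configuration file pointed at by an environment variable, with the job's OIDC ID token as the subject token, and the target project chosen per GitLab environment) is shown below as an added example. It is not code from the thread, from GitLab or from Google. It assumes the job requests an ID token through the `id_tokens:` keyword into a variable named `GITLAB_OIDC_TOKEN`, that the provider is left at its default allowed audience (`https://iam.googleapis.com/` followed by the provider resource name), and that the per-environment variable names (`GCP_PROJECT_NUMBER`, `GCP_WIF_POOL`, `GCP_WIF_PROVIDER`, `GCP_SERVICE_ACCOUNT`, `GCP_PROJECT_ID`) are chosen by you; they are hypothetical here. The local audience check only catches a misconfigured `aud` before the job calls STS; signature verification is done by Google's STS against the `https://gitlab.com` issuer, not by this script.

```shell
#!/bin/sh
# Added example (not the thread's, GitLab's or Google's code): authenticate a
# GitLab CI job to one of several GCP projects through Workload Identity
# Federation, selecting the target with per-environment CI/CD variables.
#
# Assumed (hypothetical) variable names, set per GitLab environment:
#   GITLAB_OIDC_TOKEN  - ID token from the job's `id_tokens:` keyword
#   GCP_PROJECT_NUMBER - numeric project that hosts the pool
#   GCP_WIF_POOL, GCP_WIF_PROVIDER
#   GCP_SERVICE_ACCOUNT - service account bound to the pool
#   GCP_PROJECT_ID     - project that OpenTofu/Terraform should target

# Provider resource name: projects/<number>/locations/global/workloadIdentityPools/<pool>/providers/<provider>
wif_provider_name() {
  printf 'projects/%s/locations/global/workloadIdentityPools/%s/providers/%s' "$1" "$2" "$3"
}

# Decode one base64url (unpadded) JWT segment to text.
b64url_decode() {
  s=$(printf '%s' "$1" | tr '_-' '/+')
  case $(( ${#s} % 4 )) in
    2) s="${s}==" ;;
    3) s="${s}=" ;;
  esac
  printf '%s' "$s" | base64 -d
}

# Extract a string-valued claim (e.g. aud, sub) from the token payload.
# No signature check here: STS verifies the signature; this is a sanity check.
jwt_claim() {
  payload=$(printf '%s' "$1" | cut -d. -f2)
  b64url_decode "$payload" | sed -n "s/.*\"$2\": *\"\([^\"]*\)\".*/\1/p"
}

# Credential configuration in the "external_account" format that google-auth
# libraries and gcloud read from GOOGLE_APPLICATION_CREDENTIALS.
# Args: project_number pool provider service_account token_file
credential_config_json() {
  provider=$(wif_provider_name "$1" "$2" "$3")
  printf '{\n'
  printf '  "type": "external_account",\n'
  printf '  "audience": "//iam.googleapis.com/%s",\n' "$provider"
  printf '  "subject_token_type": "urn:ietf:params:oauth:token-type:jwt",\n'
  printf '  "token_url": "https://sts.googleapis.com/v1/token",\n'
  printf '  "service_account_impersonation_url": "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/%s:generateAccessToken",\n' "$4"
  printf '  "credential_source": { "file": "%s" }\n' "$5"
  printf '}\n'
}

# Write the token and the config into a work directory (mode 0600) and print
# the config path. Fails closed if the token's audience does not match the
# provider's default allowed audience.
# Args: token workdir project_number pool provider service_account
configure_adc() {
  token="$1"; workdir="$2"
  expected="https://iam.googleapis.com/$(wif_provider_name "$3" "$4" "$5")"
  actual=$(jwt_claim "$token" aud)
  if [ "$actual" != "$expected" ]; then
    echo "ID token aud '$actual' does not match provider '$expected'" >&2
    return 1
  fi
  token_file="$workdir/gitlab_oidc_token"
  cfg_file="$workdir/gcp_credentials.json"
  (
    umask 077
    printf '%s' "$token" > "$token_file"
    credential_config_json "$3" "$4" "$5" "$6" "$token_file" > "$cfg_file"
  ) || return 1
  printf '%s' "$cfg_file"
}

# In the job: export ADC and the target project, then run tofu/terraform as usual.
# This branch only runs inside a job that actually received an ID token.
if [ -n "${GITLAB_OIDC_TOKEN:-}" ]; then
  GOOGLE_APPLICATION_CREDENTIALS=$(configure_adc "$GITLAB_OIDC_TOKEN" "${CI_PROJECT_DIR:-.}" \
    "$GCP_PROJECT_NUMBER" "$GCP_WIF_POOL" "$GCP_WIF_PROVIDER" "$GCP_SERVICE_ACCOUNT") || exit 1
  export GOOGLE_APPLICATION_CREDENTIALS
  export GOOGLE_CLOUD_PROJECT="$GCP_PROJECT_ID"
fi
```

Because every value comes from environment-scoped CI/CD variables, the same job definition can target a test project in one environment and a production project in another, and a token minted for one provider cannot be silently used against another: the audience check refuses it before any call leaves the runner.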

Just to follow up in case anyone comes across this later…

I’ve taken a route of using the Terraform GCP Bootstrap to create a seed project which I use to generate other project environments. You can find an overly complicated example here.

Essentially, I’ve created a folder in which I’ve created a seed project with my identity pool set up. I bind that identity pool to a service account, which I grant privileges to at the folder level. That single service account can then be authenticated to from GitLab via OIDC, has access to create projects within the folder, and inherits any folder-level privileges in the projects themselves. Nifty.

lol, this is not spam; I was linking to GitLab tutorials on how to authenticate via configuration.