AWX, Workload Identity Federation & GCP


I’m looking for a solution to enable AWX to authenticate against GCP keylessly. I’ve seen implementations of this using GitHub Actions and Jenkins, which use Workload Identity Federation. To the best of my understanding, a trust relationship is set up between a local entity that is able to impersonate a GCP service account and issue tokens on behalf of it that are valid in GCP. I don’t think such a feature exists in AWX. If it did, I suppose it would be based around a new credential type which would inject a GCP token into a job.

I could sort of do this using a GCP secrets engine in HashiCorp Vault to generate the token and a HashiCorp Vault Secret Lookup to read the generated token from Vault. However, the GCP secrets engine in HashiCorp Vault requires a GCP key, and the HashiCorp Vault Secret Lookup in AWX requires a client ID and client secret. All of which is potentially vulnerable to exfiltration and needs to be regularly rotated.

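The two-step exchange that sits behind the trust relationship described above, as an added example that is not part of the thread and not AWX code: an OIDC token from a trusted identity provider is traded at Google's Security Token Service for a short-lived federated token, which is then used to impersonate the service account. The project number, pool, provider and service-account names are placeholders, and the HTTP transport is a parameter so the flow can be exercised with a stub offline.

```python
# Added example (not from the thread): the two-step token exchange behind
# Workload Identity Federation. An OIDC token from a trusted IdP is traded at
# Google's STS for a short-lived federated token, which then impersonates a
# service account via the IAM Credentials API. No service-account key exists.
import json
import urllib.request

STS_URL = "https://sts.googleapis.com/v1/token"
IAM_CREDS_URL = ("https://iamcredentials.googleapis.com/v1/projects/-/"
                 "serviceAccounts/{sa}:generateAccessToken")
CLOUD_SCOPE = "https://www.googleapis.com/auth/cloud-platform"


def wif_audience(project_number: str, pool: str, provider: str) -> str:
    """Audience the IdP must mint the token for; STS rejects any other value,
    which is what narrows the trust relationship to one pool/provider."""
    return (f"//iam.googleapis.com/projects/{project_number}/locations/global/"
            f"workloadIdentityPools/{pool}/providers/{provider}")


def sts_request(oidc_jwt: str, audience: str) -> dict:
    """Body of the RFC 8693 token-exchange call to STS."""
    return {
        "grantType": "urn:ietf:params:oauth:grant-type:token-exchange",
        "audience": audience,
        "scope": CLOUD_SCOPE,
        "requestedTokenType": "urn:ietf:params:oauth:token-type:access_token",
        "subjectTokenType": "urn:ietf:params:oauth:token-type:jwt",
        "subjectToken": oidc_jwt,
    }


def http_post_json(url: str, body: dict, bearer: str = "") -> dict:
    """Default transport; swap in a stub to run the flow offline."""
    headers = {"Content-Type": "application/json"}
    if bearer:
        headers["Authorization"] = f"Bearer {bearer}"
    req = urllib.request.Request(url, json.dumps(body).encode(), headers)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def service_account_token(oidc_jwt: str, audience: str, sa_email: str,
                          lifetime_s: int = 600, post=http_post_json) -> dict:
    """Return {"accessToken", "expireTime"} for the impersonated account."""
    federated = post(STS_URL, sts_request(oidc_jwt, audience))["access_token"]
    # The federated token may only call generateAccessToken on accounts whose
    # IAM policy grants roles/iam.workloadIdentityUser to the pool principal;
    # the short-lived token returned here is what a job would actually use.
    body = {"scope": [CLOUD_SCOPE], "lifetime": f"{lifetime_s}s"}
    return post(IAM_CREDS_URL.format(sa=sa_email), body, bearer=federated)
```

Because the federated token is bound to the pool audience and the final token expires after `lifetime_s`, there is nothing long-lived to rotate or exfiltrate, which is the property the Vault-based workaround lacks.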

Interesting. This has led me to begin reading about “Workload Identity Federation”. Do you agree that “Service Account Key JSON” is not what you are looking for?

I’m going to try and read more about #1 and #2

edit:
Authenticate workloads to Google Cloud APIs using service accounts | Compute Engine Documentation. If you are staying in GCP, I think this is all you need.