Hi all,
I’m working on automating Terraform deployments to GCP from multiple GitLab projects within the same GitLab group, and I’m using Workload Identity Federation (WIF) to securely authenticate from GitLab to Google Cloud — avoiding the use of long-lived service account keys.
Here’s the setup:
- Multiple GitLab projects under the same GitLab group
- A single Workload Identity Pool Provider configured in GCP (OIDC)
- A single GCP service account with the necessary IAM roles
- Terraform used in each GitLab CI pipeline to deploy GCP resources
My questions:
- Is it safe and best practice to use one GCP service account (with WIF) across multiple GitLab projects in the same group?
- Since all projects share the same WIF provider, do I need to create separate trust bindings for each GitLab project, or can I write a wildcard subject claim (like projects/*/repos/*:ref_type:branch:ref:main)?
- What's the recommended way to scope access to GCP resources per project while still using the same WIF service account?
- Should I consider creating separate service accounts per project for finer-grained IAM control, or is a shared one okay for this use case?
If anyone has implemented this in a production setup, I’d love to hear your thoughts or see examples of how you structure your GitLab CI and Terraform provider configuration.
Thanks!
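As an added illustration of the configuration the question is about (example code, not from the original post or any reply), the Terraform below wires one GitLab group to one Workload Identity Pool provider and then scopes impersonation per GitLab project. It goes slightly beyond the shared-service-account setup described above by creating one service account per project, because WIF scopes trust through mapped token claims rather than wildcards in the subject: the provider's `attribute_condition` restricts which tokens are accepted at all (here, the group path and protected refs only), and a `principalSet://.../attribute.project_path/<path>` member on each service account limits which project may impersonate it. The GCP project id, group path, project names and service account ids are placeholders; the claim names (`sub`, `project_path`, `namespace_path`, `ref`, `ref_protected`) are the ones GitLab puts in its CI ID tokens.

```hcl
# Added example (not the poster's code). Placeholders: GCP project
# "example-gcp-project", GitLab group "example-group" on gitlab.com,
# and two GitLab projects under that group.
variable "gcp_project_id" {
  default = "example-gcp-project"
}

variable "gitlab_group_path" {
  default = "example-group"
}

variable "gitlab_projects" {
  default = ["app-one", "app-two"]
}

# One pool and one OIDC provider serve the whole GitLab group.
resource "google_iam_workload_identity_pool" "gitlab" {
  project                   = var.gcp_project_id
  workload_identity_pool_id = "gitlab-pool"
}

resource "google_iam_workload_identity_pool_provider" "gitlab" {
  project                            = var.gcp_project_id
  workload_identity_pool_id          = google_iam_workload_identity_pool.gitlab.workload_identity_pool_id
  workload_identity_pool_provider_id = "gitlab-oidc"

  oidc {
    # Tokens must be issued by this GitLab instance. With no
    # allowed_audiences set, the token's `aud` must equal the
    # provider's full resource name (exported below).
    issuer_uri = "https://gitlab.com"
  }

  # Map GitLab ID-token claims onto attributes usable in IAM bindings.
  attribute_mapping = {
    "google.subject"           = "assertion.sub"
    "attribute.project_path"   = "assertion.project_path"
    "attribute.namespace_path" = "assertion.namespace_path"
    "attribute.ref"            = "assertion.ref"
    "attribute.ref_protected"  = "assertion.ref_protected"
  }

  # Reject any token from outside the group, and any job that is not
  # running on a protected ref. Claim values arrive as strings, so
  # ref_protected is compared against "true", not a boolean.
  attribute_condition = join(" && ", [
    "attribute.namespace_path == \"${var.gitlab_group_path}\"",
    "attribute.ref_protected == \"true\"",
  ])
}

# One deployer service account per GitLab project; grant each the
# least IAM privilege its Terraform needs (not shown here).
resource "google_service_account" "deploy" {
  for_each     = toset(var.gitlab_projects)
  project      = var.gcp_project_id
  account_id   = "tf-${each.key}"
  display_name = "Terraform deployer for ${each.key}"
}

# Only jobs whose project_path attribute equals this project's path may
# impersonate its service account. A principalSet on a mapped attribute
# replaces the wildcard-subject idea: the subject itself is matched
# exactly, scoping is done through attributes.
resource "google_service_account_iam_member" "wif" {
  for_each           = google_service_account.deploy
  service_account_id = each.value.name
  role               = "roles/iam.workloadIdentityUser"
  member             = "principalSet://iam.googleapis.com/${google_iam_workload_identity_pool.gitlab.name}/attribute.project_path/${var.gitlab_group_path}/${each.key}"
}

# The value each pipeline must put in the `aud` of its ID token.
output "gitlab_id_token_audience" {
  value = "https://iam.googleapis.com/${google_iam_workload_identity_pool_provider.gitlab.name}"
}

output "deployer_service_accounts" {
  value = { for k, sa in google_service_account.deploy : k => sa.email }
}
```

On the GitLab side each pipeline requests an ID token with that audience and exchanges it for short-lived credentials (for example via a credential configuration file generated with `gcloud iam workload-identity-pools create-cred-config`, pointed at the matching `tf-<project>` service account and referenced through `GOOGLE_APPLICATION_CREDENTIALS`). Because the attribute condition and the per-project `principalSet` are evaluated by Google on every token exchange, a project that is added to the group later gets no access until an explicit binding for its `project_path` exists, which is the property a shared-everything service account would lose.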