Invoking Apigee Management API Service from Cloud Run without Service Account Key

I have deployed my Node.js service in Cloud Run within Project 1. For this service, I need to invoke the Apigee management API service, which is in Project 2, without using a service account key. Could anyone please provide guidance on how to achieve this?


Hello @K_V_Rao, welcome to the Google Cloud Community.

Have you tried Workload Identity Federation?

“Using Workload Identity Federation, you can provide on-premises or multicloud workloads with access to Google Cloud resources by using federated identities instead of a service account key.” More info here: https://cloud.google.com/iam/docs/workload-identity-federation

What you should do:

  1. Enable the WIF API in Project 2
  2. Create a WIF provider in Project 2 (OIDC provider)
  3. Create an SA in Project 2
  4. Add a policy binding to the SA (Apigee management admin) in Project 2
  5. Allow WIF to impersonate the SA (IAM role Workload Identity User) in Project 2
  6. Allow the Cloud Run SA to use WIF (IAM role Workload Identity User) in Project 1
  7. Use the auth library for your programming language to obtain credentials.

PS: I wrote this off the top of my head, so it is possible that some steps should be changed or improved, but in general it should work.

cheers,
DamianS
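As an added example (not code from any poster in this thread), here is the Node.js client side of step 7, in the simplest arrangement: a Cloud Run service already runs as a Google service account, so the example assumes that the runtime service account of the service in Project 1 has been granted an Apigee IAM role in Project 2 (for example roles/apigee.readOnlyAdmin for the read-only call shown), and it reads that account's access token from the Cloud Run metadata server instead of from a key file. If the WIF pool from the steps above is used instead, only the token acquisition differs; the Apigee Management API call is the same. The organization name "project-2" and the environment variable APIGEE_ORG are placeholders; the Apigee org name is the Project 2 project ID.

```javascript
// Added example: call the Apigee Management API (Project 2) from a Node.js
// service on Cloud Run (Project 1) without a service account key.
// Assumption: the Cloud Run runtime service account has an Apigee IAM role
// on Project 2. Requires Node.js 18+ for the global fetch().

const METADATA_TOKEN_URL =
  'http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token';
const APIGEE_BASE = 'https://apigee.googleapis.com/v1';

// Validates the metadata server's JSON token response and converts the relative
// expires_in into an absolute expiry with a 60 s margin, so a cached token is
// never sent right as it expires.
function parseTokenResponse(body, nowMs = Date.now()) {
  if (!body || typeof body.access_token !== 'string' || body.access_token.length === 0) {
    throw new Error('metadata server returned no access_token');
  }
  if (body.token_type !== 'Bearer') {
    throw new Error(`unexpected token_type: ${body.token_type}`);
  }
  const expiresIn = Number(body.expires_in);
  if (!Number.isFinite(expiresIn) || expiresIn <= 0) {
    throw new Error('metadata server returned an invalid expires_in');
  }
  return {
    accessToken: body.access_token,
    expiresAtMs: nowMs + Math.max(expiresIn - 60, 0) * 1000,
  };
}

// Builds a read-only Apigee Management API request. Path segments are
// URL-encoded so a caller-supplied org or resource name cannot smuggle in
// extra path components.
function buildApigeeRequest(org, accessToken, resource = 'apis') {
  const url =
    `${APIGEE_BASE}/organizations/${encodeURIComponent(org)}/${encodeURIComponent(resource)}`;
  return {
    url,
    init: {
      method: 'GET',
      headers: { Authorization: `Bearer ${accessToken}`, Accept: 'application/json' },
    },
  };
}

// Maps a non-2xx Apigee status to an actionable message: 401/403 is almost
// always the missing cross-project IAM binding, not a bug in the client.
function explainApigeeStatus(status) {
  if (status === 401) return 'token rejected: is the service running as the expected runtime service account?';
  if (status === 403) return 'permission denied: grant the Project 1 runtime service account an Apigee role on Project 2';
  if (status === 404) return 'organization not found: the Apigee org name is the Project 2 project ID';
  return `Apigee API returned HTTP ${status}`;
}

let cachedToken = null;

// Fetches (and caches) an access token for the runtime service account from the
// metadata server. fetchImpl is injectable so the flow can be exercised off Cloud Run.
async function getAccessToken(fetchImpl = fetch) {
  if (cachedToken && Date.now() < cachedToken.expiresAtMs) return cachedToken.accessToken;
  const res = await fetchImpl(METADATA_TOKEN_URL, { headers: { 'Metadata-Flavor': 'Google' } });
  if (!res.ok) {
    throw new Error(`metadata server returned HTTP ${res.status}; is this running on Cloud Run?`);
  }
  cachedToken = parseTokenResponse(await res.json());
  return cachedToken.accessToken;
}

// Lists the API proxies in the Apigee organization that lives in Project 2.
async function listApigeeProxies(org, fetchImpl = fetch) {
  const token = await getAccessToken(fetchImpl);
  const { url, init } = buildApigeeRequest(org, token, 'apis');
  const res = await fetchImpl(url, init);
  if (!res.ok) throw new Error(explainApigeeStatus(res.status));
  return res.json();
}

// Usage on Cloud Run: APIGEE_ORG=project-2 node apigee-client.js (placeholder names).
if (process.env.APIGEE_ORG) {
  listApigeeProxies(process.env.APIGEE_ORG)
    .then((body) => console.log(JSON.stringify(body, null, 2)))
    .catch((err) => { console.error(err.message); process.exitCode = 1; });
}
```

The token request carries the `Metadata-Flavor: Google` header, which the metadata server requires, and the result is cached until shortly before expiry so each Apigee call does not hit the metadata server again. A 403 from the Apigee endpoint means the binding on Project 2 is missing or too narrow for the resource requested, while a failure to reach metadata.google.internal means the code is not running on Cloud Run.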

Hi @DamianS,
Do you have any specific documentation on how we can create a Workload Identity Pool for a Cloud Run service running in Google Cloud?

I got stuck while creating the WIF.


Check this doc: https://cloud.google.com/iam/docs/tutorial-cloud-run-workload-id-federation

For the issuer, try using: https://accounts.google.com