1#!/bin/bash
2
3# Copyright 2021 Google LLC
4#
5# Redistribution and use in source and binary forms, with or without
6# modification, are permitted provided that the following conditions are
7# met:
8#
9#    * Redistributions of source code must retain the above copyright
10# notice, this list of conditions and the following disclaimer.
11#    * Redistributions in binary form must reproduce the above
12# copyright notice, this list of conditions and the following disclaimer
13# in the documentation and/or other materials provided with the
14# distribution.
15#    * Neither the name of Google LLC nor the names of its
16# contributors may be used to endorse or promote products derived from
17# this software without specific prior written permission.
18#
19# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
20# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
21# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
22# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
23# OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
24# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
25# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
26# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
27# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
28# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
29# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
30
31# This script is used to generate the project configurations needed to
32# end-to-end test workload identity pools in the Auth library, specifically
# OIDC-based credentials and AWS credentials. This script only needs to be run once.
34#
35# In order to run this script, the GOOGLE_APPLICATION_CREDENTIALS environment
36# variable needs to be set to point to a service account key file.
37# Additional fields must be provided in this file.
38# Detailed instructions are documented below.
39#
40# GCP project changes:
41# --------------------
42# The following IAM roles need to be set on the service account:
43# 1. IAM Workload Identity Pool Admin (needed to create resources for workload
44#    identity pools).
45# 2. Security Admin (needed to get and set IAM policies).
46# 3. Service Account Token Creator (needed to generate Google ID tokens and
47#    access tokens).
48#
49# The following APIs need to be enabled on the project:
50# 1. Identity and Access Management (IAM) API.
51# 2. IAM Service Account Credentials API.
52# 3. Cloud Resource Manager API.
53# 4. The API being accessed in the test, eg. DNS.
54#
55# AWS developer account changes:
56# ------------------------------
57# For testing AWS credentials, the following are needed:
58# 1. An AWS developer account is needed. The account ID will need to
59#    be provided in the configuration object below.
60# 2. A role for web identity federation. This will also need to be provided
61#    in the configuration object below.
62#    - An OIDC Google identity provider needs to be created with the following:
63#      issuer: accounts.google.com
64#      audience: Use the client_id of the service account.
65#    - A role for OIDC web identity federation is needed with the created
66#      Google provider as a trusted entity:
67#      "accounts.google.com:aud": "$CLIENT_ID"
68#    The role creation steps are documented at:
69#    https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-idp_oidc.html
70#
71# This script needs to be run once. It will do the following:
72# 1. Create a random workload identity pool.
# 2. Create a random OIDC provider in that pool which uses accounts.google.com
#    as its issuer.
74# 3. Enable OIDC tokens generated by the current service account to impersonate
75#    the service account. (Identified by the OIDC token sub field which is the
76#    service account client ID).
77# 4. Create a random AWS provider in that pool which uses the provided AWS
78#    account ID.
79# 5. Enable AWS provider to impersonate the service account. (Principal is
80#    identified by the AWS role name).
81# 6. Print out the STS audience fields associated with the created providers
82#    and AWS role name/arn after the setup completes successfully so that
83#    they can be used in the tests.
84#
85# The same service account used for this setup script should be used for
86# the test script.
87#
88# It is safe to run the setup script again. A new pool is created and new
89# audiences are printed. If run multiple times, it is advisable to delete
90# unused pools. Note that deleted pools are soft deleted and may remain for
91# a while before they are completely deleted. The old pool ID cannot be used
92# in the meantime.
93
# Random lowercase/digit suffix shared by every resource ID this run creates;
# starts empty and is filled in by generate_random_string below.
suffix=
95
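#######################################
# Append random lowercase-alphanumeric characters to the global `suffix`.
# Globals:   suffix (appended to, never reset: a second call lengthens it)
# Arguments: $1 - number of characters to append (optional, default 8)
# Returns:   0
# Note: $RANDOM is not a cryptographic source; that is fine here because the
# suffix only makes resource IDs distinguishable, it is not a secret.
#######################################
generate_random_string() {
  local -r valid_chars=abcdefghijklmnopqrstuvwxyz0123456789
  local -r length="${1:-8}"
  local i idx
  # Loop counter is local so it no longer leaks into the global scope.
  for (( i = 0; i < length; i++ )); do
    idx=$(( RANDOM % ${#valid_chars} ))
    suffix+="${valid_chars:idx:1}"
  done
}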
102
# Draw one random suffix and derive every resource ID from it, so the pool and
# both providers created by this run can be recognised as belonging together.
generate_random_string

pool_id="pool-${suffix}"
oidc_provider_id="oidc-${suffix}"
aws_provider_id="aws-${suffix}"
108
# Fill in before running. None of these values is a secret, but every one of
# them ends up in a gcloud argument or an IAM member string below.
project_id=''             # GCP project ID
project_number=''         # numeric project number, used in the IAM resource names
aws_account_id=''         # AWS developer account that owns the federation role
aws_role_name=''          # AWS role used for OIDC web identity federation
service_account_email=''  # service account the providers are allowed to impersonate
sub=''                    # client_id from the service account key file
116
#######################################
# Build the STS audience for one provider of this run's pool.
# Globals:   project_number, pool_id (read)
# Arguments: $1 - provider ID inside the pool
# Outputs:   the audience string on stdout, no trailing newline
#######################################
provider_audience() {
  printf '%s' "//iam.googleapis.com/projects/${project_number}/locations/global/workloadIdentityPools/${pool_id}/providers/$1"
}

oidc_aud=$(provider_audience "${oidc_provider_id}")
aws_aud=$(provider_audience "${aws_provider_id}")
119
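# Refuse to start if any "Fill in" field above is still blank. Otherwise
# `gcloud config set project ""` would leave whatever project is currently
# active in the user's gcloud configuration as the target of every call below,
# and an empty ${sub} or ${aws_role_name} would yield a malformed member in
# the IAM bindings.
: "${project_id:?fill in project_id}"
: "${project_number:?fill in project_number}"
: "${aws_account_id:?fill in aws_account_id}"
: "${aws_role_name:?fill in aws_role_name}"
: "${service_account_email:?fill in service_account_email}"
: "${sub:?fill in sub (client_id of the service account)}"

# NOTE: this changes the active project in the caller's persistent gcloud
# configuration, not only for the duration of this script.
gcloud config set project "${project_id}" || exit 1

# Create the Workload Identity Pool. Every step below exits on failure so a
# later step never runs against a pool or provider that was not created.
gcloud beta iam workload-identity-pools create "${pool_id}" \
    --location="global" \
    --description="Test pool" \
    --display-name="Test pool for Java" || exit 1

# Create the OIDC Provider. Only the token's `sub` claim is mapped, which is
# what the principal:// binding below keys on.
gcloud beta iam workload-identity-pools providers create-oidc "${oidc_provider_id}" \
    --workload-identity-pool="${pool_id}" \
    --issuer-uri="https://accounts.google.com" \
    --location="global" \
    --attribute-mapping="google.subject=assertion.sub" || exit 1

# Create the AWS Provider, restricted to the configured AWS account.
gcloud beta iam workload-identity-pools providers create-aws "${aws_provider_id}" \
    --workload-identity-pool="${pool_id}" \
    --account-id="${aws_account_id}" \
    --location="global" || exit 1

# Give permission to impersonate the service account.
# principal:// names exactly one subject (the service account's client ID), so
# only OIDC tokens issued for that subject can impersonate.
gcloud iam service-accounts add-iam-policy-binding "${service_account_email}" \
  --role roles/iam.workloadIdentityUser \
  --member "principal://iam.googleapis.com/projects/${project_number}/locations/global/workloadIdentityPools/${pool_id}/subject/${sub}" || exit 1

# principalSet:// on attribute.aws_role matches every identity whose mapped
# aws_role attribute equals this assumed-role ARN, i.e. (as far as the
# provider's default mapping goes) any session of that role in the account --
# broader than the single-subject OIDC binding above.
gcloud iam service-accounts add-iam-policy-binding "${service_account_email}" \
  --role roles/iam.workloadIdentityUser \
  --member "principalSet://iam.googleapis.com/projects/${project_number}/locations/global/workloadIdentityPools/${pool_id}/attribute.aws_role/arn:aws:sts::${aws_account_id}:assumed-role/${aws_role_name}" || exit 1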
149
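#######################################
# Print the values the tests need, in the same four-line format as before
# (no space after the first three "...:" labels).
# Globals:   oidc_aud, aws_aud, aws_account_id, aws_role_name (read)
# Outputs:   four lines on stdout
# Returns:   0
#######################################
print_summary() {
  # Values go in as printf arguments rather than as unquoted echo words, so a
  # value containing whitespace or glob characters is printed verbatim instead
  # of being word-split or globbed.
  printf 'OIDC audience:%s\n' "${oidc_aud}"
  printf 'AWS audience:%s\n' "${aws_aud}"
  printf 'AWS role name:%s\n' "${aws_role_name}"
  printf 'AWS role ARN: arn:aws:iam::%s:role/%s\n' "${aws_account_id}" "${aws_role_name}"
}

print_summary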
154