#!/bin/bash
# Copyright 2021 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#      http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# This file is a mostly common setup file to ensure all workload identity
# federation integration tests are set up in a consistent fashion across the
# languages in our various client libraries. It assumes that the current user
# has the relevant permissions to run each of the commands listed.

# This script needs to be run once. It will do the following:
# 1. Create a random workload identity pool.
# 2. Create a random OIDC provider in that pool which uses
#    accounts.google.com as the issuer and the default STS audience as the
#    allowed audience. This audience will be validated on STS token exchange.
# 3. Enable OIDC tokens generated by the current service account to impersonate
#    the service account. (Identified by the OIDC token sub field which is the
#    service account client ID).
# 4. Create a random AWS provider in that pool which uses the provided AWS
#    account ID.
# 5. Enable AWS provider to impersonate the service account. (Principal is
#    identified by the AWS role name).
# 6. Print out the STS audience fields associated with the created providers
#    after the setup completes successfully so that they can be used in the
#    tests. These will be copied and used as the global _AUDIENCE_OIDC and
#    _AUDIENCE_AWS constants in system_tests/system_tests_sync/test_external_accounts.py.
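#
# It is safe to run the setup script again. A new pool is created and new
# audiences are printed. If run multiple times, it is advisable to delete
# unused pools. Note that deleted pools are soft deleted and may remain for
# a while before they are completely deleted. The old pool ID cannot be used
# in the meantime.
#
# For AWS tests, an AWS developer account is needed.
# The following AWS prerequisite setup is needed.
# 1. An OIDC Google identity provider needs to be created with the following:
#    issuer: accounts.google.com
#    audience: Use the client_id of the service account.
# 2. A role for OIDC web identity federation is needed with the created Google
#    provider as a trusted entity:
#    "accounts.google.com:aud": "$CLIENT_ID"
#    The steps are documented at:
#    https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-idp_oidc.html

# Stop at the first failing command: the IAM bindings and the printed
# audiences further down must not be produced for a pool or provider that
# was never actually created.
set -euo pipefail

# Random suffix shared by the pool and provider IDs created by this run.
suffix=""

#######################################
# Append 8 random characters from [a-z0-9] to the global `suffix`.
# $RANDOM only has to avoid name collisions between runs; the suffix is a
# resource name, not a secret.
# Globals:   suffix (appended to, not reset; repeated calls accumulate)
# Arguments: none
# Returns:   0
#######################################
generate_random_string() {
  local -r valid_chars=abcdefghijklmnopqrstuvwxyz0123456789
  local i
  for i in {1..8}; do
    suffix+="${valid_chars:RANDOM%${#valid_chars}:1}"
  done
}

generate_random_string

pool_id="pool-${suffix}"
oidc_provider_id="oidc-${suffix}"
aws_provider_id="aws-${suffix}"

# TODO: Fill in.
# `sub` is the OIDC subject the OIDC impersonation binding is keyed on (the
# service account's client ID, see the header comment).
readonly project_id="stellar-day-254222"
readonly project_number="79992041559"
readonly aws_account_id="077071391996"
readonly aws_role_name="ci-python-test"
readonly service_account_email="[email protected]"
readonly sub="104692443208068386138"

# STS audiences of the two providers; printed at the end for use in the tests.
oidc_aud="//iam.googleapis.com/projects/${project_number}/locations/global/workloadIdentityPools/${pool_id}/providers/${oidc_provider_id}"
aws_aud="//iam.googleapis.com/projects/${project_number}/locations/global/workloadIdentityPools/${pool_id}/providers/${aws_provider_id}"

# NOTE: this writes the project into the active gcloud configuration, so it
# outlives this script.
gcloud config set project "${project_id}"

# Create the Workload Identity Pool.
gcloud beta iam workload-identity-pools create "${pool_id}" \
  --location="global" \
  --description="Test pool" \
  --display-name="Test pool for Python"

# Create the OIDC Provider.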
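# Each step below exits on failure so that impersonation bindings are never
# added, and audiences never printed, for a provider that does not exist.
gcloud beta iam workload-identity-pools providers create-oidc "${oidc_provider_id}" \
  --workload-identity-pool="${pool_id}" \
  --issuer-uri="https://accounts.google.com" \
  --location="global" \
  --attribute-mapping="google.subject=assertion.sub" || exit 1

# Create the AWS Provider.
gcloud beta iam workload-identity-pools providers create-aws "${aws_provider_id}" \
  --workload-identity-pool="${pool_id}" \
  --account-id="${aws_account_id}" \
  --location="global" || exit 1

# Give permission to impersonate the service account.
# The OIDC grant targets a single identity (principal://, keyed on the mapped
# google.subject == $sub). The AWS grant targets a principal set
# (principalSet://): every federated identity whose aws_role attribute equals
# this assumed-role ARN, i.e. any session that assumed $aws_role_name in
# account $aws_account_id, not one specific caller.
oidc_member="principal://iam.googleapis.com/projects/${project_number}/locations/global/workloadIdentityPools/${pool_id}/subject/${sub}"
aws_member="principalSet://iam.googleapis.com/projects/${project_number}/locations/global/workloadIdentityPools/${pool_id}/attribute.aws_role/arn:aws:sts::${aws_account_id}:assumed-role/${aws_role_name}"

gcloud iam service-accounts add-iam-policy-binding "${service_account_email}" \
  --role roles/iam.workloadIdentityUser \
  --member "${oidc_member}" || exit 1

gcloud iam service-accounts add-iam-policy-binding "${service_account_email}" \
  --role roles/iam.workloadIdentityUser \
  --member "${aws_member}" || exit 1

# Print the values the tests need (see the header comment for where they go).
printf '%s\n' "OIDC audience: ${oidc_aud}"
printf '%s\n' "AWS audience: ${aws_aud}"
printf '%s\n' "AWS role: arn:aws:iam::${aws_account_id}:role/${aws_role_name}"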