sparse-apartment-71989
02/19/2024, 3:43 PM
red-match-15116
02/19/2024, 7:00 PM
sparse-apartment-71989
02/19/2024, 8:00 PM
gcp:
  oidc:
    identity-pool: $project-id-pool
    service-acct: $project-$stack-svc-acct
    roles: [owner]
Then, let Pulumi spin up an identity pool and service account with the specified role(s). I know that's easier said than done. :-)
red-match-15116
02/19/2024, 11:03 PM
red-match-15116
02/19/2024, 11:03 PM
sparse-apartment-71989
02/19/2024, 11:12 PM
salmon-account-74572
02/20/2024, 8:13 PM
sparse-apartment-71989
02/20/2024, 8:47 PM
pulumi env init myOrg/dev --oidc=google
Then, a guided workflow would take over:
Identity pool name (myorg-dev-pool-id):
Service account name: (myorg-dev-svc-account):
Service account roles: (owner):
Include IAC subject (n/Y):
This would then do all the resource provisioning behind the scenes using security api key credentials, or a Google cloud console web login temporary token, or whatever. (I'm not sure about this part.)
If an existing resource name is given then the user can be asked if they want to modify it or replace it.
I'm not trying to solution this in Slack, just trying to set the right level of abstraction for this OIDC setup activity.
salmon-account-74572
02/20/2024, 9:21 PM
sparse-apartment-71989
02/20/2024, 9:28 PM
salmon-account-74572
02/20/2024, 9:33 PM