Skip to content

docs(google-cloud): add Workload Identity Federation authentication#1637

Draft
MichaelTansiniSeqera wants to merge 3 commits into
masterfrom
google-cloud-wif
Draft

docs(google-cloud): add Workload Identity Federation authentication#1637
MichaelTansiniSeqera wants to merge 3 commits into
masterfrom
google-cloud-wif

Conversation

@MichaelTansiniSeqera

Copy link
Copy Markdown
Contributor

Summary

  • Adds a new Authentication methods section to the Google Cloud CE page (platform-cloud/docs/compute-envs/google-cloud.md) covering both service account keys and Workload Identity Federation
  • WIF section is fully standalone — no need to cross-reference the Google Cloud Batch page
  • Adds a security caution on the broad blast radius of roles/resourcemanager.projectIamAdmin and roles/iam.serviceAccountAdmin

Changes

New: Security caution in Service account permissions

Calls out that projectIamAdmin and serviceAccountAdmin are broad on shared projects, with an advanced hardening tip for scoping serviceAccountAdmin to towerforge-* via IAM conditions.

New: Authentication methods section

Service account keys — brief JSON key creation steps.

Workload Identity Federation — full standalone setup including:

  1. Enable APIs — lists the five WIF-required APIs (cloudresourcemanager, iam, iamcredentials, logging, sts) plus a note on base APIs
  2. Set up WIF in the GCP Console — 5 core steps (pool/provider, OIDC issuer, allowed audiences, attribute mapping, workloadIdentityUser binding with both wildcard and per-workspace forms) plus optional step 6 for Data Explorer (serviceAccountTokenCreator via gcloud)
  3. Configure WIF credentials in Seqera — service account email, provider resource path, optional token audience; runtime troubleshooting caution

Sources

Verification

All items from the Confluence source checked against the draft:

  • ✅ All Cloud CE-specific APIs documented
  • ✅ All Cloud CE-specific IAM roles already present; security caution added
  • ✅ SA-level WIF bindings (workloadIdentityUser, serviceAccountTokenCreator) documented
  • ✅ Data Explorer optional step with exact gcloud command and error string
  • ✅ Three credential fields in Seqera documented
  • ✅ Runtime troubleshooting caution included

🤖 Generated with Claude Code

Add Authentication methods section to the Google Cloud CE page covering
both service account keys (brief) and a full standalone WIF setup. WIF
section includes API enablement, the 5-step GCP Console setup, optional
Data Explorer serviceAccountTokenCreator step, and credential fields
needed in Seqera Platform. Adds security caution on broad IAM roles.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@netlify

netlify Bot commented Jul 7, 2026

Copy link
Copy Markdown

Deploy Preview for seqera-docs ready!

Name Link
🔨 Latest commit 424b038
🔍 Latest deploy log https://app.netlify.com/projects/seqera-docs/deploys/6a4dcdb4bac9fd00084b905f
😎 Deploy Preview https://deploy-preview-1637--seqera-docs.netlify.app
📱 Preview on mobile
Toggle QR Code...

QR Code

Use your smartphone camera to open QR code link.

To edit notification comments on pull requests, go to your Netlify project configuration.

@jonmarti

jonmarti commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

LGTM!

You've covered all the Cloud-CE extras we identified, and the exact error phrase for signBlob is a nice touch for anyone Googling the failure. Two small things you might want to add, but neither is blocking:

  • The security caution is spot-on for shared GCP projects, but for a dedicated project the risk is basically nil. Maybe soften it with a "on shared projects, …" opener so readers with a dedicated project don't over-worry?

  • Could you link to the Data Explorer docs from the serviceAccountTokenCreator step? Would help anyone unfamiliar with where pre-signed URLs come into play.

MichaelTansiniSeqera and others added 2 commits July 7, 2026 17:11
- Scope security caution to shared GCP projects so dedicated-project
  users don't over-read the risk
- Link 'Data Explorer' in the serviceAccountTokenCreator step to the
  Data Explorer docs page

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants