#!/usr/bin/env bash

# Copyright 2022 The Sigstore Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# Idempotent script.
#
# Commands are based on the Google blog post
# https://cloud.google.com/blog/products/identity-security/enabling-keyless-authentication-from-github-actions
#
# One addition is the attribute.repository=assertion.repository mapping.
# This allows the binding to be pinned to a given repo.

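set -o errexit
set -o nounset
set -o pipefail
# verbose + xtrace print every command with its expanded arguments; nothing in
# this script is secret, so the trace is safe to keep in CI logs.
set -o verbose
set -o xtrace

# Target project and the identity objects this script converges on.
# readonly so a later typo cannot silently redirect a binding to another
# project, pool or repository.
readonly PROJECT_ID="projectsigstore"
# Numeric project id; used in the principalSet:// member of the WIF binding.
readonly PROJECT_NUMBER="498091336538"
readonly POOL_NAME="githubactions"
readonly PROVIDER_NAME="sigstore-cosign"
readonly LOCATION="global"
# The only GitHub repository whose workflows may impersonate the service account.
readonly REPO="sigstore/cosign"
readonly SERVICE_ACCOUNT_ID="github-actions-cosign"
readonly SERVICE_ACCOUNT="${SERVICE_ACCOUNT_ID}@${PROJECT_ID}.iam.gserviceaccount.com"
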
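# Create workload identity pool if not present.
# The existence check is pinned to PROJECT_ID exactly like the create below;
# without --project, `describe` consults the caller's default gcloud project and
# can answer for the wrong project, breaking the idempotency this script relies on.
if ! gcloud iam workload-identity-pools describe "${POOL_NAME}" \
  --project="${PROJECT_ID}" \
  --location="${LOCATION}"; then
  gcloud iam workload-identity-pools create "${POOL_NAME}" \
    --project="${PROJECT_ID}" \
    --location="${LOCATION}" \
    --display-name="Github Actions Pool"
fi
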
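# Create workload identity provider if not present.
# Any GitHub repository can obtain a token from this issuer, so the provider
# itself is restricted to REPO with an attribute condition; the IAM binding on
# attribute.repository further down is then a second gate rather than the only one.
# The condition is applied only when the provider is first created; an existing
# provider is left untouched by this script.
if ! gcloud iam workload-identity-pools providers describe "${PROVIDER_NAME}" \
  --project="${PROJECT_ID}" \
  --location="${LOCATION}" \
  --workload-identity-pool="${POOL_NAME}"; then
  gcloud iam workload-identity-pools providers create-oidc "${PROVIDER_NAME}" \
    --project="${PROJECT_ID}" \
    --location="${LOCATION}" \
    --workload-identity-pool="${POOL_NAME}" \
    --display-name="Github Actions Provider Cosign" \
    --attribute-mapping="google.subject=assertion.sub,attribute.actor=assertion.actor,attribute.aud=assertion.aud,attribute.repository=assertion.repository" \
    --attribute-condition="assertion.repository == '${REPO}'" \
    --issuer-uri="https://token.actions.githubusercontent.com"
fi
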
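# Create service account if not present.
# Both the check and the create are pinned to PROJECT_ID so the account is
# looked up and created in the same project regardless of the caller's gcloud
# default; the account id is quoted like every other expansion in this script.
if ! gcloud iam service-accounts describe "${SERVICE_ACCOUNT}" \
  --project="${PROJECT_ID}"; then
  gcloud iam service-accounts create "${SERVICE_ACCOUNT_ID}" \
    --project="${PROJECT_ID}" \
    --description="Service account for Github Actions Cosign" \
    --display-name="Github Actions Cosign"
fi
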
# Adding binding is idempotent.
# Lets workflows of REPO (selected through the attribute.repository claim the
# provider maps) impersonate the service account.
gcloud iam service-accounts add-iam-policy-binding "${SERVICE_ACCOUNT}" \
  --project="${PROJECT_ID}" \
  --role="roles/iam.workloadIdentityUser" \
  --member="principalSet://iam.googleapis.com/projects/${PROJECT_NUMBER}/locations/${LOCATION}/workloadIdentityPools/${POOL_NAME}/attribute.repository/${REPO}"

# Adding a binding is idempotent, so both project roles are granted every run.
#   roles/cloudbuild.builds.editor        - used for kicking off cloud build.
#   roles/serviceusage.serviceUsageConsumer - permission needed to run `gcloud builds`
#     https://cloud.google.com/build/docs/securing-builds/configure-access-to-resources#granting_permissions_to_run_gcloud_commands
for role in roles/cloudbuild.builds.editor roles/serviceusage.serviceUsageConsumer; do
  gcloud projects add-iam-policy-binding "${PROJECT_ID}" \
    --project="${PROJECT_ID}" \
    --role="${role}" \
    --member="serviceAccount:${SERVICE_ACCOUNT}"
done