1#!/bin/bash
2# Copyright 2021 Google LLC.
3# Use of this source code is governed by a BSD-style
4# license that can be found in the LICENSE file.
5
6# This file is a mostly common setup file to ensure all BYOID integration tests
7# are set up in a consistent fashion.
8# It assumes that the current user has the relevant permissions to run each of
9# the commands listed.
10
# Shared random suffix for every test resource name; generate_random_string
# appends to it.
suffix=''
12
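#######################################
# Appends 8 random characters drawn from [a-z0-9] to the global 'suffix'.
# Calling it twice therefore yields a 16-character suffix.
# Globals:   suffix (appended to), RANDOM (read)
# Arguments: none
# Outputs:   none
# Returns:   0
#######################################
function generate_random_string () {
  local -r valid_chars=abcdefghijklmnopqrstuvwxyz0123456789
  local i  # keep the loop counter out of the global namespace
  # RANDOM is adequate here: the suffix only de-duplicates test resource
  # names, it is not a secret.
  for i in {1..8}; do
    suffix+="${valid_chars:RANDOM%${#valid_chars}:1}"
  done
}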
19
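# Every resource created below shares one random suffix.
generate_random_string

pool_id="pool-$suffix"
oidc_provider_id="oidc-$suffix"
aws_provider_id="aws-$suffix"

# Fill in. All of these are required: ${VAR:?} aborts here, before any gcloud
# call, so no pool, provider or IAM binding is created with an empty name
# component.
project_id=${GCLOUD_TESTS_GOLANG_PROJECT_ID:?must be set}
project_number=${GCLOUD_TESTS_GOLANG_PROJECT_NUMBER:?must be set}
aws_account_id=${GCLOUD_TESTS_GOLANG_AWS_ACCOUNT_ID:?must be set}
aws_role_name=${GCLOUD_TESTS_GOLANG_AWS_ROLE_NAME:?must be set}
service_account_email=${GCLOUD_TESTS_GOLANG_SERVICE_ACCOUNT_EMAIL:?must be set}
# Used as the subject of the principal:// member granted below.
sub=${GCLOUD_TESTS_GOLANG_SERVICE_ACCOUNT_CLIENT_ID:?must be set}

# Audience strings naming the two providers; printed at the end of the script.
oidc_aud="//iam.googleapis.com/projects/$project_number/locations/global/workloadIdentityPools/$pool_id/providers/$oidc_provider_id"
aws_aud="//iam.googleapis.com/projects/$project_number/locations/global/workloadIdentityPools/$pool_id/providers/$aws_provider_id"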
36
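# Point gcloud at the test project; every command below relies on it, so stop
# on failure. (If this file is sourced rather than executed, 'exit' ends the
# calling shell as well.)
gcloud config set project "${project_id:?project_id must be set}" || exit 1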
38
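# Create the Workload Identity Pool. The providers and IAM bindings that
# follow all reference this pool, so there is no point continuing if it fails.
gcloud beta iam workload-identity-pools create "${pool_id:?}" \
  --location="global" \
  --description="Test pool" \
  --display-name="Test pool for Go" || exit 1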
44
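# Create the OIDC Provider. google.subject is taken from the token's 'sub'
# claim, which is the value the principal:// binding below matches against.
gcloud beta iam workload-identity-pools providers create-oidc "${oidc_provider_id:?}" \
  --workload-identity-pool="${pool_id:?}" \
  --issuer-uri="https://accounts.google.com" \
  --location="global" \
  --attribute-mapping="google.subject=assertion.sub" || exit 1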
51
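# Create the AWS Provider, scoped to a single AWS account. An empty account id
# is refused here rather than handed to gcloud.
gcloud beta iam workload-identity-pools providers create-aws "${aws_provider_id:?}" \
  --workload-identity-pool="${pool_id:?}" \
  --account-id="${aws_account_id:?aws_account_id must be set}" \
  --location="global" || exit 1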
57
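# Give permission to impersonate the service account to one OIDC subject.
# Every component of the member is guarded with ${VAR:?}: a binding must never
# be created with a missing project number, pool id or subject.
gcloud iam service-accounts add-iam-policy-binding "${service_account_email:?service_account_email must be set}" \
  --role roles/iam.workloadIdentityUser \
  --member "principal://iam.googleapis.com/projects/${project_number:?}/locations/global/workloadIdentityPools/${pool_id:?}/subject/${sub:?}" || exit 1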
62
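# Grant the same role to the principalSet of identities that assumed the named
# IAM role in the configured AWS account. The account id and role name are
# guarded with ${VAR:?} so an empty value cannot widen the set being granted.
gcloud iam service-accounts add-iam-policy-binding "${service_account_email:?service_account_email must be set}" \
  --role roles/iam.workloadIdentityUser \
  --member "principalSet://iam.googleapis.com/projects/${project_number:?}/locations/global/workloadIdentityPools/${pool_id:?}/attribute.aws_role/arn:aws:sts::${aws_account_id:?}:assumed-role/${aws_role_name:?}" || exit 1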
66
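# Report the provider audiences to the caller. printf with a fixed format
# prints the values verbatim, whatever characters they contain.
printf 'OIDC audience: %s\n' "$oidc_aud"
printf 'AWS audience: %s\n' "$aws_aud"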