info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments
---
# Configure OpenID Connect with GCP Workload Identity Federation
WARNING:
The `CI_JOB_JWT_V2` variable is under development [(alpha)](../../../policy/alpha-beta-support.md#alpha-features) and is not yet suitable for production use.
This tutorial demonstrates authenticating to Google Cloud from a GitLab CI/CD job
using a JSON Web Token (JWT) token and Workload Identity Federation. This configuration
generates on-demand, short-lived credentials without needing to store any secrets.
To get started, configure OpenID Connect (OIDC) for identity federation between GitLab
and Google Cloud. For more information on using OIDC with GitLab, read
[Connect to cloud services](../index.md).
This tutorial assumes you have a Google Cloud account and a Google Cloud project.
Your account must have at least the **Workload Identity Pool Admin** permission
on the Google Cloud project.
To complete this tutorial:
1. [Create the Google Cloud Workload Identity Pool](#create-the-google-cloud-workload-identity-pool).
1. [Create a Workload Identity Provider](#create-a-workload-identity-provider).
1. [Grant permissions for service account impersonation](#grant-permissions-for-service-account-impersonation).
1. [Retrieve a temporary credential](#retrieve-a-temporary-credential).
## Create the Google Cloud Workload Identity Pool
[Create a new Google Cloud Workload Identity Pool](https://cloud.google.com/iam/docs/configuring-workload-identity-federation#oidc) with the following options:
- **Name**: Human-friendly name for the Workload Identity Pool, such as `GitLab`.
- **Pool ID**: Unique ID in the Google Cloud project for the Workload Identity Pool,
such as `gitlab`. This value is used to refer to the pool. and appears in URLs.
- **Description**: Optional. A description of the pool.
- **Enabled Pool**: Ensure this option is `true`.
We recommend creating a single _pool_ per GitLab installation per Google Cloud project. If you have multiple GitLab repositories and CI/CD jobs on the same GitLab instance, they can authenticate using different _providers_ against the same _pool_.
## Create a Workload Identity Provider
[Create a new Google Cloud Workload Identity Provider](https://cloud.google.com/iam/docs/configuring-workload-identity-federation#create_the_workload_identity_pool_and_provider)
inside the Workload Identity Pool created in the previous step, using the following options:
- **Provider type**: OpenID Connect (OIDC).
- **Provider name**: Human-friendly name for the Workload Identity Provider,
such as `gitlab/gitlab`.
- **Provider ID**: Unique ID in the pool for the Workload Identity Provider,
such as `gitlab-gitlab`. This value is used to refer to the provider, and appears in URLs.
- **Audiences**: Manually set the allowed audiences list to the address of your
GitLab instance, such as `https://gitlab.com` or `https://gitlab.example.com`.
- The address must use the `https://` protocol.
- The address must not end in a trailing slash.
- **Provider attributes mapping**: Create the following mappings, where `attribute.X` is the
name of the attribute you would like to be present on Google's claims, and `assertion.X`
is the value to extract from the [GitLab claim](../index.md#how-it-works):
| Attribute (on Google) | Assertion (from GitLab) |
| --- | --- |
| `google.subject` | `assertion.sub` |
| `attribute.X` | `assertion.X` |
You can also [build complex attributes](https://cloud.google.com/iam/help/workload-identity/attribute-mapping)
using Common Expression Language (CEL).
You must map every attribute that you want to use for permission granting. For example, if you want to map permissions in the next step based on the user's email address, you must map `attribute.user_email` to `assertion.user_email`.
## Grant permissions for Service Account impersonation
Creating the Workload Identity Pool and Workload Identity Provider defines the _authentication_
into Google Cloud. At this point, you can authenticate from GitLab CI/CD job into Google Cloud.
However, you have no permissions on Google Cloud (_authorization_).
To grant your GitLab CI/CD job permissions on Google Cloud, you must:
1. [Create a Google Cloud Service Account](https://www.google.com/search?q=google+cloud+create+service+account).
You can use whatever name and ID you prefer.
1. [Grant IAM permissions](https://cloud.google.com/iam/docs/granting-changing-revoking-access) to your
service account on Google Cloud resources. These permissions vary significantly based on
your use case. In general, grant this service account the permissions on your Google Cloud
project and resources you want your GitLab CI/CD job to be able to use. For example, if you needed to upload a file to a Google Cloud Storage bucket in your GitLab CI/CD job, you would grant this Service Account the `roles/storage.objectCreator` role on your Cloud Storage bucket.
1. [Grant the external identity permissions](https://cloud.google.com/iam/docs/using-workload-identity-federation#impersonate)
to impersonate that Service Account. This step enables a GitLab CI/CD job to _authorize_
to Google Cloud, via Service Account impersonation. This step grants an IAM permission
_on the Service Account itself_, giving the external identity permissions to act as that
service account. External identities are expressed using the `principalSet://` protocol.
Much like the previous step, this step depends heavily on your desired configuration.
For example, to allow a GitLab CI/CD job to impersonate a Service Account named
`my-service-account` if the GitLab CI/CD job was initiated by a GitLab user with the
username `chris`, you would grant the `roles/iam.workloadIdentityUser` IAM role to the
external identity on `my-service-account`. The external identity takes the format: