If your architecture is using multiple services, you likely require credentials to enable communication between services. Cloud Build provides built-in support for the OpenID Connect (OIDC) standard for secure authentication and authorization between services.
You can use Cloud Build to generate ID tokens. With these tokens, you can call secure endpoints from within Cloud Build.
For example, if you are running a serverless platform application like Cloud Run functions, Cloud Run, or App Engine, you can securely interact with your application from within Cloud Build workloads.
Before you begin
-
Enable the Cloud Build and IAM APIs.
If you plan to use this account to create short-lived credentials, then you also need to enable the IAM Service Account Credentials API.
To use the command-line examples in this guide, install and configure the Google Cloud CLI.
Make sure you've created the service account you want to use. You must create the account in the same Google Cloud project where you're running builds.
Required IAM permissions
Your user-specified service account must have the
iam.serviceAccounts.getOpenIdToken permission.
- Grant the Service Account OpenID Connect Identity Token Creator (
roles/iam.serviceAccountOpenIdTokenCreator) role to your user-specified service account in the project where you created the service account.
For instructions on granting IAM roles to a service account, see Manage access to service accounts.
Methods for obtaining an ID token
There are two ways to configure your build steps to obtain ID tokens:
- use the gcloud CLI
- send a direct request to the metadata server
Get an ID token via gcloud
In this section, the following code snippet demonstrates how to use the gcloud CLI to obtain ID tokens:
YAML
steps:
- name: 'gcr.io/cloud-builders/gcloud'
script: 'gcloud auth print-identity-token --audiences ${_TOKEN_AUDIENCE} > /workspace/identity_token.txt'
env:
- _TOKEN_AUDIENCE=${_TOKEN_AUDIENCE}
service_account: '$_SERVICE_ACCOUNT'
substitutions:
_TOKEN_AUDIENCE: 'TOKEN_AUDIENCE'
_SERVICE_ACCOUNT_ID: 'SERVICE_ACCOUNT_ID'
_SERVICE_ACCOUNT: 'projects/${PROJECT_ID}/serviceAccounts/${_SERVICE_ACCOUNT_ID}'
logsBucket: 'LOGS_BUCKET_LOCATION'
options:
logging: GCS_ONLY
dynamic_substitutions: true
JSON
{
"steps": [
{
"name": "gcr.io/cloud-builders/gcloud",
"script": "gcloud auth print-identity-token --audiences ${_TOKEN_AUDIENCE} > /workspace/identity_token.txt"
"env": [
"_TOKEN_AUDIENCE=${_TOKEN_AUDIENCE}"
]
}
],
"service_account": "$_SERVICE_ACCOUNT",
"substitutions": {
"_TOKEN_AUDIENCE": "TOKEN_AUDIENCE",
"_SERVICE_ACCOUNT_ID": "SERVICE_ACCOUNT_ID",
"_SERVICE_ACCOUNT": "projects/${PROJECT_ID}/serviceAccounts/${_SERVICE_ACCOUNT_ID}"
},
"logsBucket": "LOGS_BUCKET_LOCATION",
"options": {
"logging": "GCS_ONLY",
"dynamic_substitutions": true
}
}
Replace the following:
TOKEN_AUDIENCEis the URL or target audience to obtain the ID token for, such ashttp://www.example.com.SERVICE_ACCOUNT_IDis the email address or unique ID for the user-specified service account. For example,service-account-name@project-id.iam.gserviceaccount.com.LOGS_BUCKET_LOCATIONis the Cloud Storage bucket to store build logs. For example,gs://mylogsbucket.
Send a direct request to the metadata server
In this section, the following code snippet demonstrates how to make a direct request to the metadata server to obtain ID tokens:
YAML
steps:
- name: 'gcr.io/cloud-builders/curl'
id: 'printTokenFromCurl'
script: |
curl -H 'Metadata-Flavor: Google' http://metadata/computeMetadata/v1/instance/service-accounts/default/identity?audience=${_TOKEN_AUDIENCE} -o /workspace/identity_token.txt
env:
- _TOKEN_AUDIENCE=${_TOKEN_AUDIENCE}
service_account: '$_SERVICE_ACCOUNT'
substitutions:
_TOKEN_AUDIENCE: 'TOKEN_AUDIENCE'
_SERVICE_ACCOUNT_ID: 'SERVICE_ACCOUNT_ID'
_SERVICE_ACCOUNT: 'projects/${PROJECT_ID}/serviceAccounts/${_SERVICE_ACCOUNT_ID}'
logsBucket: 'LOGS_BUCKET_LOCATION'
options:
logging: GCS_ONLY
dynamic_substitutions: true
JSON
{
"steps": [
{
"name": "gcr.io/cloud-builders/curl",
"id": "printTokenFromCurl"
"script": "curl -H 'Metadata-Flavor: Google' http://metadata/computeMetadata/v1/instance/service-accounts/default/identity?audience=${_TOKEN_AUDIENCE} -o /workspace/identity_token.txt"
"env":
"_TOKEN_AUDIENCE=${_TOKEN_AUDIENCE}"
}
],
"service_account": "$_SERVICE_ACCOUNT",
"substitutions": {
"_TOKEN_AUDIENCE": "TOKEN_AUDIENCE",
"_SERVICE_ACCOUNT_ID": "SERVICE_ACCOUNT_ID",
"_SERVICE_ACCOUNT": "projects/${PROJECT_ID}/serviceAccounts/${_SERVICE_ACCOUNT_ID}"
},
"logsBucket": "LOGS_BUCKET_LOCATION",
"options": {
"logging": "GCS_ONLY",
"dynamic_substitutions": true
}
}
Replace the following:
TOKEN_AUDIENCEis the URL or target audience to obtain the ID token for, such ashttp://www.example.com.SERVICE_ACCOUNT_IDis the email address or unique ID for the user-specified service account. For example,service-account-name@project-id.iam.gserviceaccount.com.LOGS_BUCKET_LOCATIONis the Cloud Storage bucket to store build logs. For example,gs://mylogsbucket.
For additional instructions on generating and using ID tokens in your workloads, see Methods for getting an ID token.