:_mod-docs-content-type: ASSEMBLY [id="cco-mode-gcp-workload-identity"] = Using manual mode with GCP Workload Identity include::_attributes/common-attributes.adoc[] :context: cco-mode-gcp-workload-identity toc::[] Manual mode with GCP Workload Identity is supported for Google Cloud Platform (GCP). [NOTE] ==== This credentials strategy is supported for only new {product-title} clusters and must be configured during installation. You cannot reconfigure an existing cluster that uses a different credentials strategy to use this feature. ==== [id="gcp-workload-identity-mode-about_{context}"] == About manual mode with GCP Workload Identity In manual mode with GCP Workload Identity, the individual {product-title} cluster components can impersonate IAM service accounts using short-term, limited-privilege credentials. Requests for new and refreshed credentials are automated by using an appropriately configured OpenID Connect (OIDC) identity provider, combined with IAM service accounts. {product-title} signs service account tokens that are trusted by GCP, and can be projected into a pod and used for authentication. Tokens are refreshed after one hour by default. .Workload Identity authentication flow image::347_OpenShift_credentials_with_STS_updates_0623_GCP.png[Detailed authentication flow between GCP and the cluster when using GCP Workload Identity] Using manual mode with GCP Workload Identity changes the content of the GCP credentials that are provided to individual {product-title} components. .GCP secret format [source,yaml] ---- apiVersion: v1 kind: Secret metadata: namespace: <1> name: <2> data: service_account.json: <3> ---- <1> The namespace for the component. <2> The name of the component secret. <3> The Base64 encoded service account. .Content of the Base64 encoded `service_account.json` file using long-lived credentials [source,json] ---- { "type": "service_account", <1> "project_id": "", "private_key_id": "", "private_key": "", <2> "client_email": "", "client_id": "", "auth_uri": "https://accounts.google.com/o/oauth2/auth", "token_uri": "https://oauth2.googleapis.com/token", "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs", "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/" } ---- <1> The credential type is `service_account`. <2> The private RSA key that is used to authenticate to GCP. This key must be kept secure and is not rotated. .Content of the Base64 encoded `service_account.json` file using GCP Workload Identity [source,json] ---- { "type": "external_account", <1> "audience": "//iam.googleapis.com/projects/123456789/locations/global/workloadIdentityPools/test-pool/providers/test-provider", <2> "subject_token_type": "urn:ietf:params:oauth:token-type:jwt", "token_url": "https://sts.googleapis.com/v1/token", "service_account_impersonation_url": "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/:generateAccessToken", <3> "credential_source": { "file": "", <4> "format": { "type": "text" } } } ---- <1> The credential type is `external_account`. <2> The target audience is the GCP Workload Identity provider. <3> The resource URL of the service account that can be impersonated with these credentials. <4> The path to the service account token inside the pod. By convention, this is `/var/run/secrets/openshift/serviceaccount/token` for {product-title} components. //Supertask: Installing an OCP cluster configured for manual mode with GCP Workload Identity [id="gcp-workload-identity-mode-installing"] == Installing an {product-title} cluster configured for manual mode with GCP Workload Identity To install a cluster that is configured to use the Cloud Credential Operator (CCO) in manual mode with GCP Workload Identity: . xref:../../authentication/managing_cloud_provider_credentials/cco-mode-gcp-workload-identity.adoc#cco-ccoctl-configuring_cco-mode-gcp-workload-identity[Configure the Cloud Credential Operator utility]. . xref:../../authentication/managing_cloud_provider_credentials/cco-mode-gcp-workload-identity.adoc#cco-ccoctl-creating-at-once_cco-mode-gcp-workload-identity[Create the required GCP resources]. . xref:../../authentication/managing_cloud_provider_credentials/cco-mode-gcp-workload-identity.adoc#sts-mode-installing-manual-run-installer_cco-mode-gcp-workload-identity[Run the {product-title} installer]. . xref:../../authentication/managing_cloud_provider_credentials/cco-mode-gcp-workload-identity.adoc#sts-mode-installing-verifying_cco-mode-gcp-workload-identity[Verify that the cluster is using short-lived credentials]. [NOTE] ==== Because the cluster is operating in manual mode when using GCP Workload Identity, it is not able to create new credentials for components with the permissions that they require. When upgrading to a different minor version of {product-title}, there are often new GCP permission requirements. Before upgrading a cluster that is using GCP Workload Identity, the cluster administrator must manually ensure that the GCP permissions are sufficient for existing components and available to any new components. ==== [role="_additional-resources"] .Additional resources * xref:../../updating/preparing_for_updates/preparing-manual-creds-update.adoc#cco-ccoctl-configuring_preparing-manual-creds-update[Configuring the Cloud Credential Operator utility for a cluster update] //Task part 1: Configuring the Cloud Credential Operator utility include::modules/cco-ccoctl-configuring.adoc[leveloffset=+2] //Task part 2: Creating the required GCP resources all at once include::modules/cco-ccoctl-creating-at-once.adoc[leveloffset=+2] //Task part 3: Run the OCP installer include::modules/sts-mode-installing-manual-run-installer.adoc[leveloffset=+2] //Task part 4: Verify that the cluster is using short-lived credentials include::modules/sts-mode-installing-verifying.adoc[leveloffset=+2] [role="_additional-resources"] [id="additional-resources_{context}"] == Additional resources * xref:../../updating/preparing_for_updates/preparing-manual-creds-update.adoc#preparing-manual-creds-update[Preparing to update a cluster with manually maintained credentials]