feat: GCP get-well [COMP-793]#1316

Open
justinegeffen wants to merge 29 commits into enterprise-26.1-documentation from justine-gcp-get-well

Conversation

@justinegeffen
Contributor

@justinegeffen justinegeffen commented Apr 16, 2026

@netlify

netlify Bot commented Apr 16, 2026

Deploy Preview for seqera-docs ready!

Latest commit: 118e550
Latest deploy log: https://app.netlify.com/projects/seqera-docs/deploys/69e0c254d12e5a00089abbc9
Deploy Preview: https://deploy-preview-1316--seqera-docs.netlify.app

@justinegeffen justinegeffen added do not merge Do not merge until this label is removed draft/WIP enterprise-26.1 labels Apr 16, 2026
@justinegeffen justinegeffen changed the base branch from master to enterprise-26.1-documentation April 16, 2026 11:05
Comment thread platform-enterprise_docs/compute-envs/google-cloud-batch.md Outdated
@MichaelTansiniSeqera MichaelTansiniSeqera (Contributor) left a comment

The main thing that is missing here is the additional env var required to configure Platform when WIF is required. The user needs to:

  1. Generate and mount a PEM keypair

     openssl genrsa -out private.pem 4096
     openssl rsa -in private.pem -outform PEM -pubout -out public.pem
     cat private.pem public.pem > oidc.pem

     Then set:
     TOWER_OIDC_PEM_PATH=/path/to/oidc.pem

  2. Configure GCP to trust Platform as an OIDC issuer

     In your GCP WIF pool, set the issuer URL to:
     https://{your-platform-domain}/api

@jonmarti can we add this to the example setup yml?

Comment thread platform-enterprise_docs/compute-envs/google-cloud-batch.md Outdated
Comment thread platform-enterprise_docs/compute-envs/google-cloud-batch.md Outdated
Added OIDC PEM path configuration details.

Signed-off-by: Justine Geffen <justinegeffen@users.noreply.github.com>
Comment thread platform-enterprise_docs/compute-envs/google-cloud-batch.md Outdated
@justinegeffen justinegeffen added 1. Editor review Needs a language review 1. Dev/PM/SME Needs a review by a Dev/PM/SME labels Apr 23, 2026
@christopher-hakkaart christopher-hakkaart (Member) left a comment

I think the links should be updated/checked. I've made some suggestions to remove the em dashes. Otherwise looking good.

Comment thread platform-enterprise_docs/compute-envs/google-cloud-batch.md Outdated
justinegeffen and others added 3 commits April 27, 2026 22:17
Comment thread platform-enterprise_docs/compute-envs/google-cloud-batch.md Outdated
justinegeffen and others added 8 commits April 27, 2026 22:33
@christopher-hakkaart christopher-hakkaart (Member) left a comment

Editorially, this looks good 👍

I can't speak to the accuracy of the content changed.

Comment thread platform-enterprise_docs/compute-envs/google-cloud-batch.md
Comment thread platform-enterprise_docs/compute-envs/google-cloud-batch.md Outdated
@jonmarti jonmarti (Contributor) commented May 3, 2026

> The main thing that is missing here is the additional env var required to configure Platform when WIF is required. The user needs to:
>
>   1. Generate and mount a PEM keypair
>
>      openssl genrsa -out private.pem 4096
>      openssl rsa -in private.pem -outform PEM -pubout -out public.pem
>      cat private.pem public.pem > oidc.pem
>
>      Then set:
>      TOWER_OIDC_PEM_PATH=/path/to/oidc.pem
>
>   2. Configure GCP to trust Platform as an OIDC issuer
>
>      In your GCP WIF pool, set the issuer URL to:
>      https://{your-platform-domain}/api
>
> @jonmarti can we add this to the example setup yml?

A few things worth clarifying before we finalize:

  1. TOWER_OIDC_PEM_PATH is not a new variable. It was introduced for Data Studios OIDC (Dec 2023) and reused for GCP WIF, so the same RSA key gates both features. Enterprise deployments that already have Data Studios OIDC configured are reusing the same key and don't need to generate a new one. Worth calling that out in the docs.

  2. The issuer URL is ${TOWER_SERVER_URL}/api for all deployments, not just Cloud. In the GCP WIF provider, set the issuer to https://{your-platform-domain}/api regardless of whether it's Cloud or Enterprise. The discovery endpoints are at /api/.well-known/openid-configuration and /api/.well-known/jwks.json, and both must be publicly reachable from GCP STS.

@MichaelTansiniSeqera, yes, we can add TOWER_OIDC_PEM_PATH to the YAML with a note that it serves both Data Studios OIDC and GCP WIF.
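The key bundle and issuer URL from the two comments above (MichaelTansiniSeqera's setup steps and jonmarti's clarification of the issuer and discovery endpoints), as an added example that is not part of this PR, of Seqera Platform, or of its docs: a POSIX shell script that generates oidc.pem exactly as the comment describes, then checks that the PUBLIC KEY block in the bundle really belongs to the private key and is 4096 bits, and checks a fetched openid-configuration document against the `${TOWER_SERVER_URL}/api` issuer that the WIF provider is pointed at. The host `platform.example.com`, the temporary work directory, and the sample JSON document are constructed for illustration; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the PR or Seqera): build and verify the oidc.pem bundle
# and the OIDC issuer/discovery URLs before wiring Platform to a GCP WIF provider.
set -eu

# Generate the RSA keypair as the comment describes and concatenate the private
# and public PEM blocks into one file, private block first. $1 is a work directory.
make_oidc_pem() {
  dir="$1"
  openssl genrsa -out "$dir/private.pem" 4096 2>/dev/null
  openssl rsa -in "$dir/private.pem" -outform PEM -pubout -out "$dir/public.pem" 2>/dev/null
  cat "$dir/private.pem" "$dir/public.pem" > "$dir/oidc.pem"
  chmod 600 "$dir/private.pem" "$dir/oidc.pem"   # the bundle contains the private key
  printf '%s\n' "$dir/oidc.pem"
}

# Return 0 when the bundle holds a readable private key, a PUBLIC KEY block that
# matches it, and a modulus of at least 4096 bits; otherwise print why and return 1.
check_oidc_pem() {
  pem="$1"
  derived=$(openssl rsa -in "$pem" -pubout 2>/dev/null) || {
    echo "no readable private key in $pem"; return 1; }
  stored=$(sed -n '/-----BEGIN PUBLIC KEY-----/,/-----END PUBLIC KEY-----/p' "$pem")
  [ -n "$stored" ] || { echo "no PUBLIC KEY block in $pem"; return 1; }
  [ "$derived" = "$stored" ] || {
    echo "public key in $pem does not belong to the private key"; return 1; }
  modhex=$(openssl rsa -in "$pem" -noout -modulus 2>/dev/null | sed 's/^Modulus=//')
  bits=$(( ${#modhex} * 4 ))   # hex digits of the modulus -> bit length
  [ "$bits" -ge 4096 ] || { echo "key is only $bits bits"; return 1; }
  return 0
}

# URLs derived from TOWER_SERVER_URL ($1, trailing slash tolerated): the issuer the
# WIF provider must be given, and the two discovery endpoints GCP STS will fetch.
oidc_issuer()    { printf '%s/api\n' "${1%/}"; }
oidc_discovery() { printf '%s/api/.well-known/openid-configuration\n' "${1%/}"; }
oidc_jwks()      { printf '%s/api/.well-known/jwks.json\n' "${1%/}"; }

# Check an openid-configuration document (JSON on stdin) against the server URL
# in $1: its "issuer" and "jwks_uri" must be exactly what the WIF provider expects.
check_discovery_doc() {
  server="$1"
  doc=$(cat)
  issuer=$(printf '%s\n' "$doc" | sed -n 's/.*"issuer"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p')
  jwks=$(printf '%s\n' "$doc" | sed -n 's/.*"jwks_uri"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p')
  [ "$issuer" = "$(oidc_issuer "$server")" ] || { echo "issuer mismatch: '$issuer'"; return 1; }
  [ "$jwks" = "$(oidc_jwks "$server")" ] || { echo "jwks_uri mismatch: '$jwks'"; return 1; }
  return 0
}

main() {
  work=$(mktemp -d)
  pem=$(make_oidc_pem "$work")
  check_oidc_pem "$pem" && echo "ok: $pem is a consistent 4096-bit bundle"
  # Constructed sample: what the discovery endpoint of a deployment at
  # https://platform.example.com (example host) should return.
  printf '%s\n' '{"issuer":"https://platform.example.com/api","jwks_uri":"https://platform.example.com/api/.well-known/jwks.json"}' \
    | check_discovery_doc "https://platform.example.com" && echo "ok: discovery document matches"
  rm -rf "$work"
}

main
```

The script needs `openssl` on PATH. In a live deployment, replace the constructed JSON with `curl -s "$(oidc_discovery "$TOWER_SERVER_URL")" | check_discovery_doc "$TOWER_SERVER_URL"`, run from a host outside your network, since jonmarti notes that both discovery endpoints must be reachable from GCP STS; the bundle check catches the common mistake of pasting a public key from a different keypair, which would make every token Platform signs fail JWKS verification on the GCP side.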


* **Service Account Email**: The email address of the Google Cloud service account that WIF will impersonate.
* **Workload Identity Provider**: The full resource path of the Workload Identity Provider (e.g., `projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/providers/PROVIDER_ID`).
* **Token Audience** (optional): The intended audience for the OIDC token. Configure this if your Workload Identity Provider requires a specific audience value.
Contributor

@MichaelTansiniSeqera the comment is anchored to the Token Audience bullet but your proposed text is about user roles. I think the comment may have landed on the wrong line during review. Did you mean to comment on the User permissions list above (roles/batch.jobsEditor, roles/iam.serviceAccountUser, roles/iam.serviceAccountViewer)?

If that's the case, +1 on framing it as "minimum set of roles required"; making that intent explicit in the doc would help admins justify the list to their security teams.

The Token Audience description as written is accurate. It's an optional field that's only needed when the WIF provider was created with a custom allowed audience; by default, Platform derives the audience from the provider path, so most setups can leave it blank. We could optionally tighten the wording to make the "leave blank unless..." default explicit, but no factual change needed.

justinegeffen and others added 4 commits May 4, 2026 20:21
updated with spot reclamation settings

@MichaelTansiniSeqera MichaelTansiniSeqera (Contributor) left a comment

I've updated this with a section to show on Enterprise what a user needs to do in the GCP Console to set up WIF for integration with Seqera.

Labels

1. Dev/PM/SME Needs a review by a Dev/PM/SME 1. Editor review Needs a language review do not merge Do not merge until this label is removed draft/WIP enterprise-26.1

5 participants