diff --git a/platform-cloud/docs/compute-envs/google-cloud-batch.md b/platform-cloud/docs/compute-envs/google-cloud-batch.md index 55bb9f856..a36cf5780 100644 --- a/platform-cloud/docs/compute-envs/google-cloud-batch.md +++ b/platform-cloud/docs/compute-envs/google-cloud-batch.md @@ -75,14 +75,20 @@ Ask your Google Cloud administrator to grant you the following IAM user permissi - Service Account User (`roles/iam.serviceAccountUser`) on the job's service account (default: Compute Engine service account) - View Service Accounts (`roles/iam.serviceAccountViewer`) on the project -To configure a credential in Seqera, you must first create a [service account JSON key file][get-json]: +#### Authentication methods + +Seqera supports two methods for authenticating with Google Cloud: + +**Service account keys** + +To authenticate using a service account key, create a [service account JSON key file](https://cloud.google.com/iam/docs/keys-list-get#get-key): 1. In the Google Cloud navigation menu, select **IAM & Admin > Service Accounts**. 2. Select the email address of the service account. - :::note - The Compute Engine default service account is not recommended for production environments due to its powerful permissions. To use a service account other than the Compute Engine default, specify the service account email address under **Advanced options** on the Seqera compute environment creation form. - ::: + :::note + The Compute Engine default service account is not recommended for production environments due to its powerful permissions. To use a service account other than the Compute Engine default, specify the service account email address under **Advanced options** on the Seqera compute environment creation form. + ::: 3. Select **Keys > Add key > Create new key**. 4. Select **JSON** as the key type. 
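Review bot: In the new **Service account keys** subsection, the downloaded JSON key is introduced without any caveat that it is a long-lived credential, while the hunk that follows states WIF "eliminates the need for long-lived service account keys"; since this hunk now opens with "Seqera supports two methods", add one sentence here saying that keys are the fallback and that WIF is the recommended method for production, so readers who stop at the first method see the recommendation. Two smaller points in the same hunk: the `[get-json]` reference link is replaced by an inline URL, so check that the `[get-json]:` definition elsewhere in the file is removed rather than left orphaned (and that the file does not now mix reference-style and inline links); and the re-indented `:::note` block is a whitespace-only change that would be easier to review as a separate commit.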
@@ -92,6 +98,34 @@ A JSON file is downloaded to your computer. This file contains the credential ne You can manage your key from the **Service Accounts** page. +**Workload Identity Federation** + +Workload Identity Federation (WIF) is the recommended authentication method for production and regulated environments because it eliminates the need for long-lived service account keys. WIF uses short-lived OIDC tokens for authentication, which are generated by Seqera Platform. + +This requires the following steps in the GCP Console: + +1. Create a [Workload Identity Pool and Provider](https://cloud.google.com/iam/docs/workload-identity-federation-with-other-providers) in your Google Cloud project. +2. Set Seqera as an OIDC provider within the pool. Set the Issuer URL to `https://cloud.seqera.io/api`. +3. Set the **Allowed audiences**. If left empty, GCP derives a default audience from the provider resource path in the format `//iam.googleapis.com/projects/{PROJECT}/locations/global/workloadIden + tityPools/{POOL}/providers/{PROVIDER}`. If you specify a custom value, it must match exactly what you enter in the Token audience field when creating the Google WIF credential in Seqera. +4. Define an attribute mapping and condition. At a minimum set `google.subject=assertion.sub`. This maps the subject claim from Seqera's JWT to GCP's identity space. For more information see [here](https://docs.cloud.google.com/iam/docs/workload-identity-federation-with-other-providers#mappings-and-conditions) +5. Grant `roles/iam.workloadIdentityUser` on the service account that WIF will impersonate to the Workload Identity Pool principal. This can be set for all pool identities or for a specific workspace. If you have not yet created a service account do so following the guidelines above. + +After setting up WIF in the GCP Console, you need the following information to create a credential in Seqera Platform: + +1. 
**Service Account Email**: The email address of the Google Cloud service account that WIF will impersonate. +2. **Workload Identity Provider**: The full resource path of the Workload Identity Provider (e.g., `projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/providers/PROVIDER_ID`). +3. **Token Audience** (optional): The intended audience for the OIDC token. Configure this if your Workload Identity Provider requires a specific audience value. Ensure this matches what you have configured in the **Allowed Audiences** value in the GCP console. + +:::caution +If WIF authentication fails at runtime, verify that: + +- The service account has the required roles (see [Service account permissions](#service-account-permissions)) +- The Workload Identity Pool principal has `roles/iam.workloadIdentityUser` on the service account +- The Issuer URL configured in the WIF provider matches Platform's URL +- The Token Audience in the credential (if set) matches the Allowed Audiences in the WIF provider +::: + ### Cloud Storage bucket Google Cloud Storage is a type of **object storage**. To access files and store the results for your pipelines, create a **Cloud bucket** that your Seqera service account can access.
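Review bot: Step 5 offers granting `roles/iam.workloadIdentityUser` to "all pool identities" while step 2 points the provider at the shared issuer `https://cloud.seqera.io/api`, and step 4 only requires `google.subject=assertion.sub` with no concrete attribute condition; with that combination the binding accepts any token that issuer signs, not just tokens for the reader's workspace. Make the per-workspace (specific principal) binding the documented default, and in step 4 spell out the attribute condition that scopes the provider to the reader's own workspace or organization (which claim to match, and an example expression) instead of leaving "condition" unspecified. Three documentation fixes in the same hunk: the default audience in step 3 is split mid-word across lines ("`workloadIden` / `tityPools`"), so join it into one line, `//iam.googleapis.com/projects/{PROJECT}/locations/global/workloadIdentityPools/{POOL}/providers/{PROVIDER}`; step 2 hard-codes the Issuer URL to `https://cloud.seqera.io/api` while the caution says it must match "Platform's URL", so state that Enterprise installations use their own Platform URL here; and step 4 ends without a period after the link, and "Allowed audiences" / "Allowed Audiences" / "Token audience" / "Token Audience" should use one spelling throughout so readers can match the GCP field names.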