docs(google-cloud): add Workload Identity Federation authentication#1637
docs(google-cloud): add Workload Identity Federation authentication#1637MichaelTansiniSeqera wants to merge 5 commits into
Conversation
Add Authentication methods section to the Google Cloud CE page covering both service account keys (brief) and a full standalone WIF setup. WIF section includes API enablement, the 5-step GCP Console setup, optional Data Explorer serviceAccountTokenCreator step, and credential fields needed in Seqera Platform. Adds security caution on broad IAM roles. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
✅ Deploy Preview for seqera-docs ready!
To edit notification comments on pull requests, go to your Netlify project configuration. |
|
LGTM! You've covered all the Cloud-CE extras we identified, and the exact error phrase for
|
- Scope security caution to shared GCP projects so dedicated-project users don't over-read the risk - Link 'Data Explorer' in the serviceAccountTokenCreator step to the Data Explorer docs page Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Signed-off-by: Justine Geffen <justinegeffen@users.noreply.github.com>
|
@MichaelTansiniSeqera, is this good to merge or are we waiting for a release? |
Summary
platform-cloud/docs/compute-envs/google-cloud.md) covering both service account keys and Workload Identity Federationroles/resourcemanager.projectIamAdminandroles/iam.serviceAccountAdminChanges
New: Security caution in Service account permissions
Calls out that
projectIamAdminandserviceAccountAdminare broad on shared projects, with an advanced hardening tip for scopingserviceAccountAdmintotowerforge-*via IAM conditions.New: Authentication methods section
Service account keys — brief JSON key creation steps.
Workload Identity Federation — full standalone setup including:
cloudresourcemanager,iam,iamcredentials,logging,sts) plus a note on base APIsworkloadIdentityUserbinding with both wildcard and per-workspace forms) plus optional step 6 for Data Explorer (serviceAccountTokenCreatorviagcloud)Sources
Verification
All items from the Confluence source checked against the draft:
workloadIdentityUser,serviceAccountTokenCreator) documented🤖 Generated with Claude Code