Listing 1: Provider per CLI erzeugen

gcloud iam workforce-pools providers create-oidc it-admin-power-bi-provider \
--workforce-pool=it-admin-pool \
--location=global \
--display-name=PowerBiProvider \
--issuer-uri=https://sts.windows.net/babcf8c6-dfac-4377-b0cd-c8c67d0184bb \
--client-id=https://analysis.windows.net/powerbi/connector/GoogleBigQuery \
--attribute-mapping=google.subject=assertion.sub \
--web-sso-response-type=id-token \
--web-sso-assertion-claims-behavior=only-id-token-claims \
--extra-attributes-issuer-uri=https://login.microsoftonline.com/babcf8c6-dfac-4377-b0cdc8c67d0184bb/v2.0 \
--extra-attributes-client-id=bcf964ba-9fe6-41a9-9d5b-13d903204790 \
--extra-attributes-client-secret-value=-ABCF \
--extra-attributes-type=azure-ad-groups-mail


Listing 2: Temporäres Token erzeugen

PAYLOAD="$(cat <EOF
{
"audience": "//iam.googleapis.com/projects/PROJECT_NUMBER/locations/global/
workloadIdentityPools/POOL_ID/providers/PROVIDER_ID",
"grantType": "urn:ietf:params:oauth:grant-type:token-exchange",
"requestedTokenType": "urn:ietf:params:oauth:token-type:access_token",
"scope": "https://www.googleapis.com/auth/cloud-platform",
"subjectTokenType": "urn:ietf:params:oauth:token-type:jwt",
"subjectToken": "${GITLAB_OIDC_TOKEN}"
}
EOF
)"
FEDERATED_TOKEN="$(curl --fail "https://sts.googleapis.com/v1/token" \
--header "Accept: application/json" \
--header "Content-Type: application/json" \
--data "${PAYLOAD}" \
| jq -r '.access_token'
)"


Listing 3: Token umwandeln

ACCESS_TOKEN="$(curl --fail "https://iamcredentials.googleapis.com/v1/projects/-/
serviceAccounts/SERVICE_ACCOUNT_EMAIL:
generateAccessToken" \
--header "Accept: application/json" \
--header "Content-Type: application/json" \
--header "Authorization: Bearer
FEDERATED_TOKEN" \
--data '{"scope": ["https://www.googleapis.com/auth/cloud-platform"]}' \
| jq -r '.accessToken'
)


Listing 4: gcloud-auth-Befehl ausführen

gcp-auth:
image: google/cloud-sdk:slim
extends: .id_tokens
script:
- echo ${GITLAB_OIDC_TOKEN} >
.ci_job_jwt_file
- gcloud iam workload-identity-pools
create-cred-config ${GCP_WORKLOAD_
IDENTITY_PROVIDER}
--service-account="${GCP_SERVICE_
ACCOUNT}"
--output-file=.gcp_temp_cred.json
--credential-sourcefile=.ci_job_jwt_file
- gcloud auth login --cred-file=`pwd`
/.gcp_temp_cred.json
- gcloud auth list