iac_modules/docs/gcp-oidc-setup.md
2024-11-09 21:09:53 +08:00

Configure OIDC login for GCP

This document outlines the steps to configure OpenID Connect (OIDC) login for Google Cloud Platform (GCP) using Auth0 by Okta as the identity provider. The mechanism is GCP Workload Identity Federation: an ID token issued by Auth0 is exchanged for short-lived GCP credentials for a service account, so no service account keys are created or distributed.

Prerequisites:

  • An Auth0 by Okta tenant configured as an OIDC provider, with an application whose client ID and ID tokens will be presented to GCP.
  • IAM permissions in the target GCP project to create Workload Identity Pools and providers and to edit service account IAM policies (for example, roles/iam.workloadIdentityPoolAdmin and roles/iam.serviceAccountAdmin).

Steps:

  1. Create a Workload Identity Pool:

    • Open the Google Cloud Console in the project that owns the service account you will impersonate.
    • Navigate to IAM & Admin > Workload Identity Federation.
    • Create a new Workload Identity Pool. Note the project number (not the project ID): pool and provider resource names are built from it.
  2. Configure OIDC Identity Provider:

    • Add a provider to the pool and choose OIDC as the identity provider type.
    • Enter the Auth0 Issuer URL: https://your-tenant-name.us.auth0.com/ (keep the trailing slash; it must match the iss claim in Auth0 tokens exactly).
    • Under allowed audiences, enter the Auth0 application's client ID. Auth0 ID tokens carry the client ID in aud; if no audience is listed, GCP expects the provider's own resource name and rejects the token.
    • Set the attribute mapping google.subject = assertion.sub so the Auth0 user ID becomes the principal identity GCP evaluates.
  3. Configure Service Account Binding:

    • Choose the service account that Auth0-authenticated users will impersonate.
    • On that service account, grant roles/iam.workloadIdentityUser to the pool principal: either a single mapped subject (principal://.../subject/SUBJECT) or, via a principalSet, every identity the pool admits. Prefer the narrower form.
    • Grant the service account only the IAM roles the workload needs. roles/storage.admin grants full control of every bucket in the project; for read access use roles/storage.objectViewer, scoped to the bucket where possible.
  4. Trust Policy Configuration:

    • The trust relationship consists of three values, which GCP stores on the provider as the issuer URI, the google.subject attribute mapping, and the allowed audiences:
      {
        "issuer": "https://your-tenant-name.us.auth0.com/",
        "subject": "user_id",
        "audiences": [
          "your-client-id"
        ]
      }
    • A token is accepted only if its iss equals the issuer, its aud contains a listed audience, and its signature verifies against the keys published at the issuer's discovery endpoint; the mapped subject must then match a member of the service account binding.

  5. Test Authentication:

    • Obtain an ID token from Auth0 for the application whose client ID is in the allowed audiences.
    • Exchange it at the Security Token Service (https://sts.googleapis.com/v1/token) for a federated access token, using the provider's full resource name as the audience.
    • Call generateAccessToken on the IAM Credentials API with the federated token to obtain a short-lived access token for the service account, then use it against a GCP API (for example, list a bucket) to confirm both the binding and the granted roles.
    • If STS rejects the token, compare its iss (including the trailing slash) and aud claims with the provider configuration; a mismatch there is the usual cause.
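The steps above as a script, added here as a worked example; it is not part of the original document or the iac_modules project. It runs the console steps as gcloud commands and then performs the full test flow the last step only names (Auth0 ID token to STS federated token to service account token to a storage API call). PROJECT_ID, PROJECT_NUMBER, POOL_ID, PROVIDER_ID, SA_EMAIL, TEST_BUCKET and the AUTH0_* values are assumed placeholders.

```shell
#!/usr/bin/env bash
# Added example (not the project's own code). All names below are assumed placeholders.
set -eu

PROJECT_ID="${PROJECT_ID:-my-project}"
PROJECT_NUMBER="${PROJECT_NUMBER:-123456789012}"   # numeric project number, not the project ID
POOL_ID="${POOL_ID:-auth0-pool}"
PROVIDER_ID="${PROVIDER_ID:-auth0}"
SA_EMAIL="${SA_EMAIL:-oidc-sa@${PROJECT_ID}.iam.gserviceaccount.com}"
AUTH0_ISSUER="${AUTH0_ISSUER:-https://your-tenant-name.us.auth0.com/}"   # trailing slash matches iss
AUTH0_CLIENT_ID="${AUTH0_CLIENT_ID:-your-client-id}"

# Full resource name of the provider. It is also the "audience" value in the STS exchange.
provider_resource() {
  printf '//iam.googleapis.com/projects/%s/locations/global/workloadIdentityPools/%s/providers/%s' \
    "$1" "$2" "$3"
}

# IAM member string for one mapped subject (the Auth0 "sub" claim after google.subject mapping).
subject_principal() {
  printf 'principal://iam.googleapis.com/projects/%s/locations/global/workloadIdentityPools/%s/subject/%s' \
    "$1" "$2" "$3"
}

# JSON body for the RFC 8693 token exchange accepted by https://sts.googleapis.com/v1/token.
sts_request_body() {
  local audience="$1" id_token="$2"
  printf '{"audience":"%s",' "$audience"
  printf '"grantType":"urn:ietf:params:oauth:grant-type:token-exchange",'
  printf '"requestedTokenType":"urn:ietf:params:oauth:token-type:access_token",'
  printf '"scope":"https://www.googleapis.com/auth/cloud-platform",'
  printf '"subjectTokenType":"urn:ietf:params:oauth:token-type:jwt",'
  printf '"subjectToken":"%s"}' "$id_token"
}

# Steps 1-3: pool, OIDC provider pinned to the Auth0 issuer and client ID, service account binding.
setup() {
  local subject="${AUTH0_SUBJECT:?set AUTH0_SUBJECT to the Auth0 user sub, e.g. auth0|abc123}"
  gcloud iam workload-identity-pools create "$POOL_ID" \
    --project="$PROJECT_ID" --location=global --display-name="Auth0 users"
  gcloud iam workload-identity-pools providers create-oidc "$PROVIDER_ID" \
    --project="$PROJECT_ID" --location=global --workload-identity-pool="$POOL_ID" \
    --issuer-uri="$AUTH0_ISSUER" \
    --allowed-audiences="$AUTH0_CLIENT_ID" \
    --attribute-mapping="google.subject=assertion.sub"
  # Bind one subject rather than the whole pool, and grant only the impersonation role here;
  # data-plane roles (e.g. on a bucket) are granted to the service account separately.
  gcloud iam service-accounts add-iam-policy-binding "$SA_EMAIL" \
    --project="$PROJECT_ID" --role="roles/iam.workloadIdentityUser" \
    --member="$(subject_principal "$PROJECT_NUMBER" "$POOL_ID" "$subject")"
}

# Step 5: Auth0 ID token -> federated token (STS) -> service account token -> list a bucket.
test_auth() {
  local id_token="${AUTH0_ID_TOKEN:?set AUTH0_ID_TOKEN to an ID token issued by Auth0}"
  local bucket="${TEST_BUCKET:?set TEST_BUCKET to a bucket the service account may list}"
  local audience federated sa_token
  audience=$(provider_resource "$PROJECT_NUMBER" "$POOL_ID" "$PROVIDER_ID")
  federated=$(curl -sS -X POST https://sts.googleapis.com/v1/token \
    -H 'Content-Type: application/json' \
    -d "$(sts_request_body "$audience" "$id_token")" | jq -r '.access_token')
  sa_token=$(curl -sS -X POST \
    "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/${SA_EMAIL}:generateAccessToken" \
    -H "Authorization: Bearer ${federated}" -H 'Content-Type: application/json' \
    -d '{"scope":["https://www.googleapis.com/auth/cloud-platform"]}' | jq -r '.accessToken')
  # A 200 here proves the whole chain: issuer/audience trust, subject binding, and storage role.
  curl -sS "https://storage.googleapis.com/storage/v1/b/${bucket}/o?maxResults=5" \
    -H "Authorization: Bearer ${sa_token}"
}

case "${1:-}" in
  setup) setup ;;
  test)  test_auth ;;
esac
```

Run `AUTH0_SUBJECT='auth0|abc123' bash gcp-oidc-setup.sh setup` once, then `AUTH0_ID_TOKEN=... TEST_BUCKET=... bash gcp-oidc-setup.sh test` with a fresh ID token. For application code, the same exchange is done by the Google client libraries from a credential configuration file produced with `gcloud iam workload-identity-pools create-cred-config`, so the manual curl calls are only needed to diagnose trust problems.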