Google Cloud Platform
Copy the bash script below and run it in the Google Cloud Shell terminal. It creates a service account named sprinto-serviceaccount and grants it the Security Reviewer role, giving Sprinto the read-only access it needs to the API resources.
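#!/usr/bin/env bash
# Bootstraps Sprinto's read-only access to Google Cloud:
#   1. creates a Workload Identity Federation pool and an OIDC provider that
#      trusts the Okta issuer below,
#   2. creates the service account in $currentproject,
#   3. grants that account Compute Viewer and Security Reviewer on every project
#      in PROJECT_IDS and enables the APIs Sprinto reads there,
#   4. lets exactly one Okta user (OKTA_USER_SUB) impersonate the service account.
# Run it in Cloud Shell as a user who can administer IAM on the listed projects.
# The values below are examples from the guide; replace them with your own
# Okta org, client ID, user subject, project IDs and project number.
set -euo pipefail

WORKLOAD_IDENTITY_POOL="sprinto-wif-pool"
WORKLOAD_IDENTITY_PROVIDER="sprinto-wif-pool-provider"
SERVICE_ACCOUNT_NAME="sprinto-serviceaccount"
# Okta authorization-server issuer. The provider only accepts tokens from this
# URL, so it must be the bare https:// URL with no surrounding brackets.
ISSUER_URI="https://dev-38645452.okta.com/oauth2/default"
# Okta client ID that must appear in the token's aud claim.
ALLOWED_AUDIENCES="0oal5uhgk92pO42cY5d7"
# Comma-separated key=value list; no whitespace after the comma, otherwise the
# second key is parsed with a leading space.
ATTRIBUTE_MAPPING="google.subject=assertion.sub,attribute.username=assertion.preferred_username"
# Okta "sub" claim of the single user allowed to impersonate the service account.
OKTA_USER_SUB="00ul37olt68rdNOfX5d7"
# Every project Sprinto should be able to read.
PROJECT_IDS=("gcp-project12312" "gcp-project2212")
ROLE1="roles/compute.viewer"
ROLE2="roles/iam.securityReviewer"
# Project that hosts the pool, the provider and the service account.
currentproject="gcp-project12312"
# Numeric project number of $currentproject; it is part of the federated
# principal name. Check it with:
#   gcloud projects describe "$currentproject" --format='value(projectNumber)'
CURR_PROJECT_NUMBER="1212122"

: "${ISSUER_URI:?must be set}"
: "${ALLOWED_AUDIENCES:?must be set}"
: "${OKTA_USER_SUB:?must be set}"
: "${CURR_PROJECT_NUMBER:?must be set}"

# Full e-mail of the service account; every binding below refers to it.
SA_EMAIL="${SERVICE_ACCOUNT_NAME}@${currentproject}.iam.gserviceaccount.com"

# Creating Workload Identity Pool. --project pins every resource to
# $currentproject instead of whatever project the active gcloud config holds.
gcloud iam workload-identity-pools create "$WORKLOAD_IDENTITY_POOL" \
  --project="$currentproject" \
  --location="global" \
  --display-name="Sprinto GCP Identity Pool"

# Creating Workload Identity Provider. Any token from ISSUER_URI with the
# allowed audience can federate into the pool; what it may then do is limited
# by the per-subject workloadIdentityUser binding granted further down.
gcloud iam workload-identity-pools providers create-oidc "$WORKLOAD_IDENTITY_PROVIDER" \
  --project="$currentproject" \
  --workload-identity-pool="$WORKLOAD_IDENTITY_POOL" \
  --location="global" \
  --display-name="Sprinto GCP Provider" \
  --issuer-uri="$ISSUER_URI" \
  --allowed-audiences="$ALLOWED_AUDIENCES" \
  --attribute-mapping="$ATTRIBUTE_MAPPING"

# Creating Service Account
gcloud iam service-accounts create "$SERVICE_ACCOUNT_NAME" \
  --project="$currentproject" \
  --display-name="Sprinto GCP Service Account" \
  --description="Sprinto uses this to monitor production GCP resources."

# Adding Policy Binding for Workload Identity Federation. This is a binding on
# the service account itself, not on a project, so it is granted once rather
# than once per project. The member is a single subject, so only that Okta
# user can impersonate the account.
gcloud iam service-accounts add-iam-policy-binding "$SA_EMAIL" \
  --project="$currentproject" \
  --role="roles/iam.workloadIdentityUser" \
  --member="principal://iam.googleapis.com/projects/${CURR_PROJECT_NUMBER}/locations/global/workloadIdentityPools/${WORKLOAD_IDENTITY_POOL}/subject/${OKTA_USER_SUB}"

# Looping through each project: grant the read-only roles and enable the APIs.
for project_id in "${PROJECT_IDS[@]}"; do
  printf 'Processing Project: %s\n' "$project_id"

  # Assigning roles to service account
  for role in "$ROLE1" "$ROLE2"; do
    gcloud projects add-iam-policy-binding "$project_id" \
      --member="serviceAccount:${SA_EMAIL}" \
      --role="$role"
  done

  # Enabling services. --project is required here: without it gcloud enables
  # the APIs in the active config project on every iteration, and the other
  # projects in PROJECT_IDS never get them.
  gcloud services enable --project="$project_id" \
    cloudresourcemanager.googleapis.com \
    compute.googleapis.com \
    pubsub.googleapis.com \
    logging.googleapis.com \
    iam.googleapis.com \
    serviceusage.googleapis.com \
    spanner.googleapis.com \
    bigquery.googleapis.com \
    bigtable.googleapis.com \
    firebase.googleapis.com \
    datastore.googleapis.com \
    file.googleapis.com \
    sqladmin.googleapis.com \
    storage-component.googleapis.com \
    containerregistry.googleapis.com \
    cloudapis.googleapis.com \
    container.googleapis.com \
    servicemanagement.googleapis.com \
    stackdriver.googleapis.com
done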