Module does not work with WIF creds

[hitk6]

Hello,

We are using WIF (Workload Identity Federation ) to deploy GKE cluster from AWS environment. I have successfully completed the following:

• Create a WIF for an AWS role.
• Initialize terraform gcp provider with WIF credentials.
• Terraform is running and creating various resources in GCP like vpc, subnet, cluster.

The problem I am facing is:

• In my terraform I am using module (https://github.com/terraform-google-modules/terraform-google-gcloud/tree/master/modules/kubectl-wrapper). This is failing with the following error.

module.gke.module.gcloud_delete_default_kube_dns_configmap.module.gcloud_kubectl.null_resource.run_command[0] (local-exec): ERROR: (gcloud.container.clusters.get-credentials) Your current active account [email@mail.com] does not have any valid credentials.

Please guide me how to use WIF creds with this module.

Thank you

[morgante]

I don't have experience with Workload Identity Federation, but do you have an example of how you would be doing it on the command line (using gcloud) directly?

[angstwad]

This could occur if the gcloud is too old to support WIF. Support for WIF was added in googleapis/google-auth-library-python#698, and gcloud would need to pull it in. I believe once gcloud is updated, it should just work. I don't have WIF configured but I did just confirm that my install of gcloud (v 349.0.0) is using google-auth v 1.32.0 which would contain support. Can you update gcloud on the machine where Terraform is running the kubectl-wrapper module? The helper script in there shells out gcloud to obtain creds... if it's up to date, I believe it'll work.

[github-actions]

This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 7 days