platform-enterprise_docs/compute-envs/google-cloud-batch.md
20 additions & 6 deletions
@@ -102,18 +102,32 @@ You can manage your key from the **Service Accounts** page.
102
102
103
103
Workload Identity Federation (WIF) is the recommended authentication method for production and regulated environments because it eliminates the need for long-lived service account keys. WIF uses short-lived OIDC tokens for authentication, which are generated by Seqera Platform.
104
104
105
-
:::note
106
-
If you have not generated and set an RSA keypair as part of your Enterprise deployment, any authentication will fail with the message `WIF credentials require the OIDC provider to be configured (tower.oidc.pem.path)`.
107
-
:::
105
+
To authenticate using Workload Identity Federation, you must first configure a [Workload Identity Pool and Provider](https://cloud.google.com/iam/docs/workload-identity-federation-with-other-providers) in your Google Cloud project.
106
+
107
+
WIF requires an OIDC signng key and for Seqera Platform's OIDC provider to be configured. See [Cryptographic options](https://docs.seqera.io/platform-enterprise/enterprise/configuration/overview#cryptographic-options).
108
+
109
+
**Generate the OIDC signing key**
110
+
111
+
Generate a PEM keypair and configure Platform to use it:
108
112
109
-
To authenticate using Workload Identity Federation, you must first configure a [Workload Identity Pool and Provider](https://cloud.google.com/iam/docs/workload-identity-federation-with-other-providers) in your Google Cloud project. After setting up WIF in Google Cloud, you need the following information to create a credential in Seqera:
Set `TOWER_OIDC_PEM_PATH` to the path of the `oidc.pem` file in your Platform deployment. For example:
120
+
121
+
`TOWER_OIDC_PEM_PATH=/path/to/oidc.pem`.
122
+
123
+
If you have not generated and set an RSA keypair as part of your Enterprise deployment, any authentication will fail with the message `WIF credentials require the OIDC provider to be configured (tower.oidc.pem.path)`.
124
+
125
+
After setting up WIF in Google Cloud, you need the following information to create a credential in Seqera:
110
126
111
127
***Service Account Email**: The email address of the Google Cloud service account that WIF will impersonate.
112
128
***Workload Identity Provider**: The full resource path of the Workload Identity Provider (e.g., `projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/providers/PROVIDER_ID`).
113
129
***Token Audience** (optional): The intended audience for the OIDC token. Configure this if your Workload Identity Provider requires a specific audience value.
114
130
115
-
In the context of Seqera Platform, WIF is supported as a credential for GCP Batch, Google Cloud, and GKE.
116
-
117
131
:::caution
118
132
If WIF authentication fails, verify that the Workload Identity Provider path is correctly formatted, the service account has the required permissions, and the Kubernetes service account is properly annotated for your deployment environment. Check the Seqera Platform logs for specific error details — a `400` error typically indicates an invalid provider format, while a `401` error indicates a token exchange failure.
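Review bot: the added line "WIF requires an OIDC signng key and for Seqera Platform's OIDC provider to be configured" has a typo (signng -> signing) and an awkward coordination; suggest "WIF requires an OIDC signing key and Seqera Platform's OIDC provider to be configured." Two more points in the same hunk: the added example `TOWER_OIDC_PEM_PATH=/path/to/oidc.pem`. carries a stray period after the closing backtick, and the removed sentence "In the context of Seqera Platform, WIF is supported as a credential for GCP Batch, Google Cloud, and GKE." has no replacement, so the page no longer states which credential types accept WIF; if that removal is intentional, the scope should be stated elsewhere. Since `oidc.pem` is the private half of the RSA keypair that signs the short-lived OIDC tokens Platform presents to Google, the "Generate the OIDC signing key" step should also tell operators to restrict the file to the Platform process and handle it as a deployment secret (mounted, never committed), because anyone holding it can mint tokens that the Workload Identity Provider will exchange for the impersonated service account.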