Open
Community Note
- Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
- Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
- If you are interested in working on this issue or have submitted a pull request, please leave a comment. If the issue is assigned to the "modular-magician" user, it is either in the process of being autogenerated, or is planned to be autogenerated soon. If the issue is assigned to a user, that user is claiming responsibility for the issue. If the issue is assigned to "hashibot", a community member has claimed the issue already.
Description
Currently the only supported option for OIDC configuration is the issuer URI:

```hcl
resource "google_iam_workload_identity_pool_provider" "example" {
  workload_identity_pool_id          = google_iam_workload_identity_pool.pool.workload_identity_pool_id
  workload_identity_pool_provider_id = "example-prvdr"
  attribute_mapping = {
    "google.subject" = "assertion.sub"
  }
  oidc {
    issuer_uri = "https://sts.windows.net/azure-tenant-id"
  }
}
```
This works fine when you are connecting from a publicly accessible endpoint, since WIF will use OIDC discovery to obtain the JWKS keys.
Unfortunately many people will need to authenticate using WIF from internal firewalled systems that are not accessible from the public internet. In these cases, WIF simply doesn't work.
This is why many OIDC implementations support other configuration options so they can function in such situations:
- JWKS URL (precludes the need for OIDC discovery by providing the link to the JWKS public keys)
- JWKS JSON (precludes the need for any network activity at all by providing the JWKS public keys directly to the OIDC client for immediate validation)
New or Affected Resource(s)
- google_iam_workload_identity_pool_provider
Potential Terraform Configuration
```hcl
resource "google_iam_workload_identity_pool_provider" "example" {
  workload_identity_pool_id          = google_iam_workload_identity_pool.pool.workload_identity_pool_id
  workload_identity_pool_provider_id = "example-prvdr"
  attribute_mapping = {
    "google.subject" = "assertion.sub"
  }
  oidc {
    issuer_uri = "https://sts.windows.net/azure-tenant-id"
    jwks_uri   = "https://public.sts.windows.net/.well-known/jwks.json"
    jwks_json  = file("${path.module}/jwks.json")
  }
}
```
References
We have raised this with Google multiple times but have seen no effort given into providing a solution. We are hoping that the Terraform team can put pressure on Google to implement this feature.
b/299601100
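The three key-resolution modes the issue contrasts (OIDC discovery from `issuer_uri`, a direct `jwks_uri`, and inline JWKS JSON) as a small Go verifier, added here as an illustration. This is not code from the Google provider, from Workload Identity Federation, or from the issue author; the `KeySource` struct and its fields are invented to mirror the proposed `issuer_uri` / `jwks_uri` / `jwks_json` attributes, and `JWKSFor` / `SignRS256` stand in for the identity provider so the whole thing runs offline. The token verifier pins `alg` to RS256 and selects the key by `kid`, which is what any of the three modes has to do once it holds a key set.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"math/big"
	"net/http"
	"strings"
)

var b64 = base64.RawURLEncoding

type JWK struct{ Kty, Kid, N, E string } // RFC 7517 names; encoding/json matches them case-insensitively
type JWKS struct{ Keys []JWK }
type KeySource struct{ IssuerURI, JWKSURI, JWKSJSON string } // hypothetical mirror of the issue's three options

// fetchJSON is the only place the verifier touches the network.
func fetchJSON(c *http.Client, url string, v any) error {
	resp, err := c.Get(url)
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return errors.New(url + ": " + resp.Status)
	}
	return json.NewDecoder(resp.Body).Decode(v)
}

// Resolve does only the network access the chosen option needs: none, one GET, or discovery plus one GET.
func (s KeySource) Resolve(c *http.Client) (*JWKS, error) {
	set := new(JWKS)
	switch {
	case s.JWKSJSON != "":
		return set, json.Unmarshal([]byte(s.JWKSJSON), set)
	case s.JWKSURI != "":
		return set, fetchJSON(c, s.JWKSURI, set)
	case s.IssuerURI != "":
		var cfg struct{ JWKSURI string `json:"jwks_uri"` }
		if err := fetchJSON(c, strings.TrimSuffix(s.IssuerURI, "/")+"/.well-known/openid-configuration", &cfg); err != nil {
			return nil, err
		}
		if cfg.JWKSURI == "" {
			return nil, errors.New("discovery document has no jwks_uri")
		}
		return set, fetchJSON(c, cfg.JWKSURI, set)
	}
	return nil, errors.New("no key source configured")
}

// VerifyRS256 pins the algorithm (the token's own "alg" never selects the check) and returns the verified payload.
func VerifyRS256(token string, set *JWKS) ([]byte, error) {
	parts := strings.Split(token, ".") // always has at least one element, so parts[0] is safe
	var hdr struct{ Alg, Kid string }
	if raw, err := b64.DecodeString(parts[0]); len(parts) != 3 || err != nil || json.Unmarshal(raw, &hdr) != nil {
		return nil, errors.New("malformed token")
	}
	if hdr.Alg != "RS256" {
		return nil, errors.New("unsupported alg " + hdr.Alg)
	}
	var pub *rsa.PublicKey
	for _, k := range set.Keys {
		if k.Kid == hdr.Kid && k.Kty == "RSA" { // keys of other types are skipped on purpose
			n, _ := b64.DecodeString(k.N) // malformed parameters yield a key that verifies nothing
			e, _ := b64.DecodeString(k.E)
			pub = &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}
		}
	}
	if pub == nil {
		return nil, errors.New("no RSA key with kid " + hdr.Kid)
	}
	sig, _ := b64.DecodeString(parts[2]) // a malformed signature simply fails to verify
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return nil, errors.New("signature verification failed")
	}
	return b64.DecodeString(parts[1]) // only now are the claims worth reading
}

// JWKSFor and SignRS256 stand in for the identity provider so the example runs offline.
func JWKSFor(pub *rsa.PublicKey, kid string) string {
	doc, _ := json.Marshal(map[string]any{"keys": []map[string]string{{"kty": "RSA", "kid": kid,
		"n": b64.EncodeToString(pub.N.Bytes()), "e": b64.EncodeToString(big.NewInt(int64(pub.E)).Bytes())}}})
	return string(doc)
}

func SignRS256(priv *rsa.PrivateKey, kid string, claims map[string]any) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	body, _ := json.Marshal(claims)
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	return input + "." + b64.EncodeToString(sig), err
}
```

The string `JWKSFor` returns is exactly the document a `jwks_json` attribute would carry (or what you would save to the `jwks.json` referenced in the proposed configuration), and `KeySource{JWKSJSON: ...}.Resolve(nil)` succeeds with no HTTP client at all, which is the firewalled-issuer case the issue describes. The `issuer_uri` branch shows the two round trips discovery costs; a verifier behind a firewall fails at the first of them. Whatever mode supplies the keys, the check itself does not change: reject any `alg` other than the one configured, select the key by `kid`, and only decode the claims after the signature has been verified.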