# $VAULT_ROLE_ID and $VAULT_SECRET_ID defined as a secret CI/CD variable
# $VAULT_ROLE_ID and $VAULT_SECRET_ID defined as a secret CI/CD variable
```
```
### Google Cloud variant
This variant allows to use Python Google Clients. The variant follow the recommendation [Authenticate for using client libraries](https://cloud.google.com/docs/authentication/client-libraries) with [ADC](https://cloud.google.com/docs/authentication/application-default-credentials)
[Detailed article on internal OIDC impersonated with Workload Identify Federation](https://blog.salrashid.dev/articles/2021/understanding_workload_identity_federation/#oidc-impersonated)
List of requirements before using this variant for use Python Google Clients:
1. You must have a Workload Identity Federation Pool,
2. You must have a Service Account with enough permissions to run your python job.
3. Optional, you can define `GOOGLE_CLOUD_PROJECT` in template variable to define the default Google project
#### Configuration
The variant requires the additional configuration parameters:
| Input / Variable | Description | Default value |
"description":"The `aud` claim for the JWT token _(only required for [OIDC authentication](https://docs.gitlab.com/ee/ci/cloud_services/aws/))_",
"default":"$CI_SERVER_URL",
"advanced":true
},
{
"name":"GCP_OIDC_ACCOUNT",
"description":"Default Service Account to which impersonate with OpenID Connect authentication"
},
{
"name":"GCP_OIDC_PROVIDER",
"description":"Default Workload Identity Provider associated with GitLab to [authenticate with OpenID Connect](https://docs.gitlab.com/ee/ci/cloud_services/google_cloud/)"
description:The `aud` claim for the JWT token _(only required for [OIDC authentication](https://docs.gitlab.com/ee/ci/cloud_services/google_cloud/)))_
default:$CI_SERVER_URL
gcp-oidc-account:
description:Default Service Account to which impersonate with OpenID Connect authentication
default:''
gcp-oidc-provider:
description:Default Workload Identity Provider associated with GitLab to [authenticate with OpenID Connect](https://docs.gitlab.com/ee/ci/cloud_services/google_cloud/)
default:''
---
variables:
GCP_OIDC_AUD:$[[ inputs.gcp-oidc-aud ]]
GCP_OIDC_ACCOUNT:$[[ inputs.gcp-oidc-account ]]
GCP_OIDC_PROVIDER:$[[ inputs.gcp-oidc-provider ]]
.gcp-provider-auth:
before_script:
-echo "Installing GCP authentication with env GOOGLE_APPLICATION_CREDENTIALS file"