diff --git a/templates/gitlab-ci-python-gcp.yml b/templates/gitlab-ci-python-gcp.yml
index 4fdaaf55479622f44402cecda6ed88059dfa85f0..1166426546b0f35991ea4a9ece9bb67c581ad1a6 100644
--- a/templates/gitlab-ci-python-gcp.yml
+++ b/templates/gitlab-ci-python-gcp.yml
@@ -19,41 +19,38 @@ variables: GCP_OIDC_ACCOUNT: $[[ inputs.gcp-oidc-account ]] GCP_OIDC_PROVIDER: $[[ inputs.gcp-oidc-provider ]] -.gcp-provider-auth: - before_script: - - set -e - - echo -e "[\\e[1;94mINFO\\e[0m] Installing GCP authentication with env GOOGLE_APPLICATION_CREDENTIALS file" - - echo $GCP_JWT > "$CI_BUILDS_DIR/.auth_token.jwt" - - |- - cat << EOF > "$CI_BUILDS_DIR/google_application_credentials.json" - { - "type": "external_account", - "audience": "//iam.googleapis.com/${GCP_OIDC_PROVIDER}", - "subject_token_type": "urn:ietf:params:oauth:token-type:jwt", - "token_url": "https://sts.googleapis.com/v1/token", - "credential_source": { - "file": "$CI_BUILDS_DIR/.auth_token.jwt" - }, - "service_account_impersonation_url": "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/${GCP_OIDC_ACCOUNT}:generateAccessToken" - } - EOF - - export GOOGLE_APPLICATION_CREDENTIALS="$CI_BUILDS_DIR/google_application_credentials.json" - +.python-gcp-adc: + - set -e + - echo -e "[\\e[1;94mINFO\\e[0m] Installing GCP authentication with env GOOGLE_APPLICATION_CREDENTIALS file" + - echo $GCP_JWT > "$CI_BUILDS_DIR/.auth_token.jwt" + - |- + cat << EOF > "$CI_BUILDS_DIR/google_application_credentials.json" + { + "type": "external_account", + "audience": "//iam.googleapis.com/${GCP_OIDC_PROVIDER}", + "subject_token_type": "urn:ietf:params:oauth:token-type:jwt", + "token_url": "https://sts.googleapis.com/v1/token", + "credential_source": { + "file": "$CI_BUILDS_DIR/.auth_token.jwt" + }, + "service_account_impersonation_url": "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/${GCP_OIDC_ACCOUNT}:generateAccessToken" + } + EOF + - export GOOGLE_APPLICATION_CREDENTIALS="$CI_BUILDS_DIR/google_application_credentials.json" .python-base: image: $PYTHON_IMAGE services: - name: "$TBC_TRACKING_IMAGE" command: ["--service", "python", "7.8.1"] + id_tokens: + GCP_JWT: + aud: "$GCP_OIDC_AUD" variables: GCP_JWT: $GCP_JWT before_script: - - !reference 
[.gcp-provider-auth, before_script] - !reference [.python-scripts] + - !reference [.python-gcp-adc] - install_ca_certs "${CUSTOM_CA_CERTS:-$DEFAULT_CA_CERTS}" - cd ${PYTHON_PROJECT_DIR} - guess_build_system - - id_tokens: - GCP_JWT: - aud: "$GCP_OIDC_AUD"
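Review bot: The re-added `.python-gcp-adc` step `echo $GCP_JWT > "$CI_BUILDS_DIR/.auth_token.jwt"` writes the OIDC ID token with the shell's default umask and an unquoted expansion, so the bearer token that the credential file points at may be readable by other users or processes on the runner host. Writing it inside a restricted subshell keeps the umask of the rest of the job unchanged: `- (umask 077; printf '%s' "$GCP_JWT" > "$CI_BUILDS_DIR/.auth_token.jwt")`. Both files are left in `$CI_BUILDS_DIR` when the job ends; if the runners reuse that directory between jobs (not visible from this hunk), an `after_script` that removes `.auth_token.jwt` and `google_application_credentials.json` would limit the token's exposure to the job that requested it. Since the block is now a bare list pulled in with `!reference [.python-gcp-adc]` after `.python-scripts`, a short comment above it stating that it belongs in `before_script` and needs `GCP_JWT`, `GCP_OIDC_PROVIDER` and `GCP_OIDC_ACCOUNT` would help whoever reuses it.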