mirror of https://github.com/openshift/openshift-docs.git synced 2026-02-05 12:46:18 +01:00
openshift-docs/modules/ccs-gcp-customer-procedure-wif.adoc


// Module included in the following assemblies:
//
// * osd_planning/gcp-ccs.adoc
:_mod-docs-content-type: PROCEDURE
[id="ccs-gcp-customer-procedure-wif_{context}"]
= Workload Identity Federation authentication type procedure
// TODO: Same as other module - Better procedure heading that tells you what this is doing
[role="_abstract"]
Besides the required customer procedures listed in _Required customer procedure_, there are other specific actions that you must take when creating an {product-title} cluster on {GCP} using Workload Identity Federation (WIF) as the authentication type.
.Procedure
. Assign the following roles to the link:https://cloud.google.com/iam/docs/granting-roles-to-service-accounts#granting_access_to_a_service_account_for_a_resource[service account] of the user implementing the WIF authentication type:
+
[IMPORTANT]
====
The following roles are only required when creating, updating, or deleting WIF configurations.
====
+
.Required roles
[cols="5a,3a,5a",options="header"]
|===
|Role and description|Console role name|Permissions
|Role Admin
Required by the {gcp-short} client in the OCM CLI for creating custom roles.
|`roles/iam.roleAdmin`
|iam.roles.create
iam.roles.delete
iam.roles.get
iam.roles.list
iam.roles.undelete
iam.roles.update
resourcemanager.projects.get
resourcemanager.projects.getIamPolicy
|Service Account Admin
Required for the pre-creation of the service accounts used by the deployer, support, and Operators.
|`roles/iam.serviceAccountAdmin`
a| iam.serviceAccountApiKeyBindings.create
iam.serviceAccountApiKeyBindings.delete
iam.serviceAccountApiKeyBindings.undelete
iam.serviceAccounts.create
iam.serviceAccounts.createTagBinding
iam.serviceAccounts.delete
iam.serviceAccounts.deleteTagBinding
iam.serviceAccounts.disable
iam.serviceAccounts.enable
iam.serviceAccounts.get
iam.serviceAccounts.getIamPolicy
iam.serviceAccounts.list
iam.serviceAccounts.listEffectiveTags
iam.serviceAccounts.listTagBindings
iam.serviceAccounts.setIamPolicy
iam.serviceAccounts.undelete
iam.serviceAccounts.update
resourcemanager.projects.get
resourcemanager.projects.list
|Workload Identity Pool Admin
Required to create and configure the workload identity pool.
|`roles/iam.workloadIdentityPoolAdmin`
a| iam.googleapis.com/workloadIdentityPoolProviderKeys.create
iam.googleapis.com/workloadIdentityPoolProviderKeys.delete
iam.googleapis.com/workloadIdentityPoolProviderKeys.get
iam.googleapis.com/workloadIdentityPoolProviderKeys.list
iam.googleapis.com/workloadIdentityPoolProviderKeys.undelete
iam.googleapis.com/workloadIdentityPoolProviders.create
iam.googleapis.com/workloadIdentityPoolProviders.delete
iam.googleapis.com/workloadIdentityPoolProviders.get
iam.googleapis.com/workloadIdentityPoolProviders.list
iam.googleapis.com/workloadIdentityPoolProviders.undelete
iam.googleapis.com/workloadIdentityPoolProviders.update
iam.googleapis.com/workloadIdentityPools.delete
iam.googleapis.com/workloadIdentityPools.get
iam.googleapis.com/workloadIdentityPools.list
iam.googleapis.com/workloadIdentityPools.undelete
iam.googleapis.com/workloadIdentityPools.update
iam.workloadIdentityPools.createPolicyBinding
iam.workloadIdentityPools.deletePolicyBinding
iam.workloadIdentityPools.searchPolicyBindings
iam.workloadIdentityPools.updatePolicyBinding
resourcemanager.projects.get
resourcemanager.projects.list
|Project IAM Admin
Required for assigning roles to the service account and giving permissions to those roles that are necessary to perform operations on cloud resources.
|`roles/resourcemanager.projectIamAdmin`
a|iam.policybindings.get
iam.policybindings.list
resourcemanager.projects.createPolicyBinding
resourcemanager.projects.deletePolicyBinding
resourcemanager.projects.get
resourcemanager.projects.getIamPolicy
resourcemanager.projects.searchPolicyBindings
resourcemanager.projects.setIamPolicy
resourcemanager.projects.updatePolicyBinding
|===
. Install the link:https://console.redhat.com/openshift/downloads[OpenShift Cluster Manager API command-line interface (`ocm`)].
+
[IMPORTANT]
====
The {cluster-manager} API command-line interface (`ocm`) is a Developer Preview feature only.
For more information about the support scope of Red Hat Developer Preview features, see link:https://access.redhat.com/support/offerings/devpreview/[Developer Preview Support Scope].
====
+
// To use the OCM CLI, you must authenticate against your Red Hat {cluster-manager} account. This is accomplished with the {cluster-manager} API token.
// +
// You can obtain your token link:https://console.redhat.com/openshift/token/show[here].
. To authenticate against your Red Hat {cluster-manager} account, run one of the following commands.
.. If your system supports a web-based browser, run the Red{nbsp}Hat single sign-on (SSO) authorization code command for secure authentication:
+
[source,terminal]
----
$ ocm login --use-auth-code
----
+
Running this command redirects you to the Red{nbsp}Hat SSO login page. Log in with your Red{nbsp}Hat login or email.
.. If you are working with containers, remote hosts, and other environments without a web browser, run the Red{nbsp}Hat single sign-on (SSO) device code command for secure authentication:
+
.Syntax
[source,terminal]
----
$ ocm login --use-device-code
----
+
Running this command redirects you to the Red{nbsp}Hat SSO login page and provides a login code.
+
To switch accounts, log out from https://sso.redhat.com and run the `ocm logout` command in your terminal before attempting to log in again.
. Install the link:https://cloud.google.com/sdk/docs/install[gcloud CLI].
. Authenticate the gcloud CLI with the link:https://cloud.google.com/docs/authentication/provide-credentials-adc[Application Default Credentials (ADC)].
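The roles in step 1 are only needed while WIF configurations are being created, updated, or deleted, so it is worth checking the service account's bindings before the `ocm` run and again afterwards. The following script is an added example, not part of the OpenShift documentation or of the `ocm` or `gcloud` tooling. It reads the JSON printed by `gcloud projects get-iam-policy PROJECT_ID --format=json`, compares one member's bindings with the four roles from the _Required roles_ table, and reports missing roles, roles bound only under an IAM condition (which may not be in effect when the CLI runs), and extra roles that widen what the account can do. The project ID, service account name, and policy document below are constructed sample data; the `grant_commands` output is meant to be reviewed by an operator, not executed blindly.

```python
"""Audit the service account roles that the WIF procedure requires.

Added example, not part of the OpenShift documentation or the ocm/gcloud
tooling. It consumes the JSON printed by
    gcloud projects get-iam-policy PROJECT_ID --format=json
and reports, for one member, which of the four roles from the procedure's
"Required roles" table are missing, which extra roles are bound, and which
required roles are only granted under an IAM condition. The project ID,
service account name and policy below are constructed sample data.
"""
import json

# The four roles from the "Required roles" table.
REQUIRED_ROLES = frozenset({
    "roles/iam.roleAdmin",
    "roles/iam.serviceAccountAdmin",
    "roles/iam.workloadIdentityPoolAdmin",
    "roles/resourcemanager.projectIamAdmin",
})


def roles_for_member(policy, member):
    """Split the roles bound to `member` into unconditional and conditional sets.

    A binding that carries an IAM condition may not be in effect when the OCM
    CLI runs, so it is tracked separately instead of counting as granted.
    """
    unconditional, conditional = set(), set()
    for binding in policy.get("bindings", []):
        if member not in binding.get("members", []):
            continue
        target = conditional if "condition" in binding else unconditional
        target.add(binding["role"])
    return unconditional, conditional


def audit(policy, member):
    """Compare the member's bindings with REQUIRED_ROLES and return the drift."""
    granted, conditional = roles_for_member(policy, member)
    return {
        "missing": sorted(REQUIRED_ROLES - granted),
        # Anything beyond the table widens what a leaked token can do;
        # roles/owner in particular makes the four specific roles redundant.
        "extra": sorted(granted - REQUIRED_ROLES),
        "conditional": sorted(conditional),
    }


def audit_json(policy_json, member):
    """Same as audit(), but starting from the raw text gcloud prints."""
    return audit(json.loads(policy_json), member)


def grant_commands(project_id, member, missing):
    """Render one gcloud command per missing role for an operator to review."""
    return [
        f"gcloud projects add-iam-policy-binding {project_id} "
        f"--member={member} --role={role}"
        for role in missing
    ]


# Constructed sample in the shape gcloud prints, with deliberate drift from
# the table: one required role conditional, one missing, and roles/owner extra.
SAMPLE_PROJECT = "example-ccs-project"
SAMPLE_MEMBER = "serviceAccount:wif-admin@example-ccs-project.iam.gserviceaccount.com"
SAMPLE_POLICY_JSON = json.dumps({
    "bindings": [
        {"role": "roles/iam.roleAdmin", "members": [SAMPLE_MEMBER]},
        {"role": "roles/iam.serviceAccountAdmin",
         "members": ["user:alice@example.com", SAMPLE_MEMBER]},
        {"role": "roles/iam.workloadIdentityPoolAdmin", "members": [SAMPLE_MEMBER],
         "condition": {"title": "temp",
                       "expression": "request.time < timestamp('2020-01-01T00:00:00Z')"}},
        {"role": "roles/owner", "members": [SAMPLE_MEMBER]},
        {"role": "roles/resourcemanager.projectIamAdmin",
         "members": ["user:alice@example.com"]},
    ],
    "etag": "BwXyConstructed=",
    "version": 3,
})


if __name__ == "__main__":
    report = audit_json(SAMPLE_POLICY_JSON, SAMPLE_MEMBER)
    for key, roles in report.items():
        print(f"{key}: {', '.join(roles) or '-'}")
    for cmd in grant_commands(SAMPLE_PROJECT, SAMPLE_MEMBER, report["missing"]):
        print(cmd)
```

Run it against a real project by piping `gcloud projects get-iam-policy PROJECT_ID --format=json` into `audit_json`. Extra roles reported after the WIF work is finished are candidates for `gcloud projects remove-iam-policy-binding`, which keeps the account at the permission set the table describes rather than whatever accumulated during setup.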