Status

Table of Contents

GitLab CI Service Account Configuration

This document describes the dedicated service account for GitLab CI/CD operations.

Service Account Details

  • Service Account: gitlab-ci@development-454916.iam.gserviceaccount.com
  • Purpose: Used exclusively for GitLab CI/CD pipelines to authenticate with Google Cloud services
  • Authentication Method: Workload Identity Federation (WIF)

IAM Roles

The gitlab-ci service account has the following IAM roles:

  • roles/artifactregistry.writer - Push container images to Artifact Registry
  • roles/artifactregistry.reader - Pull container images from Artifact Registry
  • roles/storage.objectViewer - Read objects from GCS buckets
  • roles/logging.logWriter - Write logs to Cloud Logging
  • roles/monitoring.metricWriter - Write metrics to Cloud Monitoring
  • roles/container.clusterViewer - View GKE clusters and their resources
  • roles/container.developer - Deploy to GKE clusters (create/update/patch K8s resources)

Terraform Configuration

The service account is created in main.tf:

module "gitlab_ci_workload_identity" {
  source = "./modules/workload-identity"

  project_id         = var.project_id
  service_account_id = "gitlab-ci"
  display_name       = "GitLab CI/CD"
  description        = "Service account for GitLab CI/CD pipelines"

  # No Kubernetes configuration needed - this is only for GitLab WIF
  namespace                  = ""
  kubernetes_service_account = ""

  # IAM roles for CI/CD operations
  roles = [
    "roles/artifactregistry.writer",
    "roles/artifactregistry.reader",
    "roles/storage.objectViewer",
    "roles/logging.logWriter",
    "roles/monitoring.metricWriter",
    "roles/container.clusterViewer",
    "roles/container.developer",
  ]

  # GitLab Workload Identity Federation
  enable_gitlab_wif    = true
  gitlab_project_paths = var.gitlab_project_paths
}

GitLab CI Configuration

The .gitlab-ci.yml file is configured to use this service account:

variables:
  GCP_WORKLOAD_IDENTITY_PROVIDER: "projects/303122725076/locations/global/workloadIdentityPools/gitlab-ci-gitlab-wif/providers/gitlab"
  GCP_SERVICE_ACCOUNT_EMAIL: "gitlab-ci@development-454916.iam.gserviceaccount.com"

Security Notes

  • The CI service account has minimal permissions required for CI/CD operations
  • It's separate from the main application service account (blueberry) which has broader permissions
  • No service account keys are used - authentication is via Workload Identity Federation
  • The service account can only be impersonated by authorized GitLab projects
Document ID: setup/05-cicd/ci-service-account