Description
Problem
Currently, users cannot access bqutil resources when using Workload Identity Federation:
- Cannot execute bqutil functions
- Cannot access gs://bqutil-lib for local builds
This forces users to create unnecessary service accounts for CI execution in GitHub Actions.
google-github-actions/auth recommends Direct Workload Identity Federation as the preferred authentication method. I would like to use Direct Workload Identity Federation to avoid the complexity of managing intermediate service accounts for resource permissions.
Root Cause
As documented in Google Cloud IAM principals overview:
This principal type doesn't include federated identities, which are managed by external identity providers (IdPs). If you use Workforce Identity Federation or Workload Identity Federation, don't use allAuthenticatedUsers. Instead, use one of the following:
- To include users from all IdPs, use allUsers.
- To include users from specific external IdPs, use the identifier for all identities in a workforce identity pool or all identities in a workload identity pool.
The current IAM configurations in release/terraform/main.tf use allAuthenticatedUsers, which excludes Workload Identity Federation principals.
Proposed Solution
Change IAM member configurations from allAuthenticatedUsers to allUsers.
As stated in the Google Cloud documentation quoted above, allUsers is the recommended approach for supporting Workload Identity Federation. Additionally, there is minimal security difference between the two for public resources, as allAuthenticatedUsers includes any Google account (not just organization members).
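As an added illustration of the proposed change (example configuration, not the contents of release/terraform/main.tf; the resource names, bucket and dataset ids, and roles are assumptions), the binding as it stands beside the proposed one, followed by the narrower per-pool form that the quoted documentation lists as the other option:

```hcl
# Added example. Resource names, bucket/dataset ids and roles are assumptions,
# not copied from the project's Terraform.

# CURRENT: allAuthenticatedUsers covers any Google-account principal but, per
# the IAM documentation quoted above, not identities federated through a
# workload identity pool. Shown for comparison only; do not keep both this
# and the block below, or the bucket ends up with two bindings.
resource "google_storage_bucket_iam_member" "lib_reader_current" {
  bucket = "bqutil-lib"
  role   = "roles/storage.objectViewer"
  member = "allAuthenticatedUsers"
}

# PROPOSED: allUsers covers every principal, including Workload Identity
# Federation identities. It also grants anonymous, unauthenticated access,
# so only a read-only role belongs here.
resource "google_storage_bucket_iam_member" "lib_reader" {
  bucket = "bqutil-lib"
  role   = "roles/storage.objectViewer"
  member = "allUsers"
}

# The same change for the functions dataset so routines can be executed.
# Project, dataset id and role are assumptions.
resource "google_bigquery_dataset_iam_member" "fn_reader" {
  project    = "bqutil"
  dataset_id = "fn"
  role       = "roles/bigquery.dataViewer"
  member     = "allUsers"
}

# NARROWER alternative from the quoted documentation: grant only the identities
# in one workload identity pool instead of everyone. PROJECT_NUMBER and POOL_ID
# are placeholders for the caller's own pool.
resource "google_storage_bucket_iam_member" "lib_reader_pool" {
  bucket = "bqutil-lib"
  role   = "roles/storage.objectViewer"
  member = "principalSet://iam.googleapis.com/projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/*"
}
```

The per-pool form is the least-privilege option when the consumers are known, but for a resource meant to be usable by any caller's pool, allUsers is the binding that reaches federated identities. Because allUsers removes the authentication requirement entirely, it is worth confirming in `terraform plan` output that the only roles bound to it are viewer-level ones such as those above.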