feat(wif): enhance workload identity setup script (#91)

This commit enhances the `setup_workload_identity.sh` script to improve
usability and flexibility when configuring Direct Workload Identity
Federation between Google Cloud and GitHub.

Key improvements include:

- **Custom Provider Names:** Users can now specify a custom name for the
Workload Identity Provider using the `--provider-name` flag. This
provides more control over resource naming. If not provided, a unique
name is automatically generated based on the repository hash.

- **Mandatory Project ID:** Make it clear that `--project` flag is
required to prevent accidental misconfiguration and ensure the script
targets the correct Google Cloud project. The script no longer attempts
to auto-detect the project ID.

- **Improved Help and Examples:** The help text and usage examples have
been updated to reflect the new `--provider-name` flag and the mandatory
`--project` requirement.

These changes make the script more robust and user-friendly for setting
up secure authentication from GitHub Actions to Google Cloud.

Author: jerop

docs/authentication.md

@@ -92,12 +92,12 @@ Your user account needs these permissions in the target GCP project to run the s
 Basic setup for your repository:
 
 ```shell
-./scripts/setup_workload_identity.sh --repo OWNER/REPO --project <PROJECT_ID>
+./scripts/setup_workload_identity.sh --repo OWNER/REPO --project GOOGLE_CLOUD_PROJECT
 ```
 
-`<OWNER/REPO>`: Your GitHub repository in the format `owner/repo`. Here, `OWNER` means your GitHub organization (for organization-owned repos) or username (for user-owned repos).
-
-`<PROJECT_ID>`: Your Google Cloud `project_id`.
+**Required Parameters:**
+- `OWNER/REPO`: Your GitHub repository in the format `owner/repo`. Here, `OWNER` means your GitHub organization (for organization-owned repos) or username (for user-owned repos).
+- `GOOGLE_CLOUD_PROJECT`: Your Google Cloud project ID.
 
 For example:
 
@@ -109,30 +109,33 @@ For example:
 
 Command Line Options:
 
-| Option                             | Description                                    | Example                    |
-| ---------------------------------- | ---------------------------------------------- | -------------------------- |
-| `--repo OWNER/REPO`                | **Required**: GitHub repository                | `--repo google/my-repo`    |
-| `--project GOOGLE_CLOUD_PROJECT`   | GCP project ID (auto-detected if not provided) | `--project my-gcp-project` |
-| `--location GOOGLE_CLOUD_LOCATION` | GCP project Location (defaults to 'global')    | `--location us-east1`      |
-| `--pool-name NAME`                 | Custom pool name (default: `github`)           | `--pool-name my-pool`      |
-| `--help`                           | Show help message                              |                            |
+| Option                             | Description                                    | Required | Example                       |
+| ---------------------------------- | ---------------------------------------------- | -------- | ----------------------------- |
+| `--repo OWNER/REPO`                | GitHub repository                              | Yes      | `--repo google/my-repo`       |
+| `--project GOOGLE_CLOUD_PROJECT`   | Google Cloud project ID                        | Yes      | `--project my-gcp-project`    |
+| `--location GOOGLE_CLOUD_LOCATION` | GCP project location (defaults to `global`)    | No       | `--location us-east1`         |
+| `--pool-name NAME`                 | Custom pool name (default: auto-generated)     | No       | `--pool-name my-pool`         |
+| `--provider-name NAME`             | Custom provider name (default: auto-generated) | No       | `--provider-name my-provider` |
+| `--help`                           | Show help message                              | No       |                               |
 
 **What the Script Does**
 
-1.  **Creates Workload Identity Pool**: A shared resource (named `github` by default).
-2.  **Creates Workload Identity Provider**: Unique per repository, linked to the pool.
-3.  **Grants Permissions**: Assigns IAM roles for observability and AI services.
-4.  **Outputs Configuration**: Prints the GitHub Actions variables needed for your workflow.
+1.  **Creates Workload Identity Pool**: A shared resource (auto-generated unique name based on repository).
+2.  **Creates Workload Identity Provider**: Unique per repository, linked to the pool (auto-generated unique name based on repository).
+3.  **Creates Service Account**: For authentication with required permissions.
+4.  **Grants Permissions**: Assigns IAM roles for observability and AI services.
+5.  **Outputs Configuration**: Prints the GitHub Actions variables needed for your workflow.
 
 **Automatic Permissions**
 
 The script automatically grants these essential IAM roles:
 
 - **`roles/logging.logWriter`**: To write logs to Cloud Logging.
-- **`roles/monitoring.metricWriter`**: To write metrics to Cloud Monitoring.
+- **`roles/monitoring.editor`**: To write metrics to Cloud Monitoring.
 - **`roles/cloudtrace.agent`**: To send traces to Cloud Trace.
 - **`roles/aiplatform.user`**: To make inference calls to Vertex AI.
 - **`roles/cloudaicompanion.user`**: To make inference calls using Gemini Code Assist.
+- **`roles/iam.serviceAccountTokenCreator`**: To generate access tokens.
 
 #### Connecting to Vertex AI
 

docs/observability.md

@@ -149,7 +149,7 @@ Alternatively, you can omit the `telemetry` settings entirely, as telemetry is d
 **Permission errors:**
 - Verify your service account has these roles:
   - `roles/logging.logWriter`
-  - `roles/monitoring.metricWriter` 
+  - `roles/monitoring.editor` 
   - `roles/cloudtrace.agent`
 
 For additional troubleshooting guidance, see the [Authentication documentation](./authentication.md).

scripts/setup_workload_identity.sh

@@ -54,7 +54,8 @@ print_header() {
 GOOGLE_CLOUD_PROJECT=""
 GOOGLE_CLOUD_LOCATION="global"
 GITHUB_REPO=""
-POOL_NAME="github"
+POOL_NAME=""
+PROVIDER_NAME=""
 
 # Show help
 show_help() {
@@ -66,21 +67,22 @@ USAGE:
 
 REQUIRED:
     -r, --repo OWNER/REPO       GitHub repository (e.g., google/my-repo)
-    -p, --project PROJECT_ID    Google Cloud project ID (auto-detected if not provided)
+    -p, --project GOOGLE_CLOUD_PROJECT    Google Cloud project ID
 
 OPTIONS:
     --pool-name NAME           Custom workload identity pool name (default: auto-generated)
+    --provider-name NAME       Custom workload identity provider name (default: auto-generated)
     -h, --help                 Show this help
 
 EXAMPLES:
     # Basic setup for a repository
-    $0 --repo google/my-repo
-
-    # With specific project
     $0 --repo google/my-repo --project my-gcp-project
 
     # Custom pool name
-    $0 --repo google/my-repo --pool-name my-pool
+    $0 --repo google/my-repo --project my-gcp-project --pool-name my-pool
+
+    # Custom pool and provider names
+    $0 --repo google/my-repo --project my-gcp-project --pool-name my-pool --provider-name my-provider
 
 ABOUT DIRECT WORKLOAD IDENTITY FEDERATION:
     This script sets up Direct Workload Identity Federation (preferred method).
@@ -107,6 +109,10 @@ while [[ $# -gt 0 ]]; do
             POOL_NAME="$2"
             shift 2
             ;;
+        --provider-name)
+            PROVIDER_NAME="$2"
+            shift 2
+            ;;
         -l|--location)
             GOOGLE_CLOUD_LOCATION="$2"
             shift 2
@@ -136,11 +142,11 @@ if [[ -z "${GITHUB_REPO}" ]]; then
     exit 1
 fi
 if [[ -z "${GOOGLE_CLOUD_PROJECT}" ]]; then
-    print_error "GCP project is required. Use --project PROJECT_ID"
+    print_error "GCP project is required. Use --project GOOGLE_CLOUD_PROJECT"
     echo ""
-    echo "💡 To find your project name:"
+    echo "💡 To find your project ID:"
     echo "   1. Go to your Google Cloud console"
-    echo "   2. The URL displays: https://pantheon.corp.google.com/welcome?project=PROJECT_ID"
+    echo "   2. The URL displays: https://console.cloud.google.com/welcome?project=GOOGLE_CLOUD_PROJECT"
     echo ""
     echo "Use --help for usage information."
     exit 1
@@ -153,29 +159,23 @@ if [[ ! "${GITHUB_REPO}" =~ ^[a-zA-Z0-9._-]+/[a-zA-Z0-9._-]+$ ]]; then
     exit 1
 fi
 
-# Auto-detect project ID if not provided
-if [[ -z "${GOOGLE_CLOUD_PROJECT}" ]]; then
-    print_info "Auto-detecting Google Cloud project..."
-    GOOGLE_CLOUD_PROJECT=$(gcloud config get-value project 2>/dev/null)
-    if [[ -z "${GOOGLE_CLOUD_PROJECT}" ]]; then
-        print_error "Could not auto-detect Google Cloud project ID"
-        echo "Please either:"
-        echo "  1. Set default project: gcloud config set project YOUR_PROJECT_ID"
-        echo "  2. Use --project flag: $0 --repo ${GITHUB_REPO} --project YOUR_PROJECT_ID"
-        exit 1
-    fi
-    print_success "Using project: ${GOOGLE_CLOUD_PROJECT}"
-fi
-
 # Extract repository components
 REPO_OWNER=$(echo "${GITHUB_REPO}" | cut -d'/' -f1)
 
 # Generate unique names based on repository
 REPO_HASH_INPUT=$(echo -n "${GITHUB_REPO}")
 REPO_HASH_SHA=$(echo "${REPO_HASH_INPUT}" | shasum -a 256)
 REPO_HASH=$(echo "${REPO_HASH_SHA}" | cut -c1-8)
-POOL_NAME="github-${REPO_HASH}"
-PROVIDER_NAME="gh-${REPO_HASH}"
+
+# Use custom pool name if provided, otherwise generate one
+if [[ -z "${POOL_NAME}" ]]; then
+    POOL_NAME="github-${REPO_HASH}"
+fi
+
+# Use custom provider name if provided, otherwise generate one
+if [[ -z "${PROVIDER_NAME}" ]]; then
+    PROVIDER_NAME="gh-${REPO_HASH}"
+fi
 
 print_header "Starting Direct Workload Identity Federation setup"
 echo "📦 Repository: ${GITHUB_REPO}"
@@ -330,7 +330,7 @@ gcloud projects add-iam-policy-binding "${GOOGLE_CLOUD_PROJECT}" \
 
 print_info "Granting monitoring permissions..."
 gcloud projects add-iam-policy-binding "${GOOGLE_CLOUD_PROJECT}" \
-    --role="roles/monitoring.editor" \
+    --role="roles/monitoring.metricWriter" \
     --member="${PRINCIPAL_SET}" \
     --condition=None