Set Up GCP Components on the Client Side
Grant Yahoo permission to read and write log files directly in a Google Cloud Storage (GCS) bucket using Workload Identity Federation, so that no static credentials have to be stored or shared.
Step 1: Create Workload Identity Pool and Provider
In the Google Cloud Console, go to IAM & Admin > Workload Identity Federation.
Select + Create Pool.
Enter the Pool Details:
Name: <NAME>
Location: global
Create a Provider by entering the following details.
Type: AWS
Provider ID: aws-provider
AWS Account ID: <Yahoo AWS Account ID>
Step 2: Create a Service Account
Create a service account, for example aws-accessor-sa@PROJECT_ID.iam.gserviceaccount.com.
Step 3: Allow Yahoo AWS Role to Impersonate the Service Account
Add the following principal to the service account's permissions. The principal below shows the required format; substitute your project number, pool name and the Yahoo IAM role ARN.
principalSet://iam.googleapis.com/projects/<PROJECT_NUMBER>/locations/global/workloadIdentityPools/<POOL-NAME>/attribute.aws_role/<IAMRoleARN>
Assign the role: Service Account Token Creator (roles/iam.serviceAccountTokenCreator)
Add the IAM condition (recommended).
attribute.aws_role == <IAMRoleARN>
Add the Yahoo AWS account details. The Yahoo role ARNs are:
"arn:aws:iam::120569632695:role/dcs.tgt-anltcs-prd.cleanroom-api-service"
"arn:aws:iam::394273476801:role/aolp.ds-prd.cleanroom-api-service"
Step 4: Grant Storage Permissions to the Service Account
Go to Cloud Storage, select the bucket to share, open Permissions and add aws-accessor-sa@PROJECT_ID.iam.gserviceaccount.com as a principal.
Assign Storage Object Admin or another suitable role.
Step 5: Send Details to Yahoo
Once configuration is complete, provide the following details to your Yahoo representative so the Yahoo team can validate that they are able to access and write to the GCS bucket.
GCS Bucket Name
GCS Bucket Path
GCP Project ID
GCP Workload Identity Audience
GCP Service Account Email
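The following script is an added example, not part of this page or Yahoo's own tooling: it builds the principalSet member from Step 3 and the Workload Identity audience requested in Step 5, and prints (without running) the gcloud commands equivalent to Steps 1 to 4. The project ID, project number, pool name and bucket name are constructed placeholders; the assumed-role conversion applies only if the provider keeps the default attribute mapping, under which attribute.aws_role carries the arn:aws:sts::ACCOUNT:assumed-role/NAME form rather than the IAM role ARN.

```shell
#!/usr/bin/env bash
# Added example, not from the original page: builds the identifiers that
# Steps 3 and 5 need and prints the gcloud equivalent of Steps 1-4.
# Project ID, project number, pool, provider and bucket are constructed placeholders.
set -eu

# principalSet member for one AWS role (the Step 3 format).
wif_principal_set() {  # <project_number> <pool> <aws_role_value>
  printf 'principalSet://iam.googleapis.com/projects/%s/locations/global/workloadIdentityPools/%s/attribute.aws_role/%s' "$1" "$2" "$3"
}

# Workload Identity audience to hand over in Step 5.
wif_audience() {  # <project_number> <pool> <provider>
  printf '//iam.googleapis.com/projects/%s/locations/global/workloadIdentityPools/%s/providers/%s' "$1" "$2" "$3"
}

# Assumption: with the provider's default attribute mapping, attribute.aws_role
# carries the STS assumed-role form, so an IAM role ARN is converted before binding.
aws_role_to_assumed_role() {  # <arn:aws:iam::ACCOUNT:role/[path/]NAME>
  local acct
  acct="${1#arn:aws:iam::}"; acct="${acct%%:*}"
  printf 'arn:aws:sts::%s:assumed-role/%s' "$acct" "${1##*/}"
}

# gcloud commands equivalent to Steps 1-4 for a single Yahoo role (printed, not run).
wif_commands() {  # <project_id> <project_number> <pool> <provider> <aws_account> <role_arn> <bucket>
  local sa member
  sa="aws-accessor-sa@$1.iam.gserviceaccount.com"
  member="$(wif_principal_set "$2" "$3" "$(aws_role_to_assumed_role "$6")")"
  cat <<EOF
gcloud iam workload-identity-pools create "$3" --project="$1" --location=global
gcloud iam workload-identity-pools providers create-aws "$4" --project="$1" --location=global \\
  --workload-identity-pool="$3" --account-id="$5"
gcloud iam service-accounts create aws-accessor-sa --project="$1"
gcloud iam service-accounts add-iam-policy-binding "$sa" --project="$1" \\
  --role=roles/iam.serviceAccountTokenCreator --member="$member"
gcloud storage buckets add-iam-policy-binding "gs://$7" \\
  --member="serviceAccount:$sa" --role=roles/storage.objectAdmin
# Audience for Step 5: $(wif_audience "$2" "$3" "$4")
EOF
}

# Sample run with constructed placeholders and one of the Yahoo role ARNs from Step 3.
wif_commands example-project 123456789012 yahoo-pool aws-provider 120569632695 \
  "arn:aws:iam::120569632695:role/dcs.tgt-anltcs-prd.cleanroom-api-service" example-logs-bucket
```

Review the printed commands against the console steps above before running them; the binding is scoped to a single role, so repeat the add-iam-policy-binding step for each Yahoo role ARN.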