GCP
MechCloud uses Workload Identity Federation (WIF) to authenticate with GCP, eliminating the need for service account keys. This is more secure as there are no long-lived credentials to manage or rotate.
Step 1: Create a GCP Project (if needed)
Log on to GCP Console.
If you don't already have a project, create one from the project selector at the top of the page.
Note down the Project ID (not the project name) — you'll need it later.
Step 2: Enable Required APIs
Enable the following APIs in your GCP project. Navigate to APIs & Services -> Library and enable each one:
IAM Service Account Credentials API: required for Workload Identity Federation
Security Token Service API: required for token exchange in WIF
Compute Engine API: for VM, disk, and network resource management
Cloud Resource Manager API: for project-level operations
Kubernetes Engine API: for GKE cluster management (if using GKE)
Cloud Logging API: for Cost Explorer audit log queries
Cloud Billing API: for pricing information (Cost Explorer)
Step 3: Create a Service Account
In the GCP Console, navigate to IAM & Admin -> Service Accounts.
Click Create Service Account.
Enter a name (e.g., mechcloud-wif) and description. Click Create and Continue.
Assign the following roles based on your needs:
Compute Viewer (roles/compute.viewer): read-only access to Compute Engine resources
Kubernetes Engine Viewer (roles/container.viewer): read-only access to GKE clusters (if using GKE)
Logs Viewer (roles/logging.viewer): read audit logs for Cost Explorer
Compute Admin (roles/compute.admin): for Stateless IaC to create/update/delete resources
Kubernetes Engine Admin (roles/container.admin): for Stateless IaC to manage GKE clusters (if using GKE)
Choose read-only roles if you only need asset discovery and Cost Explorer. Add admin roles if you plan to use Stateless IaC.
Click Continue and then Done.
Note down the Service Account Email (e.g., [email protected]).
Step 4: Create a Workload Identity Pool
Navigate to IAM & Admin -> Workload Identity Federation.
Click Create Pool.
Enter the following details:
Name: mechcloud-pool (or any descriptive name)
Pool ID: mechcloud-pool (auto-generated from name)
Description: MechCloud OIDC federation pool
Click Continue.
Step 5: Add an OIDC Provider to the Pool
On the Add a provider to pool page, select OpenID Connect (OIDC).
Fill in the following details:
Provider name: mechcloud-idp (or any descriptive name)
Provider ID: mechcloud-idp (auto-generated from name)
Issuer (URL): https://id.mechcloud.io/
Audiences: select Allowed audiences and enter your MechCloud audience value (see below)
Finding Your Audience Value
Log in to MechCloud Portal.
Open a new browser tab and navigate to https://portal.mechcloud.io/oauth2/auth1
This displays your JWT token. Decode it using jwt.io or a similar tool.
Find the aud (Audience) claim — use this value for the Allowed audiences field (e.g., n6dMQIo8ZCE5QxLY4o2KjeBaSn8eefTX).
Click Continue.
Step 6: Configure Provider Attributes
On the Configure provider attributes page, map the following attributes:
google.subject: assertion.sub
This maps the MechCloud user's subject claim to the Google identity.
Click Save to create the pool and provider.
Step 7: Grant Service Account Access to the Pool
Navigate to IAM & Admin -> Workload Identity Federation.
Click on the pool you created (mechcloud-pool). Click Grant Access at the top.
Select the service account you created in Step 3 (e.g., [email protected]). Under Select principals, choose Only identities matching the filter.
Set the attribute condition to restrict access to your specific MechCloud user:
Attribute name: google.subject
Attribute value: your MechCloud sub claim (e.g., auth0|690895c8b0ac201506c31175)
Finding Your Subject Claim
Use the same JWT token from Step 5. Find the sub (Subject) claim — this is your unique MechCloud user identifier.
(IMPORTANT) This condition ensures that only your specific MechCloud user can impersonate the service account. Without this condition, any authenticated MechCloud user who knows your project details could access your GCP resources.
Click Save.
A panel will appear showing the Workload Identity Pool Provider resource name. It has the form projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/providers/PROVIDER_ID (note that it uses the numeric project number, not the project ID).
Note down this full provider resource name — you'll need it when adding the account in MechCloud.
Tip: You can also find this value later by navigating to IAM & Admin -> Workload Identity Federation -> click on your pool -> click on your provider -> copy the Default audience or Resource name value.
Step 8: Register Your GCP Account in MechCloud
Log on to MechCloud and navigate to Infrastructure -> Cloud Accounts.
Select a team.
Select GCP under Select a cloud provider dropdown.
Click on New Cloud Account button.
Enter a name for your account.
Fill in the credentials:
Project Id: your GCP project ID (e.g., my-project-123456)
Workload Identity Pool Provider: the full provider resource name from Step 7 (e.g., projects/123456789/locations/global/workloadIdentityPools/mechcloud-pool/providers/mechcloud-idp)
Click Save to add the cloud account.
Verifying the Setup
After adding the account, you can verify the integration by:
Navigate to Infrastructure -> Discover Assets.
Select your GCP account and a region.
Click Discover — if the setup is correct, you should see your GCP resources listed.
Troubleshooting
Permission denied errors: verify the service account has the required roles assigned in Step 3.
Token exchange failed: check that the Issuer URL is exactly https://id.mechcloud.io/ (with trailing slash).
Audience mismatch: verify the audience value matches your JWT token's aud claim.
Subject mismatch: verify the attribute condition matches your JWT token's sub claim.
API not enabled: ensure all required APIs from Step 2 are enabled in your project.
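The three claim checks above (issuer, audience, subject) and the Step 7 attribute condition can be rehearsed offline before the first token exchange. The following is an added example, not MechCloud's or Google's code: it decodes a JWT payload without verifying the signature (GCP's Security Token Service does that during the exchange), reports which of the Troubleshooting mismatches would occur, and builds the single-subject IAM principal that the google.subject = assertion.sub mapping plus the attribute condition admits. The make_sample_token helper and all sample claim values are constructed for illustration.

```python
import base64
import json

# Must match the provider's Issuer (URL) exactly, trailing slash included.
EXPECTED_ISSUER = "https://id.mechcloud.io/"


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def decode_jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT. No signature verification."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def check_provider_config(claims: dict, allowed_audience: str, expected_subject: str) -> list:
    """Return the mismatches that would surface as errors in the Troubleshooting list."""
    problems = []
    if claims.get("iss") != EXPECTED_ISSUER:
        problems.append("issuer mismatch (token exchange will fail)")
    aud = claims.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]  # aud may be a string or a list
    if allowed_audience not in aud_list:
        problems.append("audience mismatch")
    if claims.get("sub") != expected_subject:
        problems.append("subject mismatch (attribute condition will reject)")
    return problems


def wif_principal(project_number: str, pool_id: str, subject: str) -> str:
    """IAM member string for ONE federated identity (google.subject mapped from assertion.sub)."""
    return (f"principal://iam.googleapis.com/projects/{project_number}/locations/global/"
            f"workloadIdentityPools/{pool_id}/subject/{subject}")


def make_sample_token(claims: dict) -> str:
    """Constructed, unsigned sample token for offline testing; not a real MechCloud JWT."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.signature-placeholder"
```

Granting the service account to the exact principal returned by wif_principal (rather than to a whole pool) is the CLI-side equivalent of the attribute condition in Step 7.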