gcp2aws

AWS credential helper for GCP.

Call AWS API using GCP credentials.

Requirements

• GCP
  • Authenticate with gcloud auth application-default login
  • Service Accounts that allow you to impersonate(roles/iam.serviceAccountTokenCreator)
• AWS
  • IAM Roles that allow service accounts to sts:AssumeRoleWithWebIdentity

Installation

Using go install

go install github.com/porkbeans/gcp2aws@latest

Using GitHub Releases

For locally (e.g. ~/.local/bin)

curl -sSL '<TAR_GZ_URL>' | tar -xz -C ~/.local/bin gcp2aws

For globally (e.g. /usr/local/bin)

curl -sSL '<TAR_GZ_URL>' | sudo tar -xz --no-same-owner -C /usr/local/bin gcp2aws

Usage

SYNOPSIS
    gcp2aws -i <SERVICE ACCOUNT EMAIL> -r <ROLE ARN> [-d <DURATION>]

OPTIONS
    -i <SERVICE ACCOUNT EMAIL>
        Service account email to impersonate.
    -r <ROLE ARN>
        Role ARN to AssumeRoleWithWebIdentity.
    -d <DURATION>
        Credential duration. Accept format for Go time.ParseDuration.
        See https://pkg.go.dev/time#ParseDuration

Examples

See Terraform Example to set up GCP Service Account and AWS IAM Role.

AssumeRole with impersonated GCP service account identity.

~/.aws/config

[profile example]
credential_process = /path/to/gcp2aws -r <ROLE ARN> -i <SERVICE ACCOUNT EMAIL>
region = <YOUR REGION>

Development

Required tools

• go for compiling and testing
• GNU make for task runner
• direnv for loading environment variables for tests
• gibo for updating .gitignore boilerplate

Preparing

• cp example.env secret.env and edit each values in secret.env for your test environment.
• direnv allow
• make test to confirm that you can run tests

Similar projects

• https://github.com/doitintl/janus