
AWS to GCP Role Assumption

Prerequisites

  • You will need the name of the GCP service account that you previously created as part of your destination configuration. The name should look like <service-account-name>@<project-id>.iam.gserviceaccount.com.
  • You will need the provided AWS ARN and AWS Account ID of the role that will impersonate your GCP service account.
    • The ARN value should look like: arn:aws:iam::123456789012:role/SomeRoleName.
    • The AWS Account ID is the 12-digit number from the ARN value, e.g., 123456789012.

Step 1: Confirm the permissions of your GCP service account

  1. In the GCP console, navigate to the IAM & Admin menu, click into the IAM tab, and find the GCP service account that you previously created as part of the Prerequisites. Click Edit principal.
  2. In the menu that appears, click + Add Another Role. Search for and add the "Workload Identity User" role to the service account.

Step 2: Create a Workload Identity Pool

  1. In the GCP console, navigate to the IAM & Admin menu, click into the Workload Identity Federation tab, and click Create Pool.

    ![](https://storage.googleapis.com/prequel_docs/images/gcp_pool_create_pool.png)

  2. Complete the details in the first step. For example, you may want to use a name like "transfer-service-pool" and a pool ID called "transfer-pool". Click Continue.

  3. Complete the details in the second step.

    1. For Select Provider, select AWS in the dropdown.

    2. For Provider Name, enter a descriptive name of your data source.

    3. For AWS Account ID, enter the Account ID (from the Prerequisites).

  4. Complete the third step, leaving the provider attribute mapping at its default values. Finish creating the pool.

  5. In the overview of the created Workload Identity Pool, click Grant Access.

  6. In the menu that appears, complete the setup flow:

    1. Select Grant access using Service Account impersonation.

    2. In the dropdown, select the Service Account you created (from the Prerequisites).

    3. Enter the Service principals (identities that can access the Service Account):

      1. For the attribute name, select aws_role.
      2. For the attribute value, enter the AWS ARN (from the Prerequisites).
    4. Click Save.

  7. After saving, you will be able to download a JSON file of metadata. This is the metadata you will need to complete your connection.
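
Before sharing the downloaded JSON file, you can confirm that it points at the pool and service account you configured and contains no long-lived secret. The following check is an added example, not part of the original documentation; it assumes the file uses Google's "external_account" credential configuration field names, and the sample values (project number, provider ID, service account) are constructed.

```python
import json
import re
from urllib.parse import urlsplit

# Field names assume Google's "external_account" credential configuration format.
AUDIENCE_RE = re.compile(
    r"^//iam\.googleapis\.com/projects/\d+/locations/global/"
    r"workloadIdentityPools/([a-z0-9-]+)/providers/[a-z0-9-]+$")
IMPERSONATE_RE = re.compile(
    r"^https://iamcredentials\.googleapis\.com/v1/projects/-/"
    r"serviceAccounts/([^/:]+):generateAccessToken$")
AWS_TOKEN_TYPE = "urn:ietf:params:aws:token-type:aws4_request"
SECRET_KEYS = ("private_key", "client_secret", "refresh_token")

def check_credential_config(raw, expected_pool, expected_sa):
    """Return a list of problems; an empty list means the file looks as expected."""
    cfg = json.loads(raw)
    problems = []
    if cfg.get("type") != "external_account":
        problems.append("type is not external_account")
    if cfg.get("subject_token_type") != AWS_TOKEN_TYPE:
        problems.append("subject token type is not AWS")
    pool = AUDIENCE_RE.match(str(cfg.get("audience", "")))
    if not pool or pool.group(1) != expected_pool:
        problems.append("audience does not name the expected pool")
    sa = IMPERSONATE_RE.match(str(cfg.get("service_account_impersonation_url", "")))
    if not sa or sa.group(1) != expected_sa:
        problems.append("impersonation URL does not target the expected service account")
    token = urlsplit(str(cfg.get("token_url", "")))
    if token.scheme != "https" or token.hostname != "sts.googleapis.com":
        problems.append("token_url is not Google STS over HTTPS")
    # A federation file carries pointers only; long-lived secrets do not belong in it.
    problems += [f"unexpected secret field: {k}" for k in SECRET_KEYS if k in cfg]
    return problems

# Constructed sample: project number, provider ID and service account are made up.
SAMPLE_SA = "transfer-sa@example-project.iam.gserviceaccount.com"
SAMPLE = json.dumps({
    "type": "external_account",
    "audience": "//iam.googleapis.com/projects/100000000001/locations/global/"
                "workloadIdentityPools/transfer-pool/providers/aws-source",
    "subject_token_type": AWS_TOKEN_TYPE,
    "service_account_impersonation_url":
        "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/"
        + SAMPLE_SA + ":generateAccessToken",
    "token_url": "https://sts.googleapis.com/v1/token",
    "credential_source": {"environment_id": "aws1"},
})
```

Call `check_credential_config` with the contents of the downloaded file, your pool ID and your service account name; an empty list means every check passed.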