
Log in to FlakeHub from Google Cloud Platform (GCP)

Use Google Cloud Platform’s Identity and Access Management to log in to a FlakeHub organization and access private flakes and artifacts cached in FlakeHub Cache without managing tokens.

Security considerations

Authenticating to FlakeHub with a GCP Service Account currently grants read-only privileges to all sources and cached artifacts in the associated FlakeHub organization. FlakeHub only needs the Service Account’s email address to authenticate.

Setup

Identify the service account

Look up the service account for your GCP resource. You can find this in the console, or through the metadata API:

Query the GCP metadata API for the current service account
curl -H 'Metadata-Flavor: Google' \
  http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/email

The account identifier should look something like this:

Example GCP account identifier
123456789-compute@developer.gserviceaccount.com

Register the trust relationship

Register the Service Account email under the GCP IDs section of your FlakeHub organization’s settings, at a URL of this form:

https://flakehub.com/:org/settings?editview=gcp-ids


Give the trust relationship a short name, such as dev/ephemeral-vm. Names may contain letters, digits, and dashes, plus at most one slash.

Click Add.

Copy the Full Resource Name

The Full Resource Name (FRN) is used by Determinate Nixd to identify the trust relationship. It should look something like this:

Example Full Resource Name for GCP
frn:flakehub:gcp-delegated:DeterminateSystems::dev/ephemeral-vm

Log in from within GCP

Once the initial setup is complete, you can log in:

Example login command for GCP
determinate-nixd login gcp \
  --frn frn:flakehub:gcp-delegated:DeterminateSystems::dev/ephemeral-vm

Determinate is now authenticated with FlakeHub using the bound Service Account.
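The steps above tied together as a boot-time script, as an added example that is not part of the FlakeHub guide or Determinate's own tooling: it queries the metadata API for the instance's service account, refuses to log in unless that account is the one the operator expected (the login grants read access to every source in the organization, so an unexpected identity should stop here), and composes the FRN from the organization and trust-relationship name. The FRN layout `frn:flakehub:gcp-delegated:<org>::<name>` is generalised from the guide's single example, and the FLAKEHUB_* environment variables are this script's own convention.

```shell
#!/usr/bin/env sh
# Added example, not from the FlakeHub docs: guarded FlakeHub login from a GCP VM.
set -eu

# Compose the FRN. Layout is an assumption generalised from the guide's example:
#   frn:flakehub:gcp-delegated:<org>::<trust-relationship-name>
# Name rule from the guide: letters, digits, dashes, and at most one slash.
flakehub_gcp_frn() {
  org=$1; name=$2
  case "$name" in
    ""|*[!A-Za-z0-9/-]*|*/*/*) return 1 ;;
  esac
  [ -n "$org" ] || return 1
  printf 'frn:flakehub:gcp-delegated:%s::%s\n' "$org" "$name"
}

# Same metadata query as in the guide: which service account is this VM running as?
current_service_account() {
  curl -sf -H 'Metadata-Flavor: Google' \
    http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/email
}

# Exact match against the account registered under GCP IDs; anything else is a no-go.
check_service_account() {
  actual=$1; expected=$2
  [ "$actual" = "$expected" ]
}

login_if_expected() {
  expected_sa=$1; org=$2; name=$3
  actual_sa=$(current_service_account)
  if ! check_service_account "$actual_sa" "$expected_sa"; then
    echo "refusing login: instance runs as '$actual_sa', expected '$expected_sa'" >&2
    return 1
  fi
  frn=$(flakehub_gcp_frn "$org" "$name")
  determinate-nixd login gcp --frn "$frn"
}

# Only acts when the operator states the expected account, e.g.
#   FLAKEHUB_EXPECTED_SA=123456789-compute@developer.gserviceaccount.com \
#   FLAKEHUB_ORG=DeterminateSystems FLAKEHUB_TRUST=dev/ephemeral-vm sh login.sh
if [ -n "${FLAKEHUB_EXPECTED_SA:-}" ]; then
  login_if_expected "$FLAKEHUB_EXPECTED_SA" "${FLAKEHUB_ORG:?}" "${FLAKEHUB_TRUST:?}"
fi
```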
