GCP - TrueFoundry Docs

TrueFoundry supports integrating with multiple GCP services like GCS, GKE, GCR, GSM, GCP Models etc. To integrate any of the above services, you simply need to add your GCP account as a provider account and add integrations for the same as shown below:

Share access with users, teams or everyone in your TrueFoundry account As shown in the previous slides, you can share access of each integration with users, teams or everyone in your TrueFoundry account. This would allow them to view and use the integration. Only tenant-admins can edit the integrations.

Create a custom serviceaccount

Service Account Key
Workload Identity Federation
AWS IAM ARN

Step 1 — Create a GCP IAM Service AccountCreate an IAM service account (name can be anything but add a prefix tfy to differentiate it with others).

export GCP_PROJECT_ID=<GCP_PROJECT_ID>
export GSA_NAME=<GCP_SERVICE_ACCOUNT_NAME>

gcloud iam service-accounts create $GSA_NAME \
  --project="$GCP_PROJECT_ID" \
  --display-name="$GSA_NAME"

Step 2 — Create a JSON Key for the Service AccountGenerate a JSON key file for the service account. This key will be used to authenticate the service account in TrueFoundry.

export GSA_EMAIL=$GSA_NAME@$GCP_PROJECT_ID.iam.gserviceaccount.com

gcloud iam service-accounts keys create $GSA_NAME-key.json \
  --iam-account="$GSA_EMAIL" \
  --project="$GCP_PROJECT_ID"

The generated $GSA_NAME-key.json file is what you will provide in TrueFoundry when adding the GCP provider account.Step 3 — (Optional) Workflow Propeller BindingIf you are using the workflow propeller, add the following binding to the service account:

gcloud iam service-accounts add-iam-policy-binding $GSA_EMAIL \
    --role roles/iam.workloadIdentityUser \
    --member "serviceAccount:$GCP_PROJECT_ID.svc.id.goog[tfy-workflow-propeller/flytepropeller]" \
    --project $GCP_PROJECT_ID

Workload Identity Federation (WIF) lets TrueFoundry authenticate to Google Cloud without service account keys, even when running outside of GKE — for example, on Amazon EKS, Azure AKS, or on-premises Kubernetes clusters. It works by exchanging a short-lived Kubernetes service account token for a Google Cloud access token through Google’s Security Token Service.

Workload Identity Federation is the recommended approach for production deployments running outside of GKE. It eliminates long-lived service account keys while supporting any Kubernetes environment.

Inputs required:

GCP_PROJECT_ID — Your GCP project ID
PROJECT_NUMBER — Your GCP project number
POOL_NAME — Name for the Workload Identity Pool (e.g. tfy-<cluster-name>-pool)
PROVIDER_NAME — Name for the Workload Identity Provider (e.g. tfy-<cluster-name>-provider)
GSA_NAME — Name for the Google Cloud service account (e.g. tfy-<cluster-name>-platform)
OIDC_ISSUER_URL — The OIDC issuer URL of your Kubernetes cluster (for EKS: aws eks describe-cluster --name <CLUSTER_NAME> --query "cluster.identity.oidc.issuer" --output text)
NAMESPACE — Kubernetes namespace where the TrueFoundry service account runs (for TrueFoundry SAAS, use truefoundry)
KSA_NAME — Kubernetes service account name used by TrueFoundry (for TrueFoundry SAAS, use truefoundry)

export GCP_PROJECT_ID=<GCP_PROJECT_ID>
export PROJECT_NUMBER=<GCP_PROJECT_NUMBER>
export POOL_NAME=tfy-<cluster-name>-pool
export PROVIDER_NAME=tfy-<cluster-name>-provider
export GSA_NAME=tfy-<cluster-name>-platform
export OIDC_ISSUER_URL=<OIDC_ISSUER_URL>
export NAMESPACE=<NAMESPACE>
export KSA_NAME=<KSA_NAME>
export GSA_EMAIL=$GSA_NAME@$GCP_PROJECT_ID.iam.gserviceaccount.com

Step 1 — Create a Workload Identity Pool

gcloud iam workload-identity-pools create $POOL_NAME \
  --location="global" \
  --description="Workload identity pool for TrueFoundry" \
  --display-name="$POOL_NAME" \
  --project="$GCP_PROJECT_ID"

Step 2 — Create a Workload Identity ProviderThe --issuer-uri must be the OIDC issuer URL of your Kubernetes cluster. The --attribute-condition restricts which Kubernetes service accounts can use this provider.

gcloud iam workload-identity-pools providers create-oidc $PROVIDER_NAME \
  --location="global" \
  --workload-identity-pool="$POOL_NAME" \
  --issuer-uri="$OIDC_ISSUER_URL" \
  --attribute-mapping="google.subject=assertion.sub,attribute.namespace=assertion['kubernetes.io']['namespace'],attribute.service_account_name=assertion['kubernetes.io']['serviceaccount']['name']" \
  --attribute-condition="assertion.sub == 'system:serviceaccount:$NAMESPACE:$KSA_NAME'" \
  --project="$GCP_PROJECT_ID"

Step 3 — Create a Google Cloud Service Account

gcloud iam service-accounts create $GSA_NAME \
  --project="$GCP_PROJECT_ID" \
  --display-name="$GSA_NAME"

Step 4 — Allow the Federated Identity to Impersonate the Service AccountGrant the roles/iam.workloadIdentityUser role so the Kubernetes service account (via the workload identity pool) can impersonate the Google Cloud service account:

gcloud iam service-accounts add-iam-policy-binding $GSA_EMAIL \
  --member="principal://iam.googleapis.com/projects/$PROJECT_NUMBER/locations/global/workloadIdentityPools/$POOL_NAME/subject/system:serviceaccount:$NAMESPACE:$KSA_NAME" \
  --role="roles/iam.workloadIdentityUser" \
  --project="$GCP_PROJECT_ID"

Optionally, to allow all service accounts in a namespace (instead of a single one), use principalSet:

gcloud iam service-accounts add-iam-policy-binding $GSA_EMAIL \
  --member="principalSet://iam.googleapis.com/projects/$PROJECT_NUMBER/locations/global/workloadIdentityPools/$POOL_NAME/attribute.namespace/$NAMESPACE" \
  --role="roles/iam.workloadIdentityUser" \
  --project="$GCP_PROJECT_ID"

Step 5 — Generate the Credential Configuration FileThis is the file you will provide in TrueFoundry when configuring the GCP provider account.

gcloud iam workload-identity-pools create-cred-config \
  projects/$PROJECT_NUMBER/locations/global/workloadIdentityPools/$POOL_NAME/providers/$PROVIDER_NAME \
  --service-account=$GSA_EMAIL \
  --credential-source-file=/token \
  --credential-source-type=text \
  --output-file=credential-configuration.json

The generated credential-configuration.json file contains "type": "external_account" describing the identity pool, audience, and STS token-exchange endpoints. It is not a private key. Provide this file in TrueFoundry under Workload Identity Federation file when adding the GCP provider account.

This method allows an AWS IAM role to authenticate to Google Cloud using Workload Identity Federation with AWS as the identity provider. This is useful when TrueFoundry is running on AWS (e.g. EKS) and you want to access GCP services using an AWS IAM role ARN instead of managing GCP service account keys.

This approach uses AWS STS GetCallerIdentity as the credential source, so it works with any AWS IAM role — including roles assumed via IRSA (IAM Roles for Service Accounts) on EKS.

Inputs required:

GCP_PROJECT_ID — Your GCP project ID
PROJECT_NUMBER — Your GCP project number
POOL_NAME — Name for the Workload Identity Pool (e.g. tfy-<cluster-name>-aws-pool)
PROVIDER_NAME — Name for the Workload Identity Provider (e.g. tfy-<cluster-name>-aws-provider)
GSA_NAME — Name for the Google Cloud service account (e.g. tfy-<cluster-name>-platform)
AWS_ACCOUNT_ID — Your AWS account ID (e.g. 123456789012)
AWS_IAM_ROLE_ARN — The ARN of the AWS IAM role (e.g. arn:aws:iam::123456789012:role/my-truefoundry-role)
AWS_IAM_ROLE_NAME — The name of the AWS IAM role (e.g. my-truefoundry-role)

export GCP_PROJECT_ID=<GCP_PROJECT_ID>
export PROJECT_NUMBER=<GCP_PROJECT_NUMBER>
export POOL_NAME=tfy-<cluster-name>-aws-pool
export PROVIDER_NAME=tfy-<cluster-name>-aws-provider
export GSA_NAME=tfy-<cluster-name>-platform
export AWS_IAM_ROLE_ARN=<AWS_IAM_ROLE_ARN>
export AWS_IAM_ROLE_NAME=<AWS_IAM_ROLE_NAME>
export AWS_ACCOUNT_ID=<AWS_ACCOUNT_ID>
export GSA_EMAIL=$GSA_NAME@$GCP_PROJECT_ID.iam.gserviceaccount.com

Step 1 — Create a Workload Identity Pool

gcloud iam workload-identity-pools create $POOL_NAME \
  --location="global" \
  --description="Workload identity pool for AWS" \
  --display-name="$POOL_NAME" \
  --project="$GCP_PROJECT_ID"

Step 2 — Create an AWS Workload Identity Provider

gcloud iam workload-identity-pools providers create-aws $PROVIDER_NAME \
  --location="global" \
  --workload-identity-pool="$POOL_NAME" \
  --account-id="$AWS_ACCOUNT_ID" \
  --attribute-mapping="google.subject=assertion.arn,attribute.aws_role=assertion.arn.extract('/assumed-role/{role}/')" \
  --attribute-condition='assertion.arn.startsWith("arn:aws:sts::$AWS_ACCOUNT_ID:assumed-role/$AWS_IAM_ROLE_NAME/")'
  --attribute-condition="assertion.arn == '$AWS_IAM_ROLE_ARN'" \
  --project="$GCP_PROJECT_ID"

Step 3 — Create a Google Cloud Service Account

gcloud iam service-accounts create $GSA_NAME \
  --project="$GCP_PROJECT_ID" \
  --display-name="$GSA_NAME"

Step 4 — Allow the AWS IAM Role to Impersonate the GCP Service AccountGrant the roles/iam.workloadIdentityUser role so the AWS IAM role (via the workload identity pool) can impersonate the Google Cloud service account:

gcloud iam service-accounts add-iam-policy-binding $GSA_EMAIL \
  --member="principal://iam.googleapis.com/projects/$PROJECT_NUMBER/locations/global/workloadIdentityPools/$POOL_NAME/subject/$AWS_IAM_ROLE_ARN" \
  --role="roles/iam.workloadIdentityUser" \
  --project="$GCP_PROJECT_ID"

Step 5 — Generate the Credential Configuration File

gcloud iam workload-identity-pools create-cred-config \
  projects/$PROJECT_NUMBER/locations/global/workloadIdentityPools/$POOL_NAME/providers/$PROVIDER_NAME \
  --service-account=$GSA_EMAIL \
  --aws \
  --output-file=credential-configuration.json

The generated credential-configuration.json uses AWS STS GetCallerIdentity as the credential source and exchanges it for a Google Cloud access token. Provide this file in TrueFoundry under Workload Identity Federation file when adding the GCP provider account.

Integrations

Google Cloud Storage Integration

Follow the steps below to connect GCS storage to TrueFoundry:

Create a GCP bucket.
- Make sure to add the lifecycle configurations on the bucket to delete multipart upload after 7 days.
- For this go to GCP bucket -> Lifecycle -> Add a rule
- Select Delete multi-part upload for 7 days
We also need to add the CORS policy to the GCP bucket. Right now adding the CORS policy to the GCP bucket is not possible through the console so for this, we will use gsutil
1. Create a file called cors.json using the below command
cat > cors.json <<EOF [ { "origin": ["*"], "method": ["GET", "POST", "PUT"], "maxAgeSeconds": 3600 } ] EOF
1. Attach the above CORS policy to the service account by running the following command using gsutils
gsutil cors set cors.json gs://BUCKET_NAME

Create a custom IAM role with the following permissions and add to the serviceaccount created above:

[
  "storage.objects.create",
  "storage.objects.delete",
  "storage.objects.get",
  "storage.objects.list",
  "storage.objects.update",
  "storage.buckets.create",
  "storage.buckets.get",
  "storage.buckets.list",
  "storage.buckets.create",
  "storage.buckets.update",
  "storage.multipartUploads.create",
  "storage.multipartUploads.list",
  "storage.multipartUploads.listParts",
  "storage.multipartUploads.abort",
  "resourcemanager.projects.get",
];

Add the following IAM condition - resource.name.startsWith('projects/\_/buckets/<bucket name>}')
Navigate to Integrations tab and follow the steps shown the previous demo to integrate your storage.

Google Artifact Registry Integration

Create a custom IAM role with the following permissions and add to the serviceaccount created above:

[
  "artifactregistry.dockerimages.get",
  "artifactregistry.dockerimages.list",
  "artifactregistry.locations.get",
  "artifactregistry.locations.list",
  "artifactregistry.repositories.get",
  "artifactregistry.repositories.list",
  "artifactregistry.repositories.create",
  "artifactregistry.repositories.createTagBinding",
  "artifactregistry.repositories.delete",
  "artifactregistry.repositories.deleteArtifacts",
  "artifactregistry.repositories.deleteTagBinding",
  "artifactregistry.repositories.downloadArtifacts",
  "artifactregistry.repositories.get",
  "artifactregistry.repositories.getIamPolicy",
  "artifactregistry.repositories.list",
  "artifactregistry.repositories.listEffectiveTags",
  "artifactregistry.repositories.listTagBindings",
  "artifactregistry.repositories.update",
  "artifactregistry.repositories.uploadArtifacts",
  "artifactregistry.tags.get",
  "artifactregistry.tags.list",
  "artifactregistry.tags.create",
  "artifactregistry.tags.update",
  "artifactregistry.versions.get",
  "artifactregistry.versions.list",
  "artifactregistry.versions.delete",
];

Navigate to Integrations tab and follow the steps shown the previous demo to integrate your Artifact registry.

Google Secrets Manager Integration

Create a custom IAM role with the following permissions and add to the serviceaccount created above:

[
  "secretmanager.secrets.get",
  "secretmanager.secrets.list",
  "secretmanager.secrets.create",
  "secretmanager.secrets.delete",
  "secretmanager.secrets.update",
  "secretmanager.versions.access",
  "secretmanager.versions.list",
  "secretmanager.versions.get",
  "secretmanager.versions.add",
  "secretmanager.versions.destroy",
  "resourcemanager.projects.get",
];

Add the following IAM condition- resource.name.startsWith('projects/<GCP Project Number>/secrets/tfy')
Navigate to Integrations tab and follow the steps shown the previous demo to integrate your secret manager.

Google GKE Cluster Integration

Create a custom IAM role with the following permissions and add to the serviceaccount created above:

[
  "container.clusters.get",
  "container.clusters.list",
  "container.clusters.update",
  "container.nodes.delete",
  "container.nodes.list",
  "container.nodes.get",
  "container.nodes.getStatus",
  "container.nodes.list",
  "container.operations.get",
  "resourcemanager.projects.get",
];

Navigate to Integrations tab and follow the steps shown the previous demo to integrate your GKE cluster.

Google Vertex Model Integration

Create the GCP Provider Account as described in the demo at the top of this document.
Create a custom IAM role with the following permission and add to the serviceaccount created above:
["aiplatform.endpoints.predict"];
Navigate to Integrations tab and edit the GCP Provider Account previously created and add the required models using their model id and they should start showing up in the AI Gateway. Here’s an example of adding gemini-1.5-flash-001.

​Create a custom serviceaccount

​Integrations

Create a custom serviceaccount

Integrations