google-workload-identity-federation

🔐 Google Cloud Workload Identity Federation Examples and How-To


Workload Identity Federation

Service account keys are a security risk if compromised. Avoid service account keys and instead use the Workload Identity Federation. You can learn more about the best way to authenticate service accounts on Google Cloud in this repo.

Unlike JSON service account keys, Workload Identity Federation generates short-lived OAuth 2.0 or JWT credentials. By default, these credentials automatically expire one hour after they are created, potentially reducing the time a malicious actor would be able to exploit a compromised credential.

Because Workload Identity Federation uses short-lived credentials, there are no secrets to rotate or manage beyond the initial configuration.


```mermaid
graph TD;
  user(GitHub, GitLab etc...) --> |1| token[GCP Security Token Services];
  token <--> |2| pool[Workload Identity Pool]
  user --> |3| sa[Service Account];
  sa --> gcp[Google Cloud Platform Service]
  user -.-> pool
  pool -.-> sa
```

How-tos

Warning Update 2024/04/04: GitHub and GitLab SaaS use a single issuer URL across all organizations and some of the claims embedded in OIDC tokens might not be unique to your organization. To help protect against spoofing threats, you must use an attribute condition that restricts access to tokens issued by your GitHub organization or GitLab group. This How-To has been updated to take this into account.

Set up Identity Federation for:

You can check the settings in Google Cloud Console.

If you have understood the concept, you can also use my Terraform modules:

This Terraform IaC makes the setup much faster, easier, and less error prone.
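The attribute condition from the warning above, shown in plain Terraform as an added example rather than this repository's own module code. The weak provider is included only to show what is missing; `var.project_id`, `var.github_org` and `var.github_repo` are assumed inputs.

```hcl
# Added example (not the repo's module). Variables are assumed:
# project_id, github_org (GitHub organization), github_repo (repository name).
resource "google_iam_workload_identity_pool" "github" {
  project                   = var.project_id
  workload_identity_pool_id = "github-pool"
}

# WEAK: no attribute_condition. token.actions.githubusercontent.com is the
# single issuer for every GitHub organization, so nothing here ties the
# provider to your organization; scoping relies on the IAM binding alone.
resource "google_iam_workload_identity_pool_provider" "github_weak" {
  project                            = var.project_id
  workload_identity_pool_id          = google_iam_workload_identity_pool.github.workload_identity_pool_id
  workload_identity_pool_provider_id = "github-weak"
  attribute_mapping = {
    "google.subject"             = "assertion.sub"
    "attribute.repository"       = "assertion.repository"
    "attribute.repository_owner" = "assertion.repository_owner"
  }
  oidc {
    issuer_uri = "https://token.actions.githubusercontent.com"
  }
}

# HARDENED: the attribute condition rejects every token whose
# repository_owner claim is not your organization, before any IAM
# binding is evaluated.
resource "google_iam_workload_identity_pool_provider" "github" {
  project                            = var.project_id
  workload_identity_pool_id          = google_iam_workload_identity_pool.github.workload_identity_pool_id
  workload_identity_pool_provider_id = "github"
  attribute_mapping = {
    "google.subject"             = "assertion.sub"
    "attribute.repository"       = "assertion.repository"
    "attribute.repository_owner" = "assertion.repository_owner"
  }
  attribute_condition = "assertion.repository_owner == '${var.github_org}'"
  oidc {
    issuer_uri = "https://token.actions.githubusercontent.com"
  }
}

# Bind one repository (not the whole pool) to the service account.
resource "google_service_account_iam_member" "github_wif" {
  service_account_id = google_service_account.deploy.name # assumed to exist
  role               = "roles/iam.workloadIdentityUser"
  member             = "principalSet://iam.googleapis.com/${google_iam_workload_identity_pool.github.name}/attribute.repository/${var.github_org}/${var.github_repo}"
}
```

The `github_weak` resource is there for comparison only; apply the `github` provider with the condition.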

Disable Service Account Keys

You can disable key creation for service accounts via the organization policy constraint: constraints/iam.disableServiceAccountKeyCreation

This organization policy constraint is not mandatory, but with it you can be sure that no one will create new service account keys and Workload Identity Federation will be used.

License

All files in this repository are under the Apache License, Version 2.0 unless noted otherwise.

Portions of this repository are modifications based on work created and shared by Google and used according to terms described in the Creative Commons 4.0 Attribution License.

Please note:

  • No warranty
  • No official Google product