• Grant on-premises/multi-cloud workloads access to Google Cloud resources
  • Removes need to Service Account keys
    • Powerful creds
    • Security risk
  • Workload Identity Pools
    • Entity to manage external identities
    • Recommended: new pool for each non-Google Cloud environment requiring access—e.g. dev, staging, prod etc.
  • Workload Identity Pool Providers
    • Describe relationship between Google Cloud and IdP
    • Options (any provider that supports OpenID Connect (OIDC)):
      • AWS
      • Azure Active Directory
      • On-prem Active Directory Federation Services (ADFS)
      • Okta
      • Kubernetes clusters
  • Follows OAuth 2.0 token exchange spec
    • Provide creds from IdP to Security Token Service—returns federated token
  • If workload doesn’t have public OIDC endpoint
    • Upload JSON Web Key Sets (JWKS) directly to pool
    • e.g. Terraform or GitHub Enterprise hosted in own environment
    • e.g. For regulator requirements

Service Account Impersonation

  • Use federated access token to obtain short-lived OAuth 2.0 access token
  • Use to impersonate service account
  • Grant external identity roles/iam.workloadIdentityUser on service account with roles required by workload

Graph View