
Workload identity federation in GCP - Commands & Configuration

Introduction
Workload identity federation lets your applications outside Google Cloud securely access Google Cloud resources without using long-lived service account keys. It solves the problem of managing and rotating keys by using trusted identity providers instead.
When you run applications on AWS or Azure and want them to access Google Cloud Storage without storing service account keys.
When you have on-premises servers that need to access Google Cloud BigQuery securely.
When you want to avoid managing service account keys for security reasons.
When you want to use short-lived credentials issued dynamically for Google Cloud access.
When you want to simplify authentication for CI/CD pipelines running outside Google Cloud.
Config File - workload_identity_pool.yaml
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMWorkloadIdentityPool
metadata:
  name: example-pool
  namespace: gcp-resources
spec:
  # Config Connector IAM resources name their project explicitly via projectRef;
  # "my-project" is the project ID used by the gcloud commands on this page.
  projectRef:
    external: "projects/my-project"
  description: "Example workload identity pool for external identities"
  disabled: false
  displayName: "Example Pool"
  location: global
---
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMWorkloadIdentityPoolProvider
metadata:
  name: example-provider
  namespace: gcp-resources
spec:
  projectRef:
    external: "projects/my-project"
  location: global
  workloadIdentityPoolRef:
    name: example-pool
  displayName: "Example Provider"
  description: "OIDC provider for external identities"
  oidc:
    issuerUri: https://accounts.google.com
  attributeMapping:
    # google.subject is mandatory; the attribute.* entries become custom
    # attributes that IAM member strings can reference.
    "google.subject": "assertion.sub"
    "attribute.actor": "assertion.actor"
    "attribute.aud": "assertion.aud"

This YAML file creates a Workload Identity Pool named example-pool which acts as a container for external identities. It also creates a Workload Identity Pool Provider named example-provider that connects the pool to an external OpenID Connect (OIDC) identity provider, here Google Accounts. The attributeMapping maps claims from the external identity token to Google Cloud attributes used for authentication.

Commands
This command creates the workload identity pool and provider in Google Cloud using Config Connector. It sets up the trust relationship with the external identity provider.
Terminal
kubectl apply -f workload_identity_pool.yaml
Expected Output
iamworkloadidentitypool.iam.cnrm.cloud.google.com/example-pool created
iamworkloadidentitypoolprovider.iam.cnrm.cloud.google.com/example-provider created
This command grants the workload identity pool permission to impersonate the Google Cloud service account named example-sa. This allows external identities from the pool to access resources as this service account.
Terminal
gcloud iam service-accounts add-iam-policy-binding example-sa@my-project.iam.gserviceaccount.com --role roles/iam.workloadIdentityUser --member "principalSet://iam.googleapis.com/projects/123456789012/locations/global/workloadIdentityPools/example-pool/*"
Expected Output
Updated IAM policy for serviceAccount [example-sa@my-project.iam.gserviceaccount.com].
--role - Specifies the IAM role to grant
--member - Specifies the identity or group to grant the role
This command uses an external identity token file to authenticate as the workload identity user. It obtains short-lived credentials to access Google Cloud resources.
Terminal
gcloud auth login --brief --cred-file=external-identity-token.json
Expected Output
Activated service account credentials for: [example-sa@my-project.iam.gserviceaccount.com]
--cred-file - Specifies the external identity token file to use
This command lists the storage buckets in the project using the authenticated credentials from workload identity federation.
Terminal
gcloud storage buckets list --project=my-project
Expected Output
NAME            LOCATION  STORAGE CLASS
example-bucket  US        STANDARD
--project - Specifies the Google Cloud project to list buckets from
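As an added example that is not part of the original page: the Python below (standard library only, constructed values matching the identifiers used in the commands above) builds the external_account credential configuration that the --cred-file command consumes, and classifies the --member string from the add-iam-policy-binding command by how broadly it grants impersonation. The /* form used above lets every identity in the pool impersonate the service account, so checking the scope before granting is a useful review step.

```python
import re

# Constructed example values; they match the identifiers used in the commands above.
PROJECT_NUMBER = "123456789012"
POOL_ID = "example-pool"
PROVIDER_ID = "example-provider"
SERVICE_ACCOUNT = "example-sa@my-project.iam.gserviceaccount.com"
STS_TOKEN_URL = "https://sts.googleapis.com/v1/token"
IMPERSONATION_URL = ("https://iamcredentials.googleapis.com/v1/projects/-/"
                     "serviceAccounts/{sa}:generateAccessToken")


def build_credential_config(project_number, pool_id, provider_id,
                            service_account, token_file):
    """Build the external_account credential configuration gcloud reads via
    --cred-file. It holds no secret: only where the external token is read from
    and which pool, provider and service account it is exchanged against."""
    audience = (f"//iam.googleapis.com/projects/{project_number}/locations/global/"
                f"workloadIdentityPools/{pool_id}/providers/{provider_id}")
    return {
        "type": "external_account",
        "audience": audience,
        "subject_token_type": "urn:ietf:params:oauth:token-type:jwt",
        "token_url": STS_TOKEN_URL,
        "service_account_impersonation_url": IMPERSONATION_URL.format(sa=service_account),
        # The external token is read from a file; "text" means the file is the raw JWT.
        "credential_source": {"file": token_file, "format": {"type": "text"}},
    }


_MEMBER_RE = re.compile(
    r"^principal(Set)?://iam\.googleapis\.com/projects/(?P<project>\d+)/locations/global/"
    r"workloadIdentityPools/(?P<pool>[^/]+)/(?P<scope>.+)$")


def member_scope(member):
    """Classify a workload identity member string as used with --member.
    'pool' means every identity the provider accepts may impersonate the
    service account; 'attribute' and 'subject' narrow that to a mapped
    attribute value (or group) or to a single external identity."""
    m = _MEMBER_RE.match(member)
    if not m:
        raise ValueError(f"not a workload identity member: {member}")
    scope = m.group("scope")
    if scope == "*":
        return "pool"
    if scope.startswith(("attribute.", "group/")):
        return "attribute"
    if scope.startswith("subject/"):
        return "subject"
    raise ValueError(f"unrecognised member scope: {scope}")
```

Serialise the returned dict with json.dump to produce the file passed to --cred-file; the token file it points at is read by gcloud at authentication time and is never embedded in the configuration.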
Key Concept

If you remember nothing else from this pattern, remember: workload identity federation lets external apps securely access Google Cloud without storing service account keys by trusting external identities.

Common Mistakes
Not granting the workload identity pool permission to impersonate the service account.
Without this permission, external identities cannot access Google Cloud resources as the service account.
Use gcloud iam service-accounts add-iam-policy-binding to grant roles/iam.workloadIdentityUser to the workload identity pool.
Using expired or invalid external identity tokens for authentication.
Authentication will fail because tokens must be valid and trusted by the workload identity provider.
Ensure tokens are fresh and issued by the configured external identity provider.
Misconfiguring attribute mappings in the workload identity pool provider.
Incorrect mappings prevent Google Cloud from recognizing external identities properly.
Map external token claims correctly to Google attributes like google.subject.
Summary
Create a workload identity pool and provider to trust external identities.
Grant the pool permission to impersonate a Google Cloud service account.
Authenticate using external identity tokens to get short-lived credentials.
Use these credentials to access Google Cloud resources securely.