GCP | cloud | ~30 mins

Workload identity federation in GCP - Mini Project: Build & Apply

Workload Identity Federation Setup on GCP
📖 Scenario: You work for a company that wants to securely allow an application running outside Google Cloud to access Google Cloud resources without using long-lived service account keys. You will set up Workload Identity Federation to enable this secure access.
🎯 Goal: Set up Workload Identity Federation by creating a Google Cloud service account, configuring an identity pool, and establishing a provider that allows an external workload to authenticate and access Google Cloud resources securely.
📋 What You'll Learn
Create a Google Cloud service account named external-app-sa
Create an identity pool named external-identity-pool
Create a workload identity provider named external-provider in the identity pool
Configure the provider with the correct issuer URI and attribute mappings
Grant the service account the roles/storage.objectViewer role
Allow the identity pool members to impersonate the service account
💡 Why This Matters
🌍 Real World
Workload Identity Federation allows applications running outside Google Cloud to securely access Google Cloud resources without managing long-lived service account keys, improving security and operational efficiency.
💼 Career
Cloud engineers and security specialists use workload identity federation to implement secure, scalable authentication for hybrid and multi-cloud environments.
1
Create the Google Cloud service account
Use the gcloud command to create a service account named external-app-sa in your project. The command should be exactly: gcloud iam service-accounts create external-app-sa --display-name="External Application Service Account"
GCP
Hint: Use the gcloud iam service-accounts create command with the exact service account name external-app-sa.

2
Create the identity pool
Create an identity pool named external-identity-pool using the gcloud command. Use the exact command: gcloud iam workload-identity-pools create external-identity-pool --location="global" --display-name="External Identity Pool"
GCP
Hint: Use gcloud iam workload-identity-pools create with the exact pool name external-identity-pool and location global.

3
Create the workload identity provider
Create a workload identity provider named external-provider in the identity pool external-identity-pool. Use the issuer URI https://accounts.google.com and map the attribute google.subject to assertion.sub, so the sub claim of the external token becomes the identity that IAM sees and binds to. Use the exact command: gcloud iam workload-identity-pools providers create-oidc external-provider --location="global" --workload-identity-pool="external-identity-pool" --display-name="External Provider" --issuer-uri="https://accounts.google.com" --attribute-mapping="google.subject=assertion.sub". In a real deployment the issuer URI is that of the identity provider which actually issues the external workload's tokens; Google Cloud validates incoming tokens against that issuer's OIDC discovery document and signing keys.
GCP
Hint: Use gcloud iam workload-identity-pools providers create-oidc with the exact provider name external-provider, issuer URI, and attribute mapping.

4
Grant roles and allow impersonation
Grant the service account external-app-sa the role roles/storage.objectViewer using gcloud projects add-iam-policy-binding. Then allow members of the identity pool to impersonate the service account by binding roles/iam.workloadIdentityUser on the service account to the member principalSet://iam.googleapis.com/projects/-/locations/global/workloadIdentityPools/external-identity-pool/*. Use these exact commands, replacing YOUR_PROJECT_ID with your actual project ID:

gcloud projects add-iam-policy-binding YOUR_PROJECT_ID --member="serviceAccount:external-app-sa@YOUR_PROJECT_ID.iam.gserviceaccount.com" --role="roles/storage.objectViewer"

gcloud iam service-accounts add-iam-policy-binding external-app-sa@YOUR_PROJECT_ID.iam.gserviceaccount.com --member="principalSet://iam.googleapis.com/projects/-/locations/global/workloadIdentityPools/external-identity-pool/*" --role="roles/iam.workloadIdentityUser"

The trailing /* makes every identity the pool accepts a permitted impersonator of the service account. Outside this lab, narrow that to a single external identity (principal://.../subject/SUBJECT) or to identities selected by an attribute condition on the provider, and grant storage.objectViewer on the specific bucket rather than on the whole project.
GCP
Hint: Use gcloud projects add-iam-policy-binding to grant the storage object viewer role to the service account. Then use gcloud iam service-accounts add-iam-policy-binding to allow the identity pool members to impersonate the service account.
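The four steps above as one reviewable script, added here as an example (it is not part of the lab and not Google's code). It runs the same gcloud commands behind a DRY_RUN switch that prints them instead of executing them, applies the tighter variants a reviewer would ask for (an attribute condition on the provider, a principal:// binding for one subject instead of the whole pool, a bucket-level rather than project-level grant), and finishes by generating the credential configuration the external workload uses in place of a key file. The project ID, project number, bucket name and external subject are placeholders; the pool path follows Google's documented form, which uses the project number.

```shell
#!/bin/sh
# Added example (not from the lab page): end-to-end Workload Identity
# Federation setup with a dry-run mode and least-privilege bindings.
# All values below are placeholders; override them via the environment.
set -eu

PROJECT_ID="${PROJECT_ID:-my-project-id}"           # placeholder
PROJECT_NUMBER="${PROJECT_NUMBER:-123456789012}"    # placeholder
POOL_ID="${POOL_ID:-external-identity-pool}"
PROVIDER_ID="${PROVIDER_ID:-external-provider}"
SA_NAME="${SA_NAME:-external-app-sa}"
ISSUER_URI="${ISSUER_URI:-https://accounts.google.com}"
BUCKET="${BUCKET:-my-app-bucket}"                   # placeholder
SA_EMAIL="${SA_NAME}@${PROJECT_ID}.iam.gserviceaccount.com"

# Run a command, or only print it when DRY_RUN=1, so the IAM changes
# can be reviewed before anything is applied.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Full pool resource name. IAM member strings use the project NUMBER.
pool_name() {
  printf 'projects/%s/locations/global/workloadIdentityPools/%s' "$PROJECT_NUMBER" "$POOL_ID"
}

# Audience the external token must carry (also used in the credential config).
provider_audience() {
  printf '//iam.googleapis.com/%s/providers/%s' "$(pool_name)" "$PROVIDER_ID"
}

# Member string for ONE external subject (principal://): least privilege.
member_for_subject() {
  printf 'principal://iam.googleapis.com/%s/subject/%s' "$(pool_name)" "$1"
}

# Member string for EVERY identity the pool accepts (principalSet://.../*),
# i.e. the broad form the lab step uses. Kept here for comparison only.
member_for_pool() {
  printf 'principalSet://iam.googleapis.com/%s/*' "$(pool_name)"
}

# Perform the setup for one external subject (the token's `sub` claim).
setup_wif() {
  subject="$1"

  run gcloud iam service-accounts create "$SA_NAME" \
    --project="$PROJECT_ID" --display-name="External Application Service Account"

  run gcloud iam workload-identity-pools create "$POOL_ID" \
    --project="$PROJECT_ID" --location=global --display-name="External Identity Pool"

  # Attribute condition: tokens from the issuer are rejected at the pool
  # boundary unless their subject matches, before any IAM binding applies.
  run gcloud iam workload-identity-pools providers create-oidc "$PROVIDER_ID" \
    --project="$PROJECT_ID" --location=global --workload-identity-pool="$POOL_ID" \
    --display-name="External Provider" --issuer-uri="$ISSUER_URI" \
    --attribute-mapping="google.subject=assertion.sub" \
    --attribute-condition="assertion.sub == '${subject}'"

  # objectViewer on the one bucket the workload needs, not project-wide.
  run gcloud storage buckets add-iam-policy-binding "gs://${BUCKET}" \
    --member="serviceAccount:${SA_EMAIL}" --role=roles/storage.objectViewer

  # Only this subject may impersonate the service account.
  run gcloud iam service-accounts add-iam-policy-binding "$SA_EMAIL" \
    --project="$PROJECT_ID" \
    --member="$(member_for_subject "$subject")" --role=roles/iam.workloadIdentityUser

  # Credential config the external workload loads instead of a key file;
  # the token path is an assumed location for the workload's OIDC token.
  run gcloud iam workload-identity-pools create-cred-config \
    "$(pool_name)/providers/${PROVIDER_ID}" \
    --service-account="$SA_EMAIL" \
    --credential-source-file=/var/run/secrets/oidc/token \
    --output-file=credential-config.json
}

# Usage: DRY_RUN=1 sh setup-wif.sh   (prints the commands)
#        PROJECT_ID=... PROJECT_NUMBER=... BUCKET=... sh setup-wif.sh
# Call setup_wif "<external subject>" from a wrapper or an interactive shell.
```

Run it first with DRY_RUN=1 and read the printed member strings: a principal:// member names exactly one identity, while the principalSet://.../* member from the lab step admits every identity the pool accepts, which with a public issuer and no attribute condition can be far more than intended.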