Recall & Review
beginner
What is Workload Identity Federation in Google Cloud?
Workload Identity Federation lets your applications outside Google Cloud securely access Google Cloud resources without using long-lived service account keys.
beginner
How does Workload Identity Federation improve security compared to service account keys?
It avoids storing and managing long-lived keys by using short-lived tokens from external identity providers, reducing risk of key leaks.
intermediate
Which external identity providers can be used with Workload Identity Federation?
Common providers include AWS, Azure, OIDC providers such as Okta, and any other provider that issues OpenID Connect tokens.
intermediate
What is the role of a Workload Identity Pool in federation?
A Workload Identity Pool groups external identities and lets you define trust relationships and permissions for those identities to access Google Cloud.
advanced
Describe the main steps to configure Workload Identity Federation for an external workload.
1. Create a Workload Identity Pool in Google Cloud.
2. Add a provider that trusts your external identity.
3. Create a service account and grant it roles.
4. Configure your external workload to request tokens from the provider and exchange them for Google credentials.
What does Workload Identity Federation replace in Google Cloud authentication?
A. OAuth client secrets
B. User passwords
C. Long-lived service account keys
D. API keys
Workload Identity Federation replaces the need for long-lived service account keys by using short-lived tokens from external identity providers.
Which protocol is commonly used by external identity providers in Workload Identity Federation?
A. OpenID Connect (OIDC)
B. FTP
C. SMTP
D. SOAP
OpenID Connect (OIDC) is the standard protocol used for identity federation with Google Cloud.
What is a Workload Identity Pool used for?
A. Storing service account keys
B. Configuring network firewalls
C. Managing virtual machines
D. Grouping external identities for trust and access control
A Workload Identity Pool groups external identities and defines trust relationships for access.
Which of the following is NOT a benefit of Workload Identity Federation?
A. Requires manual rotation of keys every 30 days
B. Allows external workloads to access Google Cloud securely
C. Eliminates need to manage service account keys
D. Uses short-lived tokens for authentication
Workload Identity Federation removes the need for manual key rotation by avoiding long-lived keys.
To use Workload Identity Federation, you must first:
A. Create a Google Cloud Storage bucket
B. Create a Workload Identity Pool in Google Cloud
C. Enable the Compute Engine API
D. Generate a service account key file
Creating a Workload Identity Pool is the first step to set up federation.
Explain how Workload Identity Federation enhances security for external workloads accessing Google Cloud.
Think about how keys and tokens differ in security.
Describe the main components and steps involved in setting up Workload Identity Federation in Google Cloud.
Consider the flow from external identity to Google Cloud access.
Practice
1. What is the main purpose of Workload Identity Federation in Google Cloud?
easy
A. Encrypt data stored in Google Cloud Storage
B. Create virtual machines automatically
C. Manage billing accounts for Google Cloud projects
D. Allow external applications to access Google Cloud without using long-lived keys
Solution
Step 1: Identify the purpose of Workload Identity Federation
It is designed to let external apps access Google Cloud resources securely without needing to manage long-lived service account keys.
Step 2: Compare options with this purpose
Only "Allow external applications to access Google Cloud without using long-lived keys" matches this purpose. The other options describe unrelated Google Cloud features.
Final Answer:
Allow external applications to access Google Cloud without using long-lived keys -> Option D
Quick Check:
Workload Identity Federation = access without keys
Hint: Remember: federation means access without keys
Common Mistakes:
Confusing federation with VM creation
Thinking it manages billing
Assuming it encrypts storage data
2. Which of the following is the correct way to create a workload identity pool using gcloud CLI?
easy
A. gcloud iam service-accounts create POOL_ID --project=my-project
B. gcloud iam workload-identity-pools create POOL_ID --location=global
C. gcloud compute instances create POOL_ID --zone=global
D. gcloud storage buckets create POOL_ID --location=global
Solution
Step 1: Identify the correct gcloud command for workload identity pools
The command to create a workload identity pool is under 'gcloud iam workload-identity-pools create' with a pool ID and location.
Step 2: Check each option
"gcloud iam workload-identity-pools create POOL_ID --location=global" matches the correct syntax. Options A, C, and D relate to other services: service accounts, compute instances, and storage buckets.
Final Answer:
gcloud iam workload-identity-pools create POOL_ID --location=global -> Option B
Quick Check:
Workload identity pool creation uses 'gcloud iam workload-identity-pools create'
Hint: Look for the 'iam workload-identity-pools create' command
Common Mistakes:
Using compute or storage commands instead
Confusing service account creation with pool creation
Missing the --location flag
3. Given this snippet to configure a workload identity provider:
A. It creates an OIDC provider in the specified pool trusting identities from the issuer URI
B. It deletes the workload identity pool named my-pool
C. It creates a service account named my-provider
D. It sets IAM permissions for the service account
Solution
Step 1: Analyze the command purpose
The command creates an OIDC identity provider inside a workload identity pool, specifying the issuer URI and allowed audiences.
Step 2: Match behavior to options
"It creates an OIDC provider in the specified pool trusting identities from the issuer URI" correctly describes creating a provider that trusts external identities. The other options describe unrelated actions.
Final Answer:
It creates an OIDC provider in the specified pool trusting identities from the issuer URI -> Option A
Quick Check:
Provider creation = trust external issuer
Hint: OIDC provider means trusting an external issuer
Common Mistakes:
Thinking it deletes pools
Confusing provider with service account creation
Assuming it sets IAM permissions directly
4. You run this command to grant an external identity access to a service account:
But the external app still cannot access the service account. What is the most likely error?
medium
A. The service account does not exist
B. The role roles/iam.workloadIdentityUser is invalid
C. The member string format is incorrect or does not match the external identity
D. The workload identity pool was deleted
Solution
Step 1: Check the member string format
The member string must exactly match the external identity's attributes as mapped by the provider. A mismatch or typo means the binding applies to no identity, so access is denied.
Step 2: Verify other options
The service account likely exists if the command ran. The role is valid. Pool deletion would cause different errors.
Final Answer:
The member string format is incorrect or does not match the external identity -> Option C
Quick Check:
Member string must match identity exactly
Hint: Check that the member string matches the external identity exactly
Common Mistakes:
Using wrong member string format
Assuming role is invalid
Ignoring pool existence
5. You want to allow an external CI/CD system to deploy to your Google Cloud project using workload identity federation. Which combination of steps is required to set this up securely?
hard
A. Create a workload identity pool and provider for the CI/CD system, then grant the provider access to a service account with minimal roles
B. Create a service account key and share it with the CI/CD system, then assign owner role to the service account
C. Create a VM instance and install the CI/CD system there with full project permissions
D. Enable billing API and assign billing admin role to the CI/CD system
Solution
Step 1: Create workload identity pool and provider
This lets the external CI/CD system authenticate without keys by trusting its identity.
Step 2: Grant minimal permissions to a service account
Assign only needed roles to the service account and allow the provider to impersonate it, following least privilege.
Final Answer:
Create a workload identity pool and provider for the CI/CD system, then grant the provider access to a service account with minimal roles -> Option A
Quick Check:
Use federation + minimal roles for secure access
Hint: Use federation and least-privilege roles