Workload identity federation for the Google BigQuery, Google Cloud Pub/Sub, and Google Cloud Storage connections is supported by any identity provider that supports OpenID Connect (OIDC) or SAML 2.0.
These examples are for AWS with Amazon Cognito and for Microsoft Azure.
AWS
Configure workload identity federation in Amazon Cognito
-
Create an OIDC identity provider (IdP) with Cognito by following the instructions in the Amazon documentation:
For more information, see Getting started with Amazon Cognito.
-
Create a group and user in the IdP with the AWS console. Or you can use AWS CLI:
CLIENT_ID=YourClientId ISSUER_URL=https://cognito-idp.YourRegion.amazonaws.com/YourPoolId POOL_ID=YourPoolId USERNAME=YourUsername PASSWORD=YourPassword GROUPNAME=YourGroupName aws cognito-idp admin-create-user --user-pool-id $POOL_ID --username $USERNAME --temporary-password Temp-Pass1 aws cognito-idp admin-set-user-password --user-pool-id $POOL_ID --username $USERNAME --password $PASSWORD --permanent aws cognito-idp create-group --group-name $GROUPNAME --user-pool-id $POOL_ID aws cognito-idp admin-add-user-to-group --user-pool-id $POOL_ID --username $USERNAME --group-name $GROUPNAME
-
From the AWS console, click View Hosted UI and log in to the IDP UI in a browser to ensure that any new password challenge is resolved.
-
Get an IdToken with the AWS CLI:
aws cognito-idp admin-initiate-auth --auth-flow ADMIN_USER_PASSWORD_AUTH --client-id $CLIENT_ID --auth-parameters USERNAME=$USERNAME,PASSWORD=$PASSWORD --user-pool-id $POOL_ID
For more information on the Amazon Cognito User Pools authentication flow, see AdminInitiateAuth.
Configure Google Cloud for Amazon Cognito
When you create the provider in Google Cloud, use these settings:
- Set Issuer (URL) to
https://cognito-idp.YourRegion.amazonaws.com/YourPoolId
. - Set Allowed Audience to your client ID.
- Under Attribute Mapping, map
google.subject
toassertion.sub
.
Create the connection with Amazon Cognito workload identity federation
-
Choose the Workload Identity Federation with access token authentication method.
-
For the Security Token Service audience field, use this format:
//iam.googleapis.com/projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/providers/PROVIDER_ID
-
For the Service account e-mail, enter the email address of the Google service account to be impersonated. For more information, see Create a service account for the external workload.
-
(Optional) Specify a value for the Service account token lifetime in seconds. The default lifetime of a service account access token is one hour. For more information, see URL-sourced credentials.
-
Set Token format to
Text
-
Set Token type to
ID token
Azure
Configure workload identity federation in Azure
-
Set an Application ID URI for the application. You can use the default Application ID URI (
api://APPID
) or specify a custom URI.
You can skip the instructions on creating a managed identity. -
Follow the instructions to create a new application secret to get an access token with the REST API.
For more information, see Configure workload identity federation with Azure.
Configure Google Cloud for Azure
- Follow the instructions: Configure workload identity federation.
- Follow the instructions: Create the workload identity pool and provider.
When you configure the provider, use these settings:
- Set Issuer (URL) to
https://sts.windows.net/TENANTID/
, whereTENANTID
is the tenant ID that you received when you set up Azure Active Directory. - Set the Allowed audience to the client ID that you received when you set up the app registration. Or specify another Application ID URI that you used when you set up the application identity in Azure.
- Under Attribute Mapping, map
google.subject
toassertion.sub
.
- Set Issuer (URL) to
Create the connection with Azure workload identity federation
-
Choose one of these authentication methods:
- Workload Identity Federation with access token
- Workload Identity Federation with token URL
-
For the Security Token Service audience field, use the format that is described in Authenticate a workload that uses the REST API. For example:
//iam.googleapis.com/projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/providers/PROVIDER_ID
-
For the Service account e-mail, enter the email address of the Google service account to be impersonated. For more information, see Create a service account for the external workload.
-
(Optional) Specify a value for the Service account token lifetime in seconds. The default lifetime of a service account access token is one hour. For more information, see URL-sourced credentials.
-
If you specified Workload Identity Federation with token URL, use these values:
- Token URL:
https://login.microsoftonline.com/TENANT_ID/oauth2/v2.0/token
. This URL will fetch a token from Azure. - HTTP method:
POST
- HTTP headers:
"Content-Type"="application/x-www-form-urlencoded;charset=UTF-8","Accept"="application/json"
- Request body:
grant_type=client_credentials&client_id=CLIENT_ID&client_secret=CLIENT_SECRET&scope=APPLICATION_ID_URI/.default
- Token URL:
-
For Token type, select ID token for an identity provider that complies with the OpenID Connect (OIDC) specification. For information, see Token types.
-
The Token format option depends on that authentication selection:
- Workload Identity Federation with access token: Select Text if you supplied the raw token value in the Access token field.
- Workload Identity Federation with token URL: For a response from the token URL in JSON format with the access token that is returned in a field named
access_token
, use these settings:- Token format:
JSON
- Token field name:
access_token
- Token format: