Workload identity federation examples

Workload identity federation for the Google BigQuery, Google Cloud Pub/Sub, and Google Cloud Storage connections is supported by any identity provider that supports OpenID Connect (OIDC) or SAML 2.0.

These examples are for AWS with Amazon Cognito and for Microsoft Azure.

AWS

Configure workload identity federation in Amazon Cognito

  1. Create an Amazon Cognito user pool with an app client by following the instructions in the Amazon documentation; the user pool acts as the OIDC identity provider (IdP).

    For more information, see Getting started with Amazon Cognito.

  2. Create a group and a user in the IdP with the AWS console, or use the AWS CLI:

    # Values from your Cognito user pool and app client.
    CLIENT_ID=YourClientId
    # ISSUER_URL is also the Issuer (URL) you enter for the Google Cloud provider.
    ISSUER_URL=https://cognito-idp.YourRegion.amazonaws.com/YourPoolId
    POOL_ID=YourPoolId
    USERNAME=YourUsername
    PASSWORD=YourPassword
    GROUPNAME=YourGroupName

    # Create the user with a temporary password, then replace it with a permanent
    # one so that no NEW_PASSWORD_REQUIRED challenge is left pending.
    aws cognito-idp admin-create-user --user-pool-id "$POOL_ID" --username "$USERNAME" --temporary-password Temp-Pass1
    aws cognito-idp admin-set-user-password --user-pool-id "$POOL_ID" --username "$USERNAME" --password "$PASSWORD" --permanent
    # Create the group and add the user to it.
    aws cognito-idp create-group --group-name "$GROUPNAME" --user-pool-id "$POOL_ID"
    aws cognito-idp admin-add-user-to-group --user-pool-id "$POOL_ID" --username "$USERNAME" --group-name "$GROUPNAME"

  3. From the AWS console, click View Hosted UI and log in to the IdP UI in a browser to make sure that no new-password challenge is pending for the user. While a challenge is pending, admin-initiate-auth returns a ChallengeName instead of tokens.

  4. Get an ID token with the AWS CLI. The app client must allow the ADMIN_USER_PASSWORD_AUTH flow (ALLOW_ADMIN_USER_PASSWORD_AUTH in its explicit auth flows). The value to use for the connection is IdToken in the AuthenticationResult of the response:

    aws cognito-idp admin-initiate-auth --auth-flow ADMIN_USER_PASSWORD_AUTH --client-id "$CLIENT_ID" --auth-parameters USERNAME="$USERNAME",PASSWORD="$PASSWORD" --user-pool-id "$POOL_ID"
    # To print only the ID token:
    aws cognito-idp admin-initiate-auth --auth-flow ADMIN_USER_PASSWORD_AUTH --client-id "$CLIENT_ID" --auth-parameters USERNAME="$USERNAME",PASSWORD="$PASSWORD" --user-pool-id "$POOL_ID" --query 'AuthenticationResult.IdToken' --output text
    

    For more information on the Amazon Cognito User Pools authentication flow, see AdminInitiateAuth.

Configure Google Cloud for Amazon Cognito

When you create the provider in Google Cloud, use these settings:

  • Set Issuer (URL) to https://cognito-idp.YourRegion.amazonaws.com/YourPoolId.
  • Set Allowed Audience to your app client ID, which is the aud claim of the Cognito ID token.
  • Under Attribute Mapping, map google.subject to assertion.sub.

Create the connection with Amazon Cognito workload identity federation

  1. Choose the Workload Identity Federation with access token authentication method.

  2. For the Security Token Service audience field, use this format:

    //iam.googleapis.com/projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/providers/PROVIDER_ID
    
  3. For the Service account e-mail, enter the email address of the Google service account to be impersonated. For more information, see Create a service account for the external workload.

  4. (Optional) Specify a value for the Service account token lifetime in seconds. The default lifetime of a service account access token is one hour. For more information, see URL-sourced credentials.

  5. Set Token format to Text.

  6. Set Token type to ID token.

Azure

Configure workload identity federation in Azure

  1. Create an Azure AD application and service principal.

  2. Set an Application ID URI for the application. You can use the default Application ID URI (api://APPID) or specify a custom URI.

    You can skip the instructions on creating a managed identity.

  3. Follow the instructions to create a new application secret (client secret) for the application. The token URL authentication method uses this secret with the client credentials grant to obtain an access token from the Microsoft identity platform REST API.

    For more information, see Configure workload identity federation with Azure.

Configure Google Cloud for Azure

  1. Follow the instructions: Configure workload identity federation.
  2. Follow the instructions: Create the workload identity pool and provider. When you configure the provider, use these settings:
    • Set Issuer (URL) to https://sts.windows.net/TENANTID/, where TENANTID is the tenant ID that you received when you set up Azure Active Directory. The value must match the iss claim of the tokens exactly, including the trailing slash.
    • Set the Allowed audience to the client ID that you received when you set up the app registration, or to the Application ID URI (for example api://APPID) that you set when you configured the application identity in Azure. The value must match the aud claim of the tokens that are issued to the application.
    • Under Attribute Mapping, map google.subject to assertion.sub.

Create the connection with Azure workload identity federation

  1. Choose one of these authentication methods:

    • Workload Identity Federation with access token
    • Workload Identity Federation with token URL
  2. For the Security Token Service audience field, use the format that is described in Authenticate a workload that uses the REST API. For example:

    //iam.googleapis.com/projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/providers/PROVIDER_ID
    
  3. For the Service account e-mail, enter the email address of the Google service account to be impersonated. For more information, see Create a service account for the external workload.

  4. (Optional) Specify a value for the Service account token lifetime in seconds. The default lifetime of a service account access token is one hour. For more information, see URL-sourced credentials.

  5. If you specified Workload Identity Federation with token URL, use these values:

    • Token URL: https://login.microsoftonline.com/TENANT_ID/oauth2/v2.0/token. The connection posts to this URL to obtain a token from Azure.
    • HTTP method: POST
    • HTTP headers: "Content-Type"="application/x-www-form-urlencoded;charset=UTF-8","Accept"="application/json"
    • Request body: grant_type=client_credentials&client_id=CLIENT_ID&client_secret=CLIENT_SECRET&scope=APPLICATION_ID_URI/.default, where CLIENT_SECRET is the application secret that you created in Azure. Because the secret is stored in the connection configuration, restrict who can view and edit the connection.
  6. For Token type, select ID token for an identity provider that complies with the OpenID Connect (OIDC) specification. For information, see Token types.

  7. The Token format option depends on the authentication method that you chose:

    • Workload Identity Federation with access token: Select Text if you supplied the raw token value in the Access token field.
    • Workload Identity Federation with token URL: For a response from the token URL in JSON format with the access token that is returned in a field named access_token, use these settings:
      • Token format: JSON
      • Token field name: access_token
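Both procedures above (Amazon Cognito and Azure) fail in the same way when the provider settings and the external token disagree: Google STS rejects the exchange with an invalid issuer, audience or subject error, and the connection reports little beyond that. The following added example, which is not code from the product or from Google's documentation, is a preflight check that decodes the token the connection will present, compares its iss, aud, sub and exp claims with the provider's Issuer (URL), Allowed audience and attribute mapping, and builds the two requests the connection performs: the token exchange against the Security Token Service (with the audience string from the procedures above) and the generateAccessToken impersonation call with the configured lifetime. The sample tokens are constructed and unsigned; the placeholder values (PROJECT_NUMBER, POOL_ID, PROVIDER_ID, SA_EMAIL, TENANTID, APPID) are assumptions that stand in for your own.

```python
"""Preflight check for a workload identity federation provider.

Added example, not part of the product. Decodes the external token
(Cognito ID token or Azure AD access token), checks its claims against the
provider settings, and builds the STS exchange and impersonation requests.
Placeholder values such as PROJECT_NUMBER and SA_EMAIL are assumptions.
"""
import base64
import json
import time
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlencode

STS_URL = "https://sts.googleapis.com/v1/token"
IAM_URL = ("https://iamcredentials.googleapis.com/v1/projects/-/"
           "serviceAccounts/{sa}:generateAccessToken")
CLOUD_SCOPE = "https://www.googleapis.com/auth/cloud-platform"


@dataclass
class ProviderConfig:
    project_number: str
    pool_id: str
    provider_id: str
    issuer: str               # Issuer (URL) configured on the provider
    allowed_audience: str     # Allowed audience configured on the provider
    service_account: str      # Service account e-mail to impersonate
    lifetime_seconds: int = 3600  # Service account token lifetime

    @property
    def sts_audience(self) -> str:
        """Security Token Service audience field of the connection."""
        return (f"//iam.googleapis.com/projects/{self.project_number}"
                f"/locations/global/workloadIdentityPools/{self.pool_id}"
                f"/providers/{self.provider_id}")


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def decode_claims(token: str) -> dict:
    """Payload of a compact JWT. The signature is NOT verified here; STS
    verifies it against the issuer's published keys during the exchange."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def check_token(claims: dict, cfg: ProviderConfig, now: Optional[float] = None) -> list:
    """Mismatches between the token and the provider settings (empty list = OK)."""
    now = time.time() if now is None else now
    problems = []
    if claims.get("iss") != cfg.issuer:  # exact match, trailing slash included
        problems.append(f"iss {claims.get('iss')!r} != issuer {cfg.issuer!r}")
    aud = claims.get("aud")
    if cfg.allowed_audience not in (aud if isinstance(aud, list) else [aud]):
        # A Cognito *access* token carries client_id instead of aud: wrong token type.
        problems.append(f"aud {aud!r} does not include {cfg.allowed_audience!r}")
    if not claims.get("sub"):
        problems.append("no sub claim; google.subject is mapped to assertion.sub")
    if claims.get("exp") is None or claims["exp"] <= now:
        problems.append(f"expired or missing exp ({claims.get('exp')!r})")
    return problems


def build_sts_request(token: str, cfg: ProviderConfig):
    """Token-exchange request (RFC 8693 grant) the connection sends to STS."""
    form = {
        "grant_type": "urn:ietf:params:oauth:grant-type:token-exchange",
        "audience": cfg.sts_audience,
        "scope": CLOUD_SCOPE,
        "requested_token_type": "urn:ietf:params:oauth:token-type:access_token",
        "subject_token_type": "urn:ietf:params:oauth:token-type:jwt",
        "subject_token": token,
    }
    return STS_URL, {"Content-Type": "application/x-www-form-urlencoded"}, urlencode(form)


def build_impersonation_request(federated_token: str, cfg: ProviderConfig):
    """generateAccessToken call that turns the federated token into a service
    account access token with the configured lifetime (default one hour)."""
    body = {"scope": [CLOUD_SCOPE], "lifetime": f"{cfg.lifetime_seconds}s"}
    headers = {"Authorization": f"Bearer {federated_token}",
               "Content-Type": "application/json"}
    return IAM_URL.format(sa=cfg.service_account), headers, json.dumps(body)


def make_sample_token(claims: dict) -> str:
    """Constructed, unsigned token shaped like a JWT, for offline checks only."""
    header = _b64url(json.dumps({"alg": "RS256", "kid": "constructed"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}.constructed-signature"


if __name__ == "__main__":
    cognito = ProviderConfig("PROJECT_NUMBER", "POOL_ID", "PROVIDER_ID",
                             "https://cognito-idp.YourRegion.amazonaws.com/YourPoolId",
                             "YourClientId", "SA_EMAIL")
    good = make_sample_token({"iss": cognito.issuer, "aud": "YourClientId",
                              "sub": "constructed-user", "exp": time.time() + 600})
    print("cognito:", check_token(decode_claims(good), cognito) or "OK")
    azure = ProviderConfig("PROJECT_NUMBER", "POOL_ID", "PROVIDER_ID",
                           "https://sts.windows.net/TENANTID/", "api://APPID", "SA_EMAIL")
    # Typical mismatch: the app registration issues v2.0 tokens, whose iss and
    # aud differ from the values configured on the provider.
    bad = make_sample_token({"iss": "https://login.microsoftonline.com/TENANTID/v2.0",
                             "aud": "APPID", "sub": "constructed-sp", "exp": time.time() + 600})
    print("azure:", check_token(decode_claims(bad), azure) or "OK")
    print(build_sts_request(good, cognito)[2][:80] + "...")
```

Run check_token on a real token before creating the connection: paste the IdToken from admin-initiate-auth, or the access_token returned by the Azure token URL, into make_sample_token's place. For Azure, a token whose iss is https://login.microsoftonline.com/TENANTID/v2.0 means the app registration issues v2.0 tokens, and the provider's Issuer (URL) and Allowed audience have to match that format rather than the sts.windows.net values above.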

Learn more