Dealing with partial consent in Google OAuth clientsWhen we use a tool like gcloud or IAP Desktop for the first time, we need to authorize it. Google Sign-in then shows us a consent screen that lists all the things the tool might do on our behalf, and we can decide whether to consent or deny. But sometimes, we get a third option. Continue »
Retroactively analyzing more than 90 days of VM and sole-tenant node usageWhen we run License Tracker for the first time, the tool analyzes the last 90 days of audit logs to determine how many VMs and physical servers we’ve been using. Going back 90 days in history is useful, but can we go back further? Continue »
Tracking VM and sole-tenant node usage for license reportingWhen we bring our own Windows licenses to Google Cloud, we must keep track of the number of physical servers that we’re using those licenses on. By using sole-tenant nodes, we can control which nodes our VMs run on, but nodes aren’t the same as physical servers. Continue »
Best practices for using service accounts in deployment pipelinesTo deploy software or infrastructure automatically, many deployment pipelines need access to Google Cloud, so we let the pipelines use a service account. The more we rely on deployment pipelines and their service accounts, the more extensive and privileged their access to Google Cloud can become. And that creates new risks. Continue »
You can use libssh2 with CryptoNG… unless you need ECDSALibssh2 lets us choose between multiple different crypto backends. But that doesn’t mean these backends are interchangeable – there are also some functional differences. Continue »
Authenticating to Cloud Identity's LDAP interfaceSecure LDAP is a Cloud Identity feature that lets it emulate an LDAP server. From an application’s perspective, Secure LDAP makes Cloud Identity look somewhat similar to Active Directory – but authentication works a little differently. Continue »
Service account keys aren’t like AWS access keysAWS lets us use access keys to authenticate programmatically. That’s useful for local development, or if we want to let tools access AWS on our behalf. The closest thing to access keys on Google Cloud seem to be service account keys. But are they really that similar? Continue »
Enabling just-in-time access to Google Cloud resourcesThe principle of least privilege states that we should grant users just enough access to carry out everyday activities, but no more. But what about the occasional case where a user does need privileged access, maybe to handle an incident or perform a rare configuration change? This is where just-in-time access can help. Continue »
Keeping track of SSH keys using IAP Desktop 2.26When we allow users to use SSH to connect to Linux VMs on Google Cloud, we need to keep track of their public keys, and which VMs they have access to. The latest version of IAP Desktop makes that a little easier. Continue »
Doing service account things without a service account keyBefore we deploy an application to Google Cloud, we typically want to test it locally. If the application uses Google Cloud APIs, then we somehow need to ensure that the application can authenticate. We could use a service account key for that, but there’s typically a better way. Continue »
Enforcing the use of OS Login for accessing Linux VMs on Google CloudGoogle Cloud lets us enable OS Login for a project by adding an entry to the project’s metadata. But is this approach sufficient to enforce OS Login for all VMs and users? Not really. Continue »
Docking and floating RDP windows in IAP Desktop 2.25IAP Desktop uses a UI that’s similar to Visual Studio – we can dock tool windows, let them auto-hide when we don’t need them, or let them float as separate windows. But that flexibility didn’t apply to RDP windows… until now. Continue »
Authenticating to Google Cloud using Integrated Windows Authentication, workload identity federation, and SAML-POSTPreviously, we explored two ways of authenticating to Google Cloud using Kerberos and NTLM credentials. Both ways involved authenticating to AD FS using Integrated Windows Authentication, and then using workload identity federation. But there’s a third way that we haven’t cover yet – and it involves using the SAML HTTP-POST binding. Continue »
Defining privileged accessPrivileged access is a term we commonly encounter in the realm of access management. The term seems pretty self-explanatory, but finding a good definition isn’t easy. Continue »
Authenticating to Google Cloud when all we have are Kerberos or NTLM credentialsWhen an application needs to access Google Cloud APIs, it needs credentials. On Google Cloud, we can attach a service account to the underlying compute resource to let the application obtain credentials. On AWS and Azure, we can achieve something to the same effect by using workload identity federation. But what about on-premises? Continue »
Using AD FS access tokens for workload identity federationWorkload identity federation supports OpenID Connect, so it should be compatible with AD FS. But until recently, workload identity federation didn’t work with AD FS-issued access tokens – only ID tokens worked properly. What was the issue there? Continue »
Using a CNG-backed key as service account key in JavaOne of the best ways to store a service account key on Windows is to use a CryptoNG key storage provider. That even works with Java. Continue »
Using domain-wide-delegation on Google Cloud without service account keysSome Google Cloud APIs don’t support service accounts and require us to use domain-wide delegation. But using domain-wide delegation doesn’t mean we have to use service account keys. Continue »
Using ECDSA keys for SSH public key authentication in IAP Desktop 2.23By default, IAP Desktop uses the rsa-ssh public key signature algorithm when authenticating to a Linux VM. That can be a problem in certain situations, which is why the latest version now adds support for ECDSA.
Continue »
Using Identity-Aware-Proxy and JAX-RS to authenticate usersBy deploying a web application behind Identity-Aware-Proxy, we can ensure that an application only receives requests that are authenticated and satisfy the context-aware access rules we’ve configured. But there are still a few things that the web application needs to do itself. Continue »