Using domain-wide delegation without service account keys, Java editionSome Google APIs don’t support service accounts. To use them in an unattended scenario, we have to use domain-wide delegation. That adds some complexity, but doesn’t require a service account key. Continue »
Given an OAuth Client ID, how to find the corresponding Google Cloud projectThe Client Id gives it away, mostly. Continue »
Using Workforce Identity Federation and Entra App roles to control access to Google CloudManaging access to Google Cloud resources at scale is difficult without groups. But passing group memberships from Entra ID to Google Cloud comes with its own set of challenges, and a better option is to use App roles. Continue »
JIT Groups, or what's next for the JIT Access projectWith Privileged Access Manager in public preview now, there’s little reason to maintain an open-source project that largely provides the same capabilities. But that doesn’t mean JIT Access is going away – instead, the project is changing focus, and its name too. Continue »
Best practices for securing SSH access to VM instancesAllowing users to connect to Google Cloud VMs using SSH is convenient and often unavoidable. But it’s not without risks. Continue »
Using libssh2 with CryptoNG and ECDSAUntil recently, libssh2’s CryptoNG backend didn’t support ECDSA. But now it does. Continue »
Consent screens and the impact of administrative controlsWhen users sign in to an application that uses Google OAuth or OpenID Connect, they typically see a consent screen. But there’s more than one type of consent screen, and the type of consent screen that users end up seeing not only depends on the publisher, but also on the administrative controls applied on the consumer side Continue »
Authenticating to Google Cloud from Azure App ServicesUsing workload identity federation, we can let Azure-hosted applications authenticate to Google Cloud using their managed identity. That also works for Azure App Services, but it requires a little extra work. Continue »
Microsoft recommending IAP DesktopMicrosoft might not be the premier source of information about Google Cloud, but their cloud security benchmark (MCSB) turns out to provide some sound advice. Continue »
Using Integrated Windows Authentication over a Google Cloud load balancerModern web applications typically use OAuth or OpenID Connect to authenticate users, but older intranet applications often still rely on Integrated Windows Authentication to deliver a single sign-on experience for users. When we migrate such an application to Google Cloud, we must be careful to choose the right load balancer, otherwise authentication might fail in subtle ways. Continue »
Authenticating to Google Cloud from an AWS Lambda functionUsing workload identity federation, we can let an AWS-hosted application authenticate to Google Cloud using its AWS credentials. That also works for Lambda functions. Continue »
Authenticate workloads and devices to Google Cloud using mTLSBy combining workload identity federation with a token broker, we can enable workloads and devices to authenticate to Google Cloud using all sorts of credentials, including X.509 client certificates. Continue »
Extending a platform or service to support workload identity federationWorkload identity federation isn’t limited to authenticating workloads between cloud providers. There are many other scenarios where it can be useful to use workload identity federation instead of service account keys. Not all platforms or services support workload identity federation, but it’s not too difficult to change that. Continue »
Using one OAuth client to get ID tokens for another clientWhat to do if we have a set of tokens issued to one Google OAuth client, but we need an ID token for another OAuth client? Continue »
All access tokens aren't created equalWhenever we want to call a Google or Google Cloud API, we need an access token. But there’s more than one way to obtain an access token, and depending on which way we use, the resulting access token might behave a little differently. What kinds of access tokens are there, and how do they differ? Continue »
Multi-party approval with JIT Access 1.2With the latest version of Just-in-Time access, we can now demand that users seek approval from a peer before they can activate certain roles. Continue »
New documentation and tool support for authenticating to Google Cloud from an Active Directory environmentWhen an on-premises application needs to access Google Cloud, it’s tempting to just let it use a service account key. But if the application runs in an Active Directory environment, there’s a better alternative – we can let it use its domain credentials and “exchange” them against Google credentials. That doesn’t even require custom code anymore. Continue »
JIT Access 1.1 now supports inherited roles and has a new UIWith Just-in-Time Access, we can implement just-in-time privileged access management on Google Cloud by allowing users to temporarily elevate their access to certain projects. But a key limitation of the initial release of JIT Access was that it didn’t support inherited role bindings. Version 1.1 removes this limitation and features a new UI. Continue »
Which project's quota are my API calls charged against?Any call we make against a Google API is charged against a project quota. Depending on the API that we’re using, that project quota might limit the frequency of calls, the total number of calls, or even the number of calls per user. But which project’s quota is it that’s being charged? Continue »
Granting a service account just enough access to manage a Cloud Identity groupTo implement role-based access control to Google Cloud resources, it’s often useful to create a set of groups, where each group represents a role for a certain set of resources. But how can we automate the management of these groups, without granting our automation too much access? Continue »