Google Cloud Best practices for using workload identity federation

Workload identity federation lets us impersonate a Google Cloud service account by using credentials from an external identity provider. With workload identity federation, we can do things like authenticating to Google Cloud by using an AWS EC2 instance profile or by using an Azure managed identity.

But there are also some things to watch out for. To use workload identity federation securely, we must configure it in a way that protects us from threats like:

  • Spoofing: A bad actor might attempt to spoof another user’s identity to gain unauthorized access to Google Cloud resources.
  • Privilege escalation: A bad actor might take advantage of workload identity federation to gain access to resources they otherwise wouldn’t have access to.
  • Non-repudiation: A bad actor might conceal their identity and actions by using external credentials that make it difficult to trace actions back to them.

In a new article, Best practices for using workload identity federation, I describe some of the best practices for deciding when to use workload identity federation, and how to configure it in a way that helps minimize risks.

For a full list of articles I’ve published on the Google Cloud website, see Articles on

Any opinions expressed on this blog are Johannes' own. Refer to the respective vendor’s product documentation for authoritative information.
« Back to home