Best practices for using workload identity federationWorkload identity federation lets us impersonate a Google Cloud service account by using credentials from an external identity provider. That’s a useful and powerful feature, but there are some things to watch out for. Continue »
Using a Google Cloud service account to authenticate to AD FSBy using certificate-based authentication, we can let a Google Cloud service account authenticate to AD FS without having to manage any client secrets. Continue »
Using a Google Cloud service account to authenticate to KeyCloakA common way to let an application authenticate to KeyCloak is to use a client ID and secret. But when the application runs on Google Cloud, we can do better. Continue »
Using a Google Cloud service account and AssumeRoleWithWebIdentity to authenticate to AWS in C#In the last post we looked at how to set up a trust policy and role in AWS so that we can use a Google ID token to authenticate to AWS. But how do we actually use this in C#? Continue »
Authenticating to AWS by using a Google Cloud service account and AssumeRoleWithWebIdentityBy using workload identity federation, we can let applications use AWS credentials to authenticate to Google Cloud. That’s useful if we have an application that runs on AWS and needs access to Google APIs. But what if we are in the opposite situation, where we have an application on Google Cloud that needs access to AWS? Continue »
Best practices for using sole-tenant nodes to run VM workloads on Google CloudWindows Server licensing is tricky, particularly if yur goal is to run Windows Server in the cloud and use existing licenses for it. But if you’re using Google Cloud’s sole-tenant nodes, a new best practices article can offer some help. Continue »
Deploying AD FS without domain admin privilegesBy default, installing AD FS requires domain admin access to Active Directory. But it’s possible to deploy AD FS in environments where we don’t have these privileges, like Google Cloud’s Managed Service for Microsoft Active Directory. Continue »
Authenticating to Google Cloud by using an AWS EC2 instance profile and workload identity federationWhen an application running on AWS needs access to Google APIs, we can use workload identity federation to let the application use its AWS credentials to authenticate to Google APIs. Unfortunately, the C# client library doesn’t support that yet, but we can fill that gap. Continue »
Authenticating to Azure by using Cloud KMS and client assertionsBy using workload identity federation, we can let applications use Azure credentials to authenticate to Google Cloud. That’s useful if we have an application that runs on Azure and needs access to Google APIs. But what if we are in the opposite situation, where we have an application on Google Cloud that needs access to Azure APIs? Continue »
Authenticating to Google Cloud by using an Azure managed identity and workload identity federationWhen an application running on Azure needs access to Google APIs, we can use workload identity federation to let the application use its Azure credentials to authenticate to Google APIs. Unfortunately, the C# client library doesn’t support that yet, but we can fill that gap. Continue »
Managing IAP Desktop by using group policiesIAP Desktop 2.20 now lets you use group policies to ensure all users in your organization use consistent settings. Continue »
Playing certificate authority: Using Cloud KMS to sign certificate signing requestsLast time, we looked at how we can use a Cloud KMS asymmetric signing key to create a self-signed X.509 certificate. But we’re not limited to self-signed certificates. We can use Cloud KMS to sign other certificate signing requests too, just like a certificate authority (CA). Continue »
Using a Cloud KMS asymmetric signing key to create an X.509 certificateAfter you create an asymmetric signing key in Cloud KMS, you can download the key pair’s public key. The key is provided in PEM format – that’s pretty standard and all you need in many use cases. But especially when dealing with third party services, you sometimes need an X.509 certificate instead of a plain public key. Continue »
Best practices for managing service account keysService accounts play a key role in Google Cloud IAM, and there are multiple ways how service accounts can authenticate. One of them is by using a service account key – but service account keys turn into a security risk if they aren’t managed carefully. Continue »
Using IAM to control SSH and RDP accessWhenever we grant users SSH or RDP access to VM instances, we have to ensure that access is revoked when the user changes teams or leaves the organization. This is easier said than done. Continue »
Limiting the validity of service account keysWhen you create a service account key, Google Cloud doesn’t let you specify an expiry date. The key stays valid until you either delete the key or the entire service account. But there’s a way to limit the validity of a service account key. Continue »
Using a CNG-backed key as service account keyLast time, we looked at how you can use a CryptoAPI-backed key as a service account and use it to authenticate. Now let’s see how you can do the same with CNG. Continue »
Using a CryptoAPI-backed key as service account keyUsing service account keys to authenticate a service account is generally discouraged on Google Cloud, but sometimes difficult to avoid. The most common way to use service account keys is to create a new key by using the Cloud Console or gcloud, but you can also upload existing keys, including CryptoAPI-based keys. Continue »
Image creation on Google Cloud, part 2: Build processGoogle Cloud provides public images for a range of Windows Server versions, but in some situations, it’s necessary to build your own image. In this second part of the series, let’s look at how the build process works. Continue »
Image creation on Google Cloud, part 1: Windows SetupGoogle Cloud provides public images for a range of Windows Server versions, but in some situations, it’s necessary to build your own image. In this first part of the series, let’s review of how Windows Setup works. Continue »