Authenticate workloads and devices to Google Cloud using mTLSBy combining workload identity federation with a token broker, we can enable workloads and devices to authenticate to Google Cloud using all sorts of credentials, including X.509 client certificates. Continue »
Extending a platform or service to support workload identity federationWorkload identity federation isn’t limited to authenticating workloads between cloud providers. There are many other scenarios where it can be useful to use workload identity federation instead of service account keys. Not all platforms or services support workload identity federation, but it’s not too difficult to change that. Continue »
Using one OAuth client to get ID tokens for another clientWhat to do if we have a set of tokens issued to one Google OAuth client, but we need an ID token for another OAuth client? Continue »
All access tokens aren't created equalWhenever we want to call a Google or Google Cloud API, we need an access token. But there’s more than one way to obtain an access token, and depending on which way we use, the resulting access token might behave a little differently. What kinds of access tokens are there, and how do they differ? Continue »
Multi-party approval with JIT Access 1.2With the latest version of Just-in-Time access, we can now demand that users seek approval from a peer before they can activate certain roles. Continue »
New documentation and tool support for authenticating to Google Cloud from an Active Directory environmentWhen an on-premises application needs to access Google Cloud, it’s tempting to just let it use a service account key. But if the application runs in an Active Directory environment, there’s a better alternative – we can let it use its domain credentials and “exchange” them against Google credentials. That doesn’t even require custom code anymore. Continue »
JIT Access 1.1 now supports inherited roles and has a new UIWith Just-in-Time Access, we can implement just-in-time privileged access management on Google Cloud by allowing users to temporarily elevate their access to certain projects. But a key limitation of the initial release of JIT Access was that it didn’t support inherited role bindings. Version 1.1 removes this limitation and features a new UI. Continue »
Granting a service account just enough access to manage a Cloud Identity groupTo implement role-based access control to Google Cloud resources, it’s often useful to create a set of groups, where each group represents a role for a certain set of resources. But how can we automate the management of these groups, without granting our automation too much access? Continue »
Using Fiddler to inspect Java client library requestsWhen developing applications that use the Google Cloud API, being able to trace and inspect HTTP requests with a tool like Fiddler can be a great debugging aid. But getting Fiddler to work with the Java client libraries can be a bit tricky. Continue »
Dealing with partial consent in Google OAuth clientsWhen we use a tool like gcloud or IAP Desktop for the first time, we need to authorize it. Google Sign-in then shows us a consent screen that lists all the things the tool might do on our behalf, and we can decide whether to consent or deny. But sometimes, we get a third option. Continue »
Best practices for using service accounts in deployment pipelinesTo deploy software or infrastructure automatically, many deployment pipelines need access to Google Cloud, so we let the pipelines use a service account. The more we rely on deployment pipelines and their service accounts, the more extensive and privileged their access to Google Cloud can become. And that creates new risks. Continue »
Authenticating to Cloud Identity's LDAP interfaceSecure LDAP is a Cloud Identity feature that lets it emulate an LDAP server. From an application’s perspective, Secure LDAP makes Cloud Identity look somewhat similar to Active Directory – but authentication works a little differently. Continue »
Service account keys aren’t like AWS access keysAWS lets us use access keys to authenticate programmatically. That’s useful for local development, or if we want to let tools access AWS on our behalf. The closest thing to access keys on Google Cloud seem to be service account keys. But are they really that similar? Continue »
Enabling just-in-time access to Google Cloud resourcesThe principle of least privilege states that we should grant users just enough access to carry out everyday activities, but no more. But what about the occasional case where a user does need privileged access, maybe to handle an incident or perform a rare configuration change? This is where just-in-time access can help. Continue »
Doing service account things without a service account keyBefore we deploy an application to Google Cloud, we typically want to test it locally. If the application uses Google Cloud APIs, then we somehow need to ensure that the application can authenticate. We could use a service account key for that, but there’s typically a better way. Continue »
Authenticating to Google Cloud using Integrated Windows Authentication, workload identity federation, and SAML-POSTPreviously, we explored two ways of authenticating to Google Cloud using Kerberos and NTLM credentials. Both ways involved authenticating to AD FS using Integrated Windows Authentication, and then using workload identity federation. But there’s a third way that we haven’t cover yet – and it involves using the SAML HTTP-POST binding. Continue »
Authenticating to Google Cloud when all we have are Kerberos or NTLM credentialsWhen an application needs to access Google Cloud APIs, it needs credentials. On Google Cloud, we can attach a service account to the underlying compute resource to let the application obtain credentials. On AWS and Azure, we can achieve something to the same effect by using workload identity federation. But what about on-premises? Continue »
Using AD FS access tokens for workload identity federationWorkload identity federation supports OpenID Connect, so it should be compatible with AD FS. But until recently, workload identity federation didn’t work with AD FS-issued access tokens – only ID tokens worked properly. What was the issue there? Continue »
Using a CNG-backed key as service account key in JavaOne of the best ways to store a service account key on Windows is to use a CryptoNG key storage provider. That even works with Java. Continue »
Using domain-wide-delegation on Google Cloud without service account keysSome Google Cloud APIs don’t support service accounts and require us to use domain-wide delegation. But using domain-wide delegation doesn’t mean we have to use service account keys. Continue »