Authenticating to Google Cloud by using an Azure managed identity and workload identity federation

When an application running on Azure needs access to Google APIs, we can use workload identity federation to let the application use its Azure credentials to authenticate to Google APIs. Unfortunately, the C# client library doesn’t support that yet, but we can fill that gap. Continue »

Best practices for managing service account keys

Service accounts play a key role in Google Cloud IAM, and there are multiple ways how service accounts can authenticate. One of them is by using a service account key – but service account keys turn into a security risk if they aren’t managed carefully. Continue »

Using IAM to control SSH and RDP access

Whenever we grant users SSH or RDP access to VM instances, we have to ensure that access is revoked when the user changes teams or leaves the organization. This is easier said than done. Continue »

Limit metadata server access to specific Windows users or processes

By default, access to the Compute Engine metadata server is not limited to specific processes or users on a VM, even low-privilege processes can request service account credentials. Can we limit metadata server access to specific Windows users or processes? Continue »

Best practices for using, managing, and securing service accounts on Google Cloud

Service accounts play a key role in Google Cloud IAM, but they are easy to get wrong. If you’re not careful, you quickly end up with over-permissioned service accounts, accounts that are used across multiple applications, and service account keys being spread all across your environment. Continue »

Using Google Cloud’s “Set Windows password” function on a domain controller

What happens if you use the “Set Windows password” function on a domain controller? Continue »