Authenticating to Google Cloud from an AWS Lambda function
Using workload identity federation, we can let an AWS-hosted application authenticate to Google Cloud using its AWS credentials. That also works for Lambda functions.
By combining workload identity federation with a token broker, we can enable workloads and devices to authenticate to Google Cloud using all sorts of credentials, including X.509 client certificates.
Workload identity federation isn’t limited to authenticating workloads between cloud providers. There are many other scenarios where it can be useful to use workload identity federation instead of service account keys. Not all platforms or services support workload identity federation, but it’s not too difficult to change that.
What can we do if we have a set of tokens issued to one Google OAuth client, but need an ID token for another OAuth client?
Whenever we want to call a Google or Google Cloud API, we need an access token. But there’s more than one way to obtain an access token, and depending on which way we use, the resulting access token might behave a little differently. What kinds of access tokens are there, and how do they differ?
With the latest version of Just-in-Time access, we can now demand that users seek approval from a peer before they can activate certain roles.
When an on-premises application needs to access Google Cloud, it’s tempting to just let it use a service account key. But if the application runs in an Active Directory environment, there’s a better alternative: we can let it use its domain credentials and “exchange” them for Google credentials. That doesn’t even require custom code anymore.