Workload Identity Federation authentication

Step 1: Enable Google APIs

Performed in GCP
Enable the IAM API, Cloud Resource Manager API, and the Certificate Manager API.
  1. In the GCP console, go to APIs & services for your project.
  2. On the Library page, select Private APIs. If you don't see the API listed, that means you haven't been granted access to enable the API.
  3. Select the API you want to enable. If you need help finding the API, use the search field.
  4. On the page that displays information about the API, select Enable.

Step 2: Create a custom role for service account permissions

Performed in GCP
You have the option to create a custom role via the console or gcloud CLI. Choose one of the below methods to create a custom role.
  • Console - See Create and manage custom roles to create an Identity and Access Management (IAM) custom role.
  • gcloud CLI - Alternatively, if you would like to use gcloud CLI to create a custom role, create the following YAML file with the included permissions.
title: Next-Gen Trust Security Integration
description: Permissions granted to Next-Gen Trust Security
stage: GA
includedPermissions:
  - certificatemanager.certs.create
  - certificatemanager.certs.get
  - certificatemanager.certs.list
  - certificatemanager.certs.update
  - certificatemanager.locations.list
  - certificatemanager.operations.get
  - resourcemanager.projects.get
Then run the following command to create the custom role. Note that you will need to use this custom role in the next step.
gcloud iam roles create <tlspcIntegrationRole> --project=<PROJECT-ID> --file=permissions.yaml
Note: The custom role tlspcIntegrationRole is an example. You can name this role anything you like, but choose a name that reflects its purpose.

Step 3: Create a Google service account

Performed in GCP
Use the Workload Identity Federation authentication permissions when setting up a service account.
  1. Follow the steps to create a Google service account at Create service accounts. This page explains how to create service accounts using the Identity and Access Management (IAM) API, the GCP console, and the gcloud command-line tool.
  2. Once complete, you will be presented with your Google service account email. Make sure to copy and save this for later use.
Note: In this step, you will associate the custom role created in Step 2 with your Google service account.

Step 4: Create a workload identity pool

Performed in GCP
Note:
  • The Google Cloud CLI must be installed and authenticated with Google Cloud.
  • You must have the permissions to manage Workload Identity Federation in Google Cloud.
  • Be sure to save the identity pool ID value you create in this step—you’ll need it when you get to Step 6.
Tip: If you have already created a workload identity pool in GCP, it is located in the GCP Workload Identity Federation section.
Create a workload identity pool by running the following command, if one does not already exist. Replace the placeholders as described:
  • Replace your-identity-pool-id with a unique ID for the pool, consisting of 4 to 32 lowercase letters, digits, or hyphens. To avoid conflicts, use a unique ID. We recommend choosing a meaningful name that relates to this specific cloud provider (such as venafi-workload-pool).
  • Add desired description and display-name. Note, the display name must be less than or equal to 32 characters.
gcloud iam workload-identity-pools create <your-identity-pool-id> \
  --location="global" \
  --description="<Venafi Workload Identity Pool for Federated Identities>" \
  --display-name="Venafi WIF Pool"

Step 5: Create a Cloud Provider

Performed in Next-Gen Trust Security
  1. Sign in to Next-Gen Trust Security.
  2. Click Configuration > Cloud Providers.
  3. Click New and select Google.
  4. Enter a Name for the new cloud provider. This name will help Next-Gen Trust Security users to identify this cloud provider.
  5. Enter your Google Service Account Email you copied from Step 3.
  6. Select the Workload Identity Federation - Built-in Identity authorization method.
  7. You will now see the three fields listed below that you will need to populate:
    • Project Number (Located in GCP dashboard)
    • Workload Identity Pool ID (Located in the GCP Workload Identity Federation section)
    • Workload Identity Pool Provider ID (Create the Workload Identity Pool Provider ID by entering a unique, meaningful name related to this specific cloud provider, such as venafi-provider. The ID must be 4 to 32 lowercase letters, digits, or hyphens). Note, this ID does not already exist in the GCP console—it is being created here.
    Note: You are only creating the Workload Identity Pool Provider ID in this step. You will use this ID in Step 6 to create the Workload Identity Pool Provider resource.
  8. Click Create.
  9. In the following screen, you will be presented with an Issuer URI. Copy the URI to use in the next step.
Important: Make sure to copy and save this Issuer URI for use later on.

Step 6: Add an OIDC provider to the workload identity pool

Performed in GCP
Add an OIDC provider to the workload identity pool by running the following command. Replace the following placeholders:
  • Replace your-identity-provider-id with the Workload Identity Pool Provider ID you created for Next-Gen Trust Security in Step 5.
  • Replace your-identity-pool-id with the ID of the workload identity pool you created in Step 4.
  • Replace your_issuer_uri with your identity provider issuer URI you copied and saved from Step 5.
gcloud iam workload-identity-pools providers create-oidc "<your-identity-provider-id>" \
  --location="global" \
  --workload-identity-pool="<your-identity-pool-id>" \
  --issuer-uri="<your_issuer_uri>" \
  --attribute-mapping="google.subject=assertion.sub"
Note:
  • The attribute-mapping parameter must include the mapping between OIDC custom claims included in the JWT ID token to the corresponding identity attributes that are used in Identity and Access Management (IAM) policies to grant access. For more details, see the supported OIDC custom claims that you can use to control access to Google Cloud.
  • To restrict identity token access to a specific Next-Gen Trust Security project or group, use an attribute condition. Use the attribute assertion.project_id for a project and the attribute assertion.namespace_id for a group. For more information, see the Google Cloud documentation about how to define an attribute condition. After you define the attribute condition, you can update the workload identity provider.

Step 7: Create a custom role for service account policy binding

Performed in GCP
Create a custom role with the following permission to bind to the service account. Choose one of the below methods to create a custom role.
  • Console - See Create and manage custom roles to create an Identity and Access Management (IAM) custom role.
  • gcloud CLI - Alternatively, if you would like to use gcloud CLI to create a custom role, create the following YAML file with the included permissions.
title: Next-Gen Trust Security Workload Identity Pool Role
description: Permissions granted to a Workload Identity Pool to generate access tokens.
stage: GA
includedPermissions:
  - iam.serviceAccounts.getAccessToken
Then run the following command to create the custom role. Note that you will need to use this custom role in the next step.
gcloud iam roles create <saBindingRole> --project=<PROJECT-ID> --file=permissions.yaml
Note: The custom role saBindingRole is an example. You can name this role anything you like, but choose a name that reflects its purpose.
Tip: The command output will display the custom role name, such as projects/venafi/roles/saBindingRole. Make sure to copy the full path of the name, as you will need it for the next step.

Step 8: Connect service account to the workload identity pool

Performed in GCP
In this step, we will connect your service account to your workload identity pool and add the custom role we created in Step 7.
  1. Run the following command and replace the following placeholders:
    • Replace "your_service_account" with your GCP service account.
    • Replace projects/venafi/roles/saBindingRole with the role name you created in Step 7.
    • Replace "your_project_number" with your GCP project number.
    • Replace "your-identity-pool-id" with the ID of the workload identity pool you created in Step 4.
    • Replace "your-project-id" with your GCP project ID.
      gcloud iam service-accounts add-iam-policy-binding "<your_service_account>" \
        --role="<projects/venafi/roles/saBindingRole>" \
        --member="principal://iam.googleapis.com/projects/<your_project_number>/locations/global/workloadIdentityPools/<your-identity-pool-id>/subject/venafi_control_plane" \
        --project="<your-project-id>"
Tip: Remember, venafi_control_plane is a fixed value and must be mapped to subject when binding the service account.
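To show what the attribute mapping from Step 6 and the principal binding from Step 8 actually decide, here is an added Python model (not Venafi or Google code) that applies google.subject=assertion.sub and an optional assertion.project_id or assertion.namespace_id condition to a constructed token's claims, then checks whether the resulting principal is the member bound in Step 8. The token values, issuer URL and project number are hypothetical; signature, issuer and audience verification is performed by Google's token exchange and is not modelled here.

```python
import base64
import json
import re
from typing import Optional

ID_PATTERN = re.compile(r"[a-z0-9-]{4,32}")  # pool/provider ID rule from Steps 4 and 5

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def decode_claims(jwt: str) -> dict:
    """Return a compact JWT's payload claims without verifying it; Google's
    token exchange checks the signature, issuer and audience, not this code."""
    payload = jwt.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))

def map_subject(claims: dict, project_id: Optional[str] = None,
                namespace_id: Optional[str] = None) -> Optional[str]:
    """Model google.subject=assertion.sub plus optional attribute conditions on
    assertion.project_id / assertion.namespace_id; None means the token is rejected."""
    if project_id is not None and claims.get("project_id") != project_id:
        return None
    if namespace_id is not None and claims.get("namespace_id") != namespace_id:
        return None
    return claims.get("sub")

def principal_member(project_number: str, pool_id: str, subject: str) -> str:
    """Build the --member value used in Step 8's add-iam-policy-binding."""
    if not project_number.isdigit():
        raise ValueError("project number must be numeric")
    if not ID_PATTERN.fullmatch(pool_id):
        raise ValueError("pool ID must be 4-32 lowercase letters, digits, or hyphens")
    return (f"principal://iam.googleapis.com/projects/{project_number}"
            f"/locations/global/workloadIdentityPools/{pool_id}/subject/{subject}")

def token_matches_binding(jwt: str, project_number: str, pool_id: str,
                          bound_member: str, **conditions) -> bool:
    """True only when the mapped subject lands exactly on the bound principal."""
    subject = map_subject(decode_claims(jwt), **conditions)
    return subject is not None and principal_member(project_number, pool_id, subject) == bound_member

# Constructed sample token with a placeholder signature (hypothetical values).
SAMPLE_TOKEN = ".".join([
    b64url(b'{"alg":"RS256","typ":"JWT"}'),
    b64url(json.dumps({"iss": "https://issuer.example", "sub": "venafi_control_plane",
                       "project_id": "proj-1234", "namespace_id": "team-a"}).encode()),
    b64url(b"placeholder-signature"),
])
```

A token whose sub is anything other than venafi_control_plane, or whose project_id or namespace_id fails the condition, maps to no bound principal, so the iam.serviceAccounts.getAccessToken permission from Step 7 is never reached.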

Step 9: Validate the connection

Performed in Next-Gen Trust Security
In this step, we will validate the connection between Next-Gen Trust Security and GCP.
  1. Click Configuration > Cloud Providers.
  2. Find the new cloud provider we created in Step 4. Click the more options button to the right and select Validate.
    Note: You will notice a yellow icon next to your cloud provider that indicates it has yet to be validated. This will go away once you test access and have a successful connection.
If you still have the yellow icon next to your cloud provider, this means you were not able to successfully validate your connection. Go back and check your settings in the above steps.

Step 10: Add a Cloud Keystore

Performed in Next-Gen Trust Security
  1. Sign in to Next-Gen Trust Security.
  2. Click Insights > Cloud Keystores.
  3. Click New and select Google.
  4. Enter a Name for the new cloud keystore.
  5. Select a GCP Cloud Provider.
  6. Enter a Project Name.
  7. Enter a GCM Region.
  8. (Optional) To discover certificates on your keystore, enable Start discovery immediately and Include expired certificates. Once complete, create a schedule.
  9. Click Save. The new cloud keystore appears in the Cloud Keystore list.

Step 11: Provision a certificate

Performed in Next-Gen Trust Security
At this point you should now have the ability to provision certificates.
  1. Click the More actions (ellipsis) icon next to the cloud keystore you created, and then select Provision.
    Tip: From this menu, you can also delete certificates if needed.
  2. From the dropdown, search for the certificate you want to provision, select it, and then click Provision. This creates a new certificate installation on the cloud keystore.
  3. (Optional) You can also re-provision, replace, or delete an existing certificate.
    • Select your Cloud Keystore to open the details panel.
    • Click the More actions (ellipsis) icon next to the certificate.
    • Select Re-provision, Replace, or Delete, and complete the steps in the user interface.
Info:
  • Re-provision re-installs the current certificate on the cloud keystore.
  • Replace substitutes the current certificate with a different one.
  • Delete removes the certificate from the cloud keystore.

Set up GCP Discovery Schedule

  1. In the Next-Gen Trust Security toolbar, click Installations and select Cloud Keystores from the drop-down menu.
  2. Select the Cloud Keystore name that you want to perform a discovery on.
  3. From the pane that opens on the right of the screen, select Discovery configuration. Select the toggle switches to turn on "Enable scheduled discovery" and "Include expired certificates".
  4. Under Repeat, select your desired Daily, Weekly, or Advanced schedule. Then, choose your desired time.
  5. Click Save.