Workload Identity Federation - Azure Identity Provider authentication
This topic provides step-by-step instructions to set up a GCP Cloud Provider using Azure AD (now Microsoft Entra ID) as the external identity provider through Workload Identity Federation (WIF). Next-Gen Trust Security authenticates to Azure AD as a registered application, and GCP exchanges the resulting Azure token for short-lived service account credentials, so no long-lived Google service account key is ever created or stored.
Note (Differences from Workload Identity Federation - Built-In Identity Provider): Unlike the built-in Workload Identity Federation procedure, this guide uses Azure Active Directory as the token issuer instead of Next-Gen Trust Security.
Some steps differ:
- The Issuer URI comes from Azure AD, not Next-Gen Trust Security.
- Attribute mapping is based on Azure claims (appid).
- Service account binding uses the standard roles/iam.workloadIdentityUser role instead of a custom role.
Step 1: Register an application in Azure AD
Performed in Azure Portal
- In the Azure Portal, go to All Services > App registrations.
- Click New registration.
- Name your app (e.g., azure-gcp-wif) and choose the appropriate account type.
- Click Register.
- Copy and save the following values:
- Application (client) ID
- Directory (tenant) ID
Expose the application
- In your app, go to Manage > Expose an API.
- Add an Application ID URI (e.g., api://<client-id>).
- Click Save.
Step 2: Create a client secret
Performed in Azure Portal
- In your app, go to Certificates & secrets.
- Click New client secret, provide a description, and select an expiration.
- Copy and save the secret value. It is shown only once.
Note: The client secret is the one long-lived credential in this setup. Choose the shortest expiration your process allows, and create a replacement and update the Cloud Provider (Step 9) before it expires; once the secret expires, Next-Gen Trust Security can no longer obtain Azure tokens and the connection fails.
Step 3: Enable Google APIs
Performed in GCP
- In the GCP console, go to APIs & services > Library.
- Enable the following APIs:
- IAM API
- Cloud Resource Manager API
- Certificate Manager API
Step 4: Create a Google service account
Performed in GCP
Use the Workload Identity Federation - Azure Identity Provider authentication permissions when setting up a service account.
- Follow the steps at Create service accounts.
- Copy and save the service account email for later use.
Step 5: Create a custom role for certificate provisioning
Performed in GCP
Use this permissions.yaml file:
    title: TLSPC Integration
    description: Permissions granted to TLSPC
    stage: GA
    includedPermissions:
    - certificatemanager.certs.create
    - certificatemanager.certs.get
    - certificatemanager.certs.list
    - certificatemanager.certs.update
    - certificatemanager.locations.list
    - certificatemanager.operations.get
    - resourcemanager.projects.get
Run:
    gcloud iam roles create <tlspcIntegrationRole> --project=<PROJECT-ID> --file=permissions.yaml
Creating the role does not by itself grant anything: bind it to the service account from Step 4 on the project that holds the Certificate Manager resources. The roles/iam.workloadIdentityUser binding in Step 8 only allows impersonation of the service account; it does not give the service account any Certificate Manager permissions.
Step 6: Create a workload identity pool
Performed in GCP
    gcloud iam workload-identity-pools create "azure-pool" \
        --project="$GCP_PROJECT_ID" \
        --location="global" \
        --display-name="Azure Identity Pool"
Save the pool ID (e.g., azure-pool).
Step 7: Add an OIDC provider to the workload identity pool
Performed in GCP
    gcloud iam workload-identity-pools providers create-oidc "azure-provider" \
        --project="$GCP_PROJECT_ID" \
        --location="global" \
        --workload-identity-pool="azure-pool" \
        --display-name="Azure OIDC Provider" \
        --issuer-uri="https://sts.windows.net/$AZURE_TENANT_ID" \
        --allowed-audiences="api://$AZURE_APP_CLIENT_ID" \
        --attribute-mapping="google.subject=assertion.appid,attribute.subject=assertion.appid"
Suggestions
- Use the same Workload Identity Pool ID from Step 6.
- Replace $AZURE_TENANT_ID and $AZURE_APP_CLIENT_ID with values from your Azure AD app registration.
- --allowed-audiences must equal the aud claim of the token Next-Gen Trust Security obtains from Azure AD: either the Application (client) ID or the Application ID URI defined in the Expose the application step. If the aud claim and this value differ, GCP rejects the token.
- You can customize the provider ID (e.g., azure-provider) but record it for later use when creating the Cloud Provider in Next-Gen Trust Security.
Save the provider ID (e.g., azure-provider).
Step 8: Bind the service account to the workload identity pool
Performed in GCP
    gcloud iam service-accounts add-iam-policy-binding "<your_service_account>" \
        --role="roles/iam.workloadIdentityUser" \
        --member="principalSet://iam.googleapis.com/projects/<PROJECT_NUMBER>/locations/global/workloadIdentityPools/azure-pool/attribute.subject/<AZURE_APP_CLIENT_ID>"
Note: <AZURE_APP_CLIENT_ID> here is the bare Application (client) ID, because it is compared against the appid claim that Step 7 maps to attribute.subject; do not prefix it with api:// (that form is the audience, not the subject). Use the numeric project number, not the project ID, and the same pool ID as in Step 6. This binding, not the audience, is what limits impersonation to this one application: another application in the tenant that obtained a token for the same audience would pass the provider's checks, but its appid maps to a different member and gets no binding.
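To see how the Step 7 provider settings and the Step 8 binding interact, the following is an added Python example (not part of this page and not Next-Gen Trust Security's code) that simulates the checks a workload identity pool provider applies to an Azure token: issuer, then audience, then the attribute mapping, and finally whether the mapped attribute.subject lands on the bound principalSet member. All identifiers, token contents and helper names are constructed placeholders; the token signature is not verified, so treat this as a configuration aid, not a validator.

```python
import base64
import json

# Constructed placeholder values for this example (hypothetical; not real identifiers).
AZURE_TENANT_ID = "11111111-2222-3333-4444-555555555555"
AZURE_APP_CLIENT_ID = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
PROJECT_NUMBER = "123456789012"
POOL_ID = "azure-pool"

# The Step 7 provider settings, expressed as data.
PROVIDER = {
    "issuer_uri": f"https://sts.windows.net/{AZURE_TENANT_ID}",
    "allowed_audiences": {f"api://{AZURE_APP_CLIENT_ID}", AZURE_APP_CLIENT_ID},
    "attribute_mapping": {"google.subject": "appid", "attribute.subject": "appid"},
}


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_claims(jwt: str) -> dict:
    """Payload of a JWT, signature NOT verified: fine for eyeballing iss/aud/appid
    while troubleshooting, never for making a trust decision."""
    _header, payload, _sig = jwt.split(".")
    return json.loads(_b64url_decode(payload))


def make_token(claims: dict) -> str:
    """Unsigned stand-in for an Azure access token (GCP verifies the real signature
    against the issuer's JWKS; this demo only exercises the claims)."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "RS256", "typ": "JWT"}), enc(claims), "signature"])


def evaluate(claims: dict, provider: dict = PROVIDER) -> dict:
    """Apply the provider's issuer and audience checks, then the attribute mapping.
    Raises ValueError with the reason the token would be rejected."""
    # Azure v1 tokens carry a trailing slash on iss; the Step 7 value has none.
    if claims.get("iss", "").rstrip("/") != provider["issuer_uri"].rstrip("/"):
        raise ValueError(f"issuer mismatch: {claims.get('iss')!r}")
    aud = claims.get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    if not any(a in provider["allowed_audiences"] for a in auds):
        raise ValueError(f"audience {aud!r} not in --allowed-audiences")
    mapped = {}
    for target, source in provider["attribute_mapping"].items():
        if source not in claims:
            raise ValueError(f"claim {source!r} missing; cannot map {target}")
        mapped[target] = claims[source]
    return mapped


def member_for(attribute_subject: str, project_number=PROJECT_NUMBER, pool_id=POOL_ID) -> str:
    """The principalSet:// member form used in the Step 8 binding."""
    return (f"principalSet://iam.googleapis.com/projects/{project_number}/locations/global/"
            f"workloadIdentityPools/{pool_id}/attribute.subject/{attribute_subject}")


# What Step 8 binds: the bare client ID, not the api:// audience.
BINDING_MEMBER = member_for(AZURE_APP_CLIENT_ID)


def can_impersonate(token: str) -> bool:
    """True when the token passes the provider and maps onto the bound member."""
    try:
        mapped = evaluate(decode_claims(token))
    except ValueError:
        return False
    return member_for(mapped["attribute.subject"]) == BINDING_MEMBER


# Constructed claims shaped like an Azure AD v1 client-credentials token.
GOOD_CLAIMS = {
    "iss": f"https://sts.windows.net/{AZURE_TENANT_ID}/",
    "aud": f"api://{AZURE_APP_CLIENT_ID}",
    "appid": AZURE_APP_CLIENT_ID,
    "tid": AZURE_TENANT_ID,
}

if __name__ == "__main__":
    cases = [
        ("registered app", GOOD_CLAIMS),
        ("Graph-audience token", dict(GOOD_CLAIMS, aud="https://graph.microsoft.com")),
        ("other tenant", dict(GOOD_CLAIMS, iss="https://sts.windows.net/99999999-0000-0000-0000-000000000000/")),
        # Passes the provider (same tenant, same audience) but maps to an unbound member.
        ("other app, same tenant", dict(GOOD_CLAIMS, appid="ffffffff-1111-2222-3333-444444444444")),
    ]
    for label, claims in cases:
        print(f"{label:24} -> can impersonate: {can_impersonate(make_token(claims))}")
```

The last case is the one worth remembering: a different application in the same tenant can present a token the provider accepts, and only the per-appid binding keeps it from impersonating the service account. If you widen the member to the whole pool (principalSet://.../azure-pool/*), that protection is gone.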
Step 9: Create a Cloud Provider in Next-Gen Trust Security
Performed in Next-Gen Trust Security
- Sign in to Next-Gen Trust Security.
- Click Configuration > Cloud Providers.
- Click New and select Google.
- Enter a Name for the new cloud provider.
- Enter your Google Service Account Email (from Step 4).
- Select Workload Identity Federation – Azure Identity Provider.
- Fill in the required fields with the exact values:
- Project number (the numeric project number shown on the GCP dashboard, not the project ID)
- Workload identity pool ID (from Step 6)
- Workload identity pool provider ID (from Step 7)
- Application (client) ID (from Azure AD app registration)
- Directory (tenant) ID (from Azure AD app registration)
- Client secret (from Step 2)
- Click Continue.
- Click Create.
Step 10: Validate and test the connection
Performed in Next-Gen Trust Security
- Click Configuration > Cloud Providers.
- Find the new cloud provider created in Step 9.
- Click the More options button and select Validate.
Note: A yellow icon indicates the provider has not been validated. It disappears after a successful validation.
If validation fails, check that the tenant ID, client ID and client secret entered in Step 9 match the Azure app registration, that the issuer and audience in Step 7 match the token Azure AD issues, and that the Step 8 binding uses the same pool ID and the bare client ID; then validate again.
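The page does not describe what Validate does internally. The following added Python example (not the product's own code) reproduces the standard three-leg exchange that Workload Identity Federation with an external OIDC provider relies on, so that when validation fails you can run each leg yourself and see whether Azure AD, the GCP STS provider, or the service account binding is the side that rejects. It assumes the Cloud Provider performs this same exchange; the configuration values, function names and the canned offline responses are constructed.

```python
import json
import urllib.error
import urllib.parse
import urllib.request

# Hypothetical configuration mirroring the Step 9 fields (constructed; substitute your own values).
CFG = {
    "tenant_id": "11111111-2222-3333-4444-555555555555",
    "client_id": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
    "client_secret": "<client secret from Step 2>",
    "project_number": "123456789012",
    "pool_id": "azure-pool",
    "provider_id": "azure-provider",
    "service_account": "tlspc-integration@my-project.iam.gserviceaccount.com",
}


def sts_audience(cfg: dict) -> str:
    """Audience Google STS expects: the full resource name of the Step 7 provider."""
    return (f"//iam.googleapis.com/projects/{cfg['project_number']}/locations/global/"
            f"workloadIdentityPools/{cfg['pool_id']}/providers/{cfg['provider_id']}")


def azure_token_request(cfg: dict):
    """Leg 1: client-credentials grant on the Azure AD v1 endpoint, which issues tokens with
    iss https://sts.windows.net/<tenant>/ (the Step 7 issuer). Requesting the Application ID URI
    as the resource makes the token's aud equal the Step 7 --allowed-audiences value."""
    url = f"https://login.microsoftonline.com/{cfg['tenant_id']}/oauth2/token"
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": cfg["client_id"],
        "client_secret": cfg["client_secret"],
        "resource": f"api://{cfg['client_id']}",
    }).encode()
    return url, {"Content-Type": "application/x-www-form-urlencoded"}, body


def gcp_sts_request(cfg: dict, azure_jwt: str):
    """Leg 2: RFC 8693 token exchange at Google STS. A failure here means the provider rejected
    the token (issuer, audience or attribute mapping from Step 7)."""
    body = json.dumps({
        "audience": sts_audience(cfg),
        "grantType": "urn:ietf:params:oauth:grant-type:token-exchange",
        "requestedTokenType": "urn:ietf:params:oauth:token-type:access_token",
        "scope": "https://www.googleapis.com/auth/cloud-platform",
        "subjectTokenType": "urn:ietf:params:oauth:token-type:jwt",
        "subjectToken": azure_jwt,
    }).encode()
    return "https://sts.googleapis.com/v1/token", {"Content-Type": "application/json"}, body


def impersonation_request(cfg: dict, federated_token: str):
    """Leg 3: mint a short-lived service account access token. A 403 here means the Step 8
    roles/iam.workloadIdentityUser binding does not cover the mapped attribute.subject."""
    url = (f"https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/"
           f"{cfg['service_account']}:generateAccessToken")
    body = json.dumps({"scope": ["https://www.googleapis.com/auth/cloud-platform"]}).encode()
    headers = {"Content-Type": "application/json", "Authorization": f"Bearer {federated_token}"}
    return url, headers, body


def http_post(url: str, headers: dict, body: bytes) -> dict:
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=20) as resp:
        return json.load(resp)


def canned_post(url: str, headers: dict, body: bytes) -> dict:
    """Offline stand-in for http_post with constructed responses, so the flow runs without credentials."""
    if "login.microsoftonline.com" in url:
        return {"access_token": "eyJ.constructed-azure-token.sig"}
    if "sts.googleapis.com" in url:
        return {"access_token": "constructed-federated-token"}
    return {"accessToken": "constructed-sa-token", "expireTime": "2030-01-01T00:00:00Z"}


def run_exchange(cfg: dict, post=http_post) -> dict:
    """Walk all three legs and name the one that failed, so you know which side to fix."""
    result = {}
    legs = [
        ("Azure AD token", lambda: azure_token_request(cfg)),
        ("GCP STS exchange", lambda: gcp_sts_request(cfg, result["access_token"])),
        ("service account impersonation", lambda: impersonation_request(cfg, result["access_token"])),
    ]
    for name, build in legs:
        try:
            result = post(*build())
        except urllib.error.HTTPError as e:
            raise RuntimeError(f"{name} failed: HTTP {e.code} {e.read().decode(errors='replace')}") from e
    return result


if __name__ == "__main__":
    print(run_exchange(CFG, post=canned_post))   # pass post=http_post for a live check
```

For a live run, fill CFG from the same values you entered in Step 9 and call run_exchange(CFG, post=http_post). The leg named in the error tells you where to look: leg 1 is the app registration or secret, leg 2 is the pool provider (decode the Azure token and compare iss and aud with Step 7), leg 3 is the Step 8 binding.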
Step 11: Add a Cloud Keystore
Performed in Next-Gen Trust Security
- Sign in to Next-Gen Trust Security.
- Click Insights > Cloud Keystores.
- Click New and select Google.
- Enter a Name for the new cloud keystore.
- Select a GCP Cloud Provider.
- Enter a Project Name.
- Enter a GCM Region.
- (Optional) To discover certificates on your keystore, enable Start discovery immediately and Include expired certificates. Once complete, create a schedule.
- Click Save. The new cloud keystore appears in the Cloud Keystore list.
Step 12: Provision a certificate
Performed in Next-Gen Trust Security
- Click the More actions (ellipsis) icon next to the cloud keystore you created, and then select Provision.
Tip: From this menu, you can also delete certificates if needed.
- From the dropdown, search for the certificate you want to provision, select it, and then click Provision. This creates a new certificate installation on the cloud keystore.
- (Optional) You can also re-provision, replace, or delete an existing certificate.
- Select your Cloud Keystore to open the details panel.
- Click the More actions (ellipsis) icon next to the certificate.
- Select Re-provision, Replace, or Delete, and complete the steps in the user interface.
Info:
- Re-provision re-installs the current certificate on the cloud keystore.
- Replace substitutes the current certificate with a different one.
- Delete removes the certificate from the cloud keystore.
Set up GCP Discovery Schedule
- In the Next-Gen Trust Security toolbar, click Installations and select Cloud Keystores.
- Select the Cloud Keystore name you want to perform a discovery on.
- From the right pane, select Discovery configuration and enable:
- Enable scheduled discovery
- Include expired certificates
- Under Repeat, select Daily, Weekly, or Advanced, then choose a time.
- Click Save.