Configure Workload Identity Federation with AWS or Azure VMs

This guide describes how to use Workload Identity Federation to let AWS andAzure VM workloads authenticate to Google Cloud without a service account key.

If you use Amazon Elastic Kubernetes Service (Amazon EKS) or Azure KubernetesService (AKS), seeConfigure Workload Identity Federation with Kubernetesto learn how to configure Workload Identity Federation for your clusters. Thispage covers only configuring Workload Identity Federation for AWS and AzureVMs.

By using Workload Identity Federation, workloads that run on AWS EC2 andAzure VMs can exchange their environment-specific credentials for short-livedGoogle Cloud Security Token Service tokens.

Environment-specific credentials include the following:

By setting up Workload Identity Federation, you can let these workloadsexchange these environment-specific credentials against short-livedGoogle Cloud credentials. Workloads can use these short-lived credentialsto access Google Cloud APIs.

Before you begin

  • Set up authentication.

    Important: New Amazon EC2 instances useIMDSv2.If your instance uses IMDSv2, you must follow the gcloud CLIinstructions instead of the Google Cloud console instructions. To learnmore, seeAmazon EC2 Instance Metadata Service (IMDSv2) by default.

    Select the tab for how you plan to use the samples on this page:

    Console

    When you use the Google Cloud console to access Google Cloud services and APIs, you don't need to set up authentication.

    gcloud

    In the Google Cloud console, activate Cloud Shell.

    Activate Cloud Shell

    At the bottom of the Google Cloud console, aCloud Shell session starts and displays a command-line prompt. Cloud Shell is a shell environment with the Google Cloud CLI already installed and with values already set for your current project. It can take a few seconds for the session to initialize.

    Python

    To use the Python samples on this page in a local development environment, install and initialize the gcloud CLI, and then set up Application Default Credentials with your user credentials.

      Install the Google Cloud CLI.

      If you're using an external identity provider (IdP), you must first sign in to the gcloud CLI with your federated identity.

      If you're using a local shell, then create local authentication credentials for your user account:

      gcloudauthapplication-defaultlogin

      You don't need to do this if you're using Cloud Shell.

      If an authentication error is returned, and you are using an external identity provider (IdP), confirm that you have signed in to the gcloud CLI with your federated identity.

    For more information, see Set up ADC for a local development environment in the Google Cloud authentication documentation.

Prepare your external identity provider

You only need to perform these steps once for each Microsoft Entra ID tenant orAWS account.

AWS

You don't need to make any configuration changes in your AWS account.

After youconfigure a workload identity pool to trust yourAWS account, you can letAWS users andAWS roles use permanent or temporary AWS security credentials to obtainshort-lived Google Cloud credentials.

Azure

You must create a newMicrosoft Entra ID application in your Microsoft Entra ID tenant and configure it so that it can be used forWorkload Identity Federation.

After youconfigure a workload identity pool to trust theapplication, Azure users and service principals can request access tokensfor this application and exchange these access tokens againstshort-lived Google Cloud credentials.

To create the application, do the following:

  1. Create a Microsoft Entra ID application and service principal.

  2. Set anApplication ID URI for the application.You can use the default Application ID URI(APPID) or specify a custom URI.

    You need the Application ID URI later when you configure the workloadidentity pool provider.

To let an application obtain access tokens for the Microsoft Entra ID application,you can usemanaged identities:

  1. Create a managed identity.Note the Object ID of the managed identity. You need it later whenyou configure impersonation.

  2. Assign the managed identity to a virtual machine or another resource that runs your application.

Note: If you use Azure's default settings, the new application grantsall users in the Microsoft Entra ID tenant permission to obtain access tokens.Useapp role assignments to restrict which identities can obtain access tokens for the application.

Configure Workload Identity Federation

You only need to perform these steps once per AWS account orMicrosoft Entra ID tenant. You can then use the same workload identitypool and provider for multiple workloads and across multiple Google Cloud projects.

To start configuring Workload Identity Federation, do the following:

    In the Google Cloud console, on the project selector page, select or create a Google Cloud project.

    Roles required to select or create a project

    • Select a project: Selecting a project doesn't require a specific IAM role—you can select any project that you've been granted a role on.
    • Create a project: To create a project, you need the Project Creator role (roles/resourcemanager.projectCreator), which contains theresourcemanager.projects.create permission.Learn how to grant roles.

    Go to project selector

    It's best touse a dedicated project to manage workload identity pools and providers.

    Verify that billing is enabled for your Google Cloud project.

    Enable the IAM, Resource Manager, Service Account Credentials, and Security Token Service APIs.

    Roles required to enable APIs

    To enable APIs, you need the Service Usage Admin IAM role (roles/serviceusage.serviceUsageAdmin), which contains theserviceusage.services.enable permission.Learn how to grant roles.

    Enable the APIs

Define an attribute mapping and condition

The environment-specific credentials of your AWS or Azure workload contain multiple attributes,and you must decide which attribute you want to use as subject identifier(google.subject) in Google Cloud.

Google Cloud uses the subject identifier in Cloud Audit Logs and inprincipal identifiers to uniquely identifyan AWS or Azure user or role.

Optionally, you canmap additional attributes.You can then refer to these additional attributes when granting access toresources.

AWS

Your attribute mapping can use theresponse fields forGetCallerIdentity as source attributes. These fields include the following:

  • account: the AWS account number.
  • arn: the AWS ARN of the external entity.
  • userid: the unique identifier of the calling entity.

If your application runs on anAmazon Elastic Compute Cloud (EC2) instance with an attached role,you can use the following attribute mapping:

google.subject=assertion.arnattribute.account=assertion.accountattribute.aws_role=assertion.arn.extract('assumed-role/{role}/')attribute.aws_ec2_instance=assertion.arn.extract('assumed-role/{role_and_session}').extract('/{session}')

The mapping does the following:

  • Uses the ARN as subject identifier—for example:"arn:aws:sts::000000000000:assumed-role/ec2-my-role/i-00000000000000000
  • Introduces a custom attributeaccount and assigns it the AWS accountID
  • Introduces a custom attributeaws_role and assigns it the AWS rolename—for example:ec2-my-role
  • Introduces a custom attributeaws_ec2_instance and assigns it the EC2instance ID—for example:i-00000000000000000

Using this mapping, you can grant access to:

  • A specific EC2 instance:

    principalSet://iam.googleapis.com/projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/attribute.aws_ec2_instance/EC2_INSTANCE_ID

  • All users and instances in a role:

    principalSet://iam.googleapis.com/projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/attribute.aws_role/ROLE_NAME

Azure

Your attribute mappings can use theclaims embedded in Azure access tokens,including custom claims, as source attributes.In most cases, it's best to use thesub claim as subject identifier:

google.subject=assertion.sub

When thesub claim surpasses the 127-character limit forgoogle.subject,we recommend that you use theextract functionto derive a subject identifier—for example:

google.subject=assertion.sub.extract('/eid1/c/pub/t/{sub_claim}')

For an access token issued to amanaged identity,thesub claim contains the Object ID of the managed identity. If you usea different claim, make sure that the claim is unique and can't be reassigned.

If you're unsure about the list of claims you can reference, do the following:

  1. Connect to an Azure VM that has an assigned managed identity.

  2. Obtain an access token from theAzure Instance Metadata Service (IMDS):

    Bash

    curl \  "http://169.254.169.254/metadata/identity/oauth2/token?resource=APP_ID_URI&api-version=2018-02-01" \  -H "Metadata: true" | jq -r .access_token

    This command uses thejq tool.jq is available by default in Cloud Shell.

    PowerShell

    $SubjectTokenType = "urn:ietf:params:oauth:token-type:jwt"$SubjectToken = (Invoke-RestMethod `  -Uri "http://169.254.169.254/metadata/identity/oauth2/token?resource=APP_ID_URI&api-version=2018-02-01" `  -Headers @{Metadata="true"}).access_tokenWrite-Host $SubjectToken

    ReplaceAPP_ID_URI with theApplication ID URIof the application that you'veconfigured for Workload Identity Federation.

  3. In a web browser, go tohttps://jwt.ms/ andpaste the access token into the field.

  4. ClickClaims to view the list of claims embedded in the access token.

For service identities, it's typically not necessary to create a mappingforgoogle.groups or any custom attributes.

Optionally, define anattribute condition. Attribute conditionsare CEL expressions that can check assertion attributes and target attributes.If the attribute condition evaluates totrue for a given credential, thecredential is accepted. Otherwise, the credential is rejected.

AWS

You can use an attribute condition to restrict which IAM users and rolescan use Workload Identity Federation to obtain short-lived Google Cloudtokens.

For example, the following condition restricts access to AWS roles anddisallowsother IAM identifiers:

assertion.arn.startsWith('arn:aws:sts::AWS_ACCOUNT_ID:assumed-role/')

Azure

You can use an attribute condition to restrict which users and service principalscan use Workload Identity Federation to obtain short-lived Google Cloudtokens. Alternatively, you can configure your Microsoft Entra IDapplication to useapp role assignments.

Create the workload identity pool and provider

Required roles

To get the permissions that you need to configure Workload Identity Federation, ask your administrator to grant you the following IAM roles on the project:

For more information about granting roles, seeManage access to projects, folders, and organizations.

You might also be able to get the required permissions throughcustom roles or otherpredefined roles.

Alternatively, the IAM Owner (roles/owner) basic role alsoincludes permissions to configure identity federation.You should not grant basic roles in a production environment, but you can grant them in adevelopment or test environment.

You now have collected all of the information that you need to create a workload identitypool and provider:

Console

  1. In the Google Cloud console, go to theNew workload provider and poolpage.

    Go to New workload provider and pool

  2. In theCreate an identity pool section, enter the following:

    • Name: Name for the pool. The name is also used as the pool ID.You can't change the pool ID later.
    • Description: Text that describes the purpose of the pool.

  3. ClickContinue.

  4. Configure provider settings:

    AWS

    Configure the following provider settings:

    • Select a provider:AWS.
    • Provider name: the name for the provider. The name is also usedas the provider ID. You cannot change the provider ID later.

    Azure

    Configure the following provider settings:

    • Select a provider:OpenID Connect (OIDC).
    • Provider name: Name for the provider. The name is also usedas the provider ID. You cannot change the provider ID later.
    • Issuer URL:https://sts.windows.net/TENANT_ID.ReplaceTENANT_ID with thetenant ID (GUID) of your Microsoft Entra ID tenant.
    • Allowed audiences:Application ID URI that you used whenyou registered the application in Microsoft Entra ID.

  5. ClickContinue.

  6. In theConfigure provider attributes section, addtheattribute mappings that you've identified previously.

  7. In theAttribute conditions section, enter theattribute conditionthat you identified previously. Leave the field blank if you don't havean attribute condition.

  8. ClickSave to create the workload identity pool and provider.

gcloud

  1. Create a new workload identity pool:

    gcloud iam workload-identity-pools createPOOL_ID \    --location="global" \    --description="DESCRIPTION" \    --display-name="DISPLAY_NAME"

    Replace the following:

    • POOL_ID: the unique ID for the pool.
    • DISPLAY_NAME: the name of the pool.
    • DESCRIPTION: the description of the pool. This descriptionappears when granting access to pool identities.

  2. Add a workload identity pool provider:

    AWS

    To create the workload identity pool provider for AWS, execute thefollowing command:

    gcloud iam workload-identity-pools providers create-awsPROVIDER_ID \  --location="global" \  --workload-identity-pool="POOL_ID" \  --account-id="ACCOUNT_ID" \  --attribute-mapping="MAPPINGS" \  --attribute-condition="CONDITIONS"

    Replace the following:

    Example:

    gcloudiamworkload-identity-poolsproviderscreate-awsexample-provider\--location="global"\--workload-identity-pool="pool-1"\--account-id="123456789000"\--attribute-mapping="google.subject=assertion.arn"

    Azure

    To create the workload identity pool provider for Azure, execute thefollowing command:

    gcloud iam workload-identity-pools providers create-oidcPROVIDER_ID \    --location="global" \    --workload-identity-pool="POOL_ID" \    --issuer-uri="ISSUER_URI" \    --allowed-audiences="APPLICATION_ID_URI" \    --attribute-mapping="MAPPINGS" \    --attribute-condition="CONDITIONS"

    Replace the following:

    • PROVIDER_ID: The unique ID for the provider.
    • POOL_ID: The ID of the pool.
    • ISSUER_URI: Thetenant ID (GUID) of your Microsoft Entra ID tenant, sometimes formatted ashttps://sts.windows.net/TENANT_ID. Theissuer URI can vary, and to find your issuer URI, you can debugyour JWT usingJWT.io.
    • APPLICATION_ID_URI:Application IDURI that you used whenyou registered the applicationin Microsoft Entra ID.
    • MAPPINGS: The comma-separated list ofattribute mappings that youpreviously identified.
    • CONDITIONS: (Optional) Theattribute conditionthat you previously identified.

    Example:

    gcloudiamworkload-identity-poolsproviderscreate-oidcexample-provider\--location="global"\--workload-identity-pool="pool-1"\--issuer-uri="https://sts.windows.net/00000000-1111-2222-3333-444444444444"\--allowed-audiences="api://my-app"\--attribute-mapping="google.subject=assertion.sub,google.groups=assertion.groups"
Note: The prefixgcp- is reserved and can't be used in a pool or provider ID.

Authenticate a workload

You must perform these steps once per workload.

Allow your external workload to access Google Cloud resources

To provide your workload with access to Google Cloud resources, werecommend that you grant direct resource access to the principal. In this case,the principal is the federated user. Some Google Cloud products haveGoogle Cloud API limitations.If your workload calls an API endpoint that has a limitation, you can insteaduse service account impersonation. In this case, the principal is theGoogle Cloud service account, which acts as the identity. You grant accessto the service account on the resource.

Direct resource access

You can grant access to a federated identity directly on resources by usingthe Google Cloud console or the gcloud CLI.

Console

To use the Google Cloud console to grant IAM rolesdirectly on a resource, you must go to the resource's page, and thengrant the role. The following example shows you how to goto the Cloud Storage page and grant the role Storage Object Viewer(roles/storage.objectViewer) to a federated identity directly on aCloud Storage bucket.

  1. In the Google Cloud console, go to the Cloud StorageBuckets page.

    Go to Buckets

  2. In the list of buckets, click the name of the bucket for which youwant to grant the role.

  3. Select thePermissions tab near the top of the page.

  4. Click theGrant access button.

    TheAdd principals dialog appears.

  5. In theNew principals field, enter one or more identitiesthat need access to your bucket.

    By subject

    principal://iam.googleapis.com/projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/subject/SUBJECT

    Replace the following:

    • PROJECT_NUMBER: the projectnumber
    • POOL_ID: the workloadpool ID
    • SUBJECT: the individualsubject mapped from your IdP—for example,administrator@example.com

    By group

    principalSet://iam.googleapis.com/projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/group/GROUP

    Replace the following:

    • PROJECT_NUMBER: the projectnumber
    • WORKLOAD_POOL_ID: the workloadpool ID
    • GROUP: the groupmapped from your IdP—for example:administrator-group@example.com

    By attribute

    principalSet://iam.googleapis.com/projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/attribute.ATTRIBUTE_NAME/ATTRIBUTE_VALUE

    Replace the following:

    • PROJECT_NUMBER: the projectnumber
    • WORKLOAD_POOL_ID: the workloadpool ID
    • ATTRIBUTE_NAME: one of theattributes that was mapped from your IdP
    • ATTRIBUTE_VALUE: the valueof the attribute

  6. Select a role (or roles) from theSelect a role drop-down menu.The roles you select appear in the pane with a short description ofthe permissions they grant.

  7. ClickSave.

gcloud

To use the gcloud CLI to grant IAM roles on aresource in a project, do the following:

  1. Obtain the project number of the project in which the resourceis defined.

    gcloud projects describe $(gcloud config get-value core/project) --format=value\(projectNumber\)

  2. Grant access to the resource.

    To use the gcloud CLI to grant the role Storage Object Viewer (roles/storage.objectViewer) to external identities that meet certain criteria, run the following command.

    By subject

    gcloud storage buckets add-iam-policy-bindingBUCKET_ID \    --role=roles/storage.objectViewer \    --member="principal://iam.googleapis.com/projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/subject/SUBJECT"

    By group

    gcloud storage buckets add-iam-policy-bindingBUCKET_ID \    --role=roles/storage.objectViewer \    --member="principalSet://iam.googleapis.com/projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/group/GROUP"

    By attribute

    gcloud storage buckets add-iam-policy-bindingBUCKET_ID \    --role=roles/storage.objectViewer \    --member="principalSet://iam.googleapis.com/projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/attribute.ATTRIBUTE_NAME/ATTRIBUTE_VALUE"

    Replace the following:

    • BUCKET_ID:the bucket on which to grant access
    • PROJECT_NUMBER: theproject number.of the project that contains the workload identity pool
    • POOL_ID: the pool ID of the workload identity pool
    • SUBJECT: the expected value for the attribute thatyou've mappedtogoogle.subject
    • GROUP: the expected value for the attribute thatyou've mappedtogoogle.groups
    • ATTRIBUTE_NAME: the name of a custom attribute inyour attribute mapping
    • ATTRIBUTE_VALUE: the value of the custom attribute in your attribute mapping

    You can grant roles on any Google Cloud resource that supportsIAM allow policies.

    Note: You must use the project number, not the project ID, in themember identifier.

Service account impersonation

  1. To create a service account for the external workload, do the following:

    1. Enable the IAM, Security Token Service, and Service Account Credentials APIs.

      Roles required to enable APIs

      To enable APIs, you need the Service Usage Admin IAM role (roles/serviceusage.serviceUsageAdmin), which contains theserviceusage.services.enable permission.Learn how to grant roles.

      Enable the APIs

    2. Create a service accountthat represents the workload. We recommend that youuse a dedicated service account for each workload.The service account doesn't need to be in the same project as theworkload identity pool, but you must refer to the project thatcontains the service account.

    3. Grant the service account accessto resources that you want external identities to access.

  2. To let the federated identity impersonate the service account, do thefollowing:

Console

To use the Google Cloud console to grant IAM rolesto a federated identity with service account, do the following:

Service Account in the same project

  1. To grant access using service account impersonation for aservice account in the same project, do the following:

    1. Go to theWorkload Identity Pools page.

      Go to Workload Identity Pools

    2. SelectGrant access.

    3. In theGrant access to service account dialog, selectGrant access using Service Account impersonation.

    4. In theService accounts list, select theservice account for the external identities to impersonate,and do the following:

    5. To choose which identities in the pool can impersonate theservice account, perform one of the following actions:

      • To allow only specific identities of the workloadidentity pool to impersonate the service account, selectOnly identities matching the filter.

      • In theAttribute name list, select the attributethat you want to filter on.

      • In theAttribute value field, enter the expectedvalue of the attribute; for example, if you use anattribute mappinggoogle.subject=assertion.sub, setAttribute name tosubject andAttribute valueto the value of thesub claim in tokens that areissued by your external identity provider.

    6. To save the configuration, clickSave and thenDismiss.

Service account in a different project

Note: Service accounts from different projects won't appear in the"CONNECTED SERVICE ACCOUNTS" section of yourWorkload Identity Pool.

  1. To grant access using service account impersonation for aservice account in a different project, do the following:

    1. Go to theService Accounts page.

      Go to Service Accounts

    2. Select the service account that you want to impersonate.

    3. ClickManage access.

    4. ClickAdd principal.

    5. In theNew principal field, enter one of the followingprincipal identifiersfor the identities in your pool that will impersonate theservice account.

      By subject

      principal://iam.googleapis.com/projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/subject/SUBJECT

      Replace the following:

      • PROJECT_NUMBER: the projectnumber
      • POOL_ID: the workloadpool ID
      • SUBJECT: the individualsubject mapped from your IdP—for example,administrator@example.com

      By group

      principalSet://iam.googleapis.com/projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/group/GROUP

      Replace the following:

      • PROJECT_NUMBER: the projectnumber
      • WORKLOAD_POOL_ID: the workloadpool ID
      • GROUP: the groupmapped from your IdP—for example:administrator-group@example.com

      By attribute

      principalSet://iam.googleapis.com/projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/attribute.ATTRIBUTE_NAME/ATTRIBUTE_VALUE

      Replace the following:

      • PROJECT_NUMBER: the projectnumber
      • WORKLOAD_POOL_ID: the workloadpool ID
      • ATTRIBUTE_NAME: one of theattributes that was mapped from your IdP
      • ATTRIBUTE_VALUE: the valueof the attribute

      By pool

      principalSet://iam.googleapis.com/projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/*

      Replace the following:

      • PROJECT_NUMBER: the projectnumber
      • WORKLOAD_POOL_ID: the workloadpool ID

    6. InSelect a role, select the Workload Identity Userrole (roles/iam.workloadIdentityUser).

    7. To save the configuration, clickSave.

gcloud

To grant the Workload Identity User role (roles/iam.workloadIdentityUser) to a federated principal or principal set, run the following command. To learn more about Workload Identity Federation principal identifiers, seePrincipal types.

By subject

gcloud iam service-accounts add-iam-policy-bindingSERVICE_ACCOUNT_EMAIL \    --role=roles/iam.workloadIdentityUser \    --member="principal://iam.googleapis.com/projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/subject/SUBJECT"

By group

gcloud iam service-accounts add-iam-policy-bindingSERVICE_ACCOUNT_EMAIL \    --role=roles/iam.workloadIdentityUser \    --member="principalSet://iam.googleapis.com/projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/group/GROUP"

By attribute

gcloud iam service-accounts add-iam-policy-bindingSERVICE_ACCOUNT_EMAIL \    --role=roles/iam.workloadIdentityUser \    --member="principalSet://iam.googleapis.com/projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/attribute.ATTRIBUTE_NAME/ATTRIBUTE_VALUE"

Replace the following:

  • SERVICE_ACCOUNT_EMAIL:the email address of the service account
  • PROJECT_NUMBER: theproject number.of the project that contains the workload identity pool
  • POOL_ID: the pool ID of the workload identity pool
  • SUBJECT: the expected value for the attribute thatyou've mappedtogoogle.subject
  • GROUP: the expected value for the attribute thatyou've mappedtogoogle.groups
  • ATTRIBUTE_NAME: the name of a custom attribute inyour attribute mapping
  • ATTRIBUTE_VALUE: the value of the custom attribute in your attribute mapping

Note: You must use the project number, not the project ID, in themember identifier.

Download or create a credential configuration

TheCloud Client Libraries, thegcloud CLI, and Terraform, can automatically obtain externalcredentials, and use these credentials to impersonate a service account. Tolet libraries and tools complete this process, you have to provide a credentialconfiguration file. This file defines the following:

  • Where to obtain external credentials from
  • Which workload identity pool and provider to use
  • Which service account to impersonate
Note: Unlike aservice account key,a credential configuration file doesn't contain a private key and doesn't needto be kept confidential. Details about the credential configuration file areavailable athttps://google.aip.dev/auth/4117.

To create a credential configuration file, do the following:

Console

To download a credential configuration file in the Google Cloud console,do the following:

  1. In the Google Cloud console, go to theWorkload Identity Poolspage.

    Go to Workload Identity Pools

  2. Find the workload identity pool for the IdP that you wantto use and click it.

  3. If you chose to use direct resource access, do the following:

    1. ClickGrant access.

    2. SelectGrant access using federated identities (Recommended).

    3. ClickDownload.

    4. Continue with instructions toConfigure your application dialog,later in this procedure.

  4. If you chose to use service account impersonation, do the following:

    1. SelectConnected service accounts.

    2. Find the service account you want to use and clickDownload.

    3. Continue with instructions toConfigure your application dialog,later in this procedure.

  5. In theConfigure your application dialog, select the provider thatcontains the external identities.

  6. Provide the following additional settings:

    AWS

    No additional settings required.

    Azure

    Application ID URL: Application ID URI of the Azure application

  7. SelectDownload configto download the credential configuration file, then clickDismiss.

If you want to use the Security Token Service regional endpoints—for example,https://sts.us-central1.rep.googleapis.com, refer toUsing regional Security Token Service endpoints for better reliability.

gcloud

To create a credential configuration file by usinggcloud iam workload-identity-pools create-cred-config,do the following:

AWS

To create a credential configuration file that lets the library obtainan access token from EC2 instance metadata, do the following:

gcloud iam workload-identity-pools create-cred-config \    projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/providers/PROVIDER_ID \    --service-account=SERVICE_ACCOUNT_EMAIL \    --service-account-token-lifetime-seconds=SERVICE_ACCOUNT_TOKEN_LIFETIME \    --aws \    --sts-location=REGION \    --output-file=FILEPATH.json

Replace the following:

  • PROJECT_NUMBER: The project number of the project that contains the workload identity pool
  • POOL_ID: The ID of the workload identity pool.
  • PROVIDER_ID: The ID of the workload identity pool provider.
  • SERVICE_ACCOUNT_EMAIL: If you use service account impersonation, replace with the email address of the service account. Omit this flag if you don't use service account impersonation.
  • SERVICE_ACCOUNT_TOKEN_LIFETIME: If you use service account impersonation, replace with the lifetime of the service account access token, in seconds; this defaults to one hour when not provided. Omit this flag if you don't use service account impersonation. To specify a lifetime longer than one hour, you must configure theconstraints/iam.allowServiceAccountCredentialLifetimeExtensionorganizational policy constraint.
  • FILEPATH: The file to save configuration to.
  • Region: Optional. Specify the region of theregional Security Token Service endpoints, if they are available.

If you useAWS IMDSv2,an additional flag--enable-imdsv2 needs to be added to thegcloud iam workload-identity-pools create-cred-configcommand:

gcloud iam workload-identity-pools create-cred-config \    projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/providers/PROVIDER_ID \    --service-account=SERVICE_ACCOUNT_EMAIL \    --aws \    --enable-imdsv2 \    --sts-location=REGION \    --output-file=FILEPATH.json

If using the AWS metadata server isn't an option, you can provide AWSsecurity credentials through the following AWS environment variables:

  • AWS_ACCESS_KEY_ID
  • AWS_SECRET_ACCESS_KEY
  • Either ofAWS_REGION orAWS_DEFAULT_REGION
  • Optional:AWS_SESSION_TOKEN

The gcloud CLI and libraries use these AWS environmentvariables when the AWS metadata server is unavailable.

Azure

Create a credential configuration file that lets the library obtainan access token from the Azure Instance Metadata Service (IMDS):

gcloud iam workload-identity-pools create-cred-config \    projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/providers/PROVIDER_ID \    --service-account=SERVICE_ACCOUNT_EMAIL \    --service-account-token-lifetime-seconds=SERVICE_ACCOUNT_TOKEN_LIFETIME \    --azure \    --app-id-uriAPPLICATION_ID_URI \    --sts-location=REGION \    --output-file=FILEPATH.json

Replace the following:

  • PROJECT_NUMBER: The project number of the project that contains the workload identity pool.
  • POOL_ID: The ID of the workload identity pool.
  • PROVIDER_ID: The ID of the workload identity pool provider.
  • SERVICE_ACCOUNT_EMAIL: If you use service account impersonation, replace with the email address of the service account. Omit this flag if you don't use service account impersonation.
  • APPLICATION_ID_URI: The Application ID URI of the Azure application.
  • SERVICE_ACCOUNT_TOKEN_LIFETIME: If you use service account impersonation,lifetime of the service account access token, in seconds; this defaults to one hour when not provided. Omit this flag if you don't use service account impersonation. To specify a lifetime longer than one hour, you must configure theconstraints/iam.allowServiceAccountCredentialLifetimeExtensionorganizational policy constraint.
  • FILEPATH: The file to save configuration to.
  • Region: Optional. Specify the region of theregional Security Token Service endpoints, if they are available.

Use the credential configuration to access Google Cloud

To let tools and client libraries use your credential configuration, do thefollowing in your AWS or Azure environment:

  1. Initialize an environment variableGOOGLE_APPLICATION_CREDENTIALS and pointit to the credential configuration file:

    Bash

      export GOOGLE_APPLICATION_CREDENTIALS=`pwd`/FILEPATH.json
     whereFILEPATH is the relative path to the credential configuration file.

    PowerShell

      $env:GOOGLE_APPLICATION_CREDENTIALS = Resolve-Path 'FILEPATH.json'
     whereFILEPATH is the relative path to the credential configuration file.

  2. Use a client library or tool that supports Workload Identity Federationand canfind credentials automatically:

    C++

    TheGoogle Cloud Client Libraries for C++support Workload Identity Federation since versionv2.6.0.To use Workload Identity Federation, you must build the client librarieswith version 1.36.0 or later of gRPC.

    Go

    Client libraries for Go support Workload Identity Federation if they use versionv0.0.0-20210218202405-ba52d332ba99 or later of thegolang.org/x/oauth2 module.

    To check which version of this module your client library uses, run thefollowing commands:

    cd$GOPATH/src/cloud.google.com/gogolist-mgolang.org/x/oauth2

    Java

    Client libraries for Java support Workload Identity Federation if they use version 0.24.0or later of thecom.google.auth:google-auth-library-oauth2-http artifact.

    To check which version of this artifact your client library uses, run thefollowing Maven command in your application directory:

    mvndependency:list-DincludeArtifactIds=google-auth-library-oauth2-http

    Node.js

    Client libraries for Node.js support Workload Identity Federation if they use version7.0.2 or later of thegoogle-auth-library package.

    To check which version of this package your client library uses, run thefollowing command in your application directory:

    npmlistgoogle-auth-library

    When you create aGoogleAuth object, you can specify a project ID, or you canallowGoogleAuth to find the project ID automatically. To find the project IDautomatically, the service account in the configuration file must have theBrowser role (roles/browser), or a role with equivalent permissions, on yourproject. For details, see theREADME for thegoogle-auth-library package.

    Python

    Client libraries for Python support Workload Identity Federation if they use version1.27.0 or later of thegoogle-auth package.

    To check which version of this package your client library uses, run thefollowing command in the environment where the package is installed:

    pipshowgoogle-auth

    To specify a project ID for the authentication client, you can set theGOOGLE_CLOUD_PROJECT environment variable, or you can allow the client to findthe project ID automatically. To find the project ID automatically, the serviceaccount in the configuration file must have the Browser role (roles/browser),or a role with equivalent permissions, on your project. For details, see theuser guide for thegoogle-auth package.

    gcloud

    To authenticate using Workload Identity Federation, use thegcloud auth login command:

    gcloud auth login --cred-file=FILEPATH.json

    ReplaceFILEPATH with the path to thecredential configuration file.

    Support for Workload Identity Federation in gcloud CLI is available inversion 363.0.0 and later versions of the gcloud CLI.

    Terraform

    TheGoogle Cloud providersupports Workload Identity Federation if you use version 3.61.0 or later:

    terraform {  required_providers {    google = {      source  = "hashicorp/google"      version = "~> 3.61.0"    }  }}

    bq

    To authenticate using Workload Identity Federation, use thegcloud auth login command, as follows:

    gcloud auth login --cred-file=FILEPATH.json

    ReplaceFILEPATH with the path to thecredential configuration file.

    Support for Workload Identity Federation in bq is available inversion 390.0.0 and later versions of the gcloud CLI.

    If you can't use a client library that supportsWorkload Identity Federation, you canauthenticate programmatically byusing the REST API.

Advanced scenarios

Authenticate a workload using the REST API

If you can't use the client libraries, you can follow these steps to letan external workload obtain a short-lived access token by using the REST API:

  1. Obtain credentials from your external IdP:

    AWS

    Create a JSON document that contains the information that you would normallyinclude in a request to the AWSGetCallerIdentity() endpoint, including a validrequest signature.

    Workload Identity Federation refers to this JSON document as aGetCallerIdentity token. The token lets Workload Identity Federationverify the identity without revealing the AWS secret access key.

    AGetCallerIdentity token looks similar to the following:

    {"url":"https://sts.amazonaws.com?Action=GetCallerIdentity&Version=2011-06-15","method":"POST","headers":[{"key":"Authorization","value":"AWS4-HMAC-SHA256 Credential=AKIASOZTBDV4D7ABCDEDF/20200228/us-east-1/sts/aws4_request, SignedHeaders=host;x-amz-date,Signature=abcedefdfedfd"},{"key":"host","value":"sts.amazonaws.com"},{"key":"x-amz-date","value":"20200228T225005Z"},{"key":"x-goog-cloud-target-resource","value":"//iam.googleapis.com/projects/12345678/locations/global/workloadIdentityPools/my-pool/providers/my-aws-provider"},{"key":"x-amz-security-token","value":"GizFWJTqYX...xJ55YoJ8E9HNU="}]}

    The token contains the following fields:

    • url: The URL of the AWS STS endpoint forGetCallerIdentity(),with the body of a standardGetCallerIdentity() request appendedas query parameters. For example,https://sts.amazonaws.com?Action=GetCallerIdentity&Version=2011-06-15.We recommend that you use regional STS endpoints anddesign a reliable infrastructure for your workloads.For more information, seeRegional AWS STS endpoints.
    • method: The HTTP request method:POST.
    • headers: The HTTP request headers, which must include:
      • Authorization: The request signature.
      • host: The hostname of theurl field; for example,sts.amazonaws.com.
      • x-amz-date: The time you will send the request, formatted as anISO 8601 Basic string. This value is typically set to the current time and isused to help prevent replay attacks.
      • x-goog-cloud-target-resource: The full resource name of theidentity provider without ahttps: prefix. For example:
        //iam.googleapis.com/projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/providers/PROVIDER_ID
      • x-amz-security-token: Session token. Only required if you areusingtemporary security credentials.

    The following example creates a URL-encodedGetCallerIdentity token.Extract the URL-encoded token for later use. It also creates ahuman-readable token just for your reference:

    importjsonimporturllibimportboto3frombotocore.authimportSigV4Authfrombotocore.awsrequestimportAWSRequestdefcreate_token_aws(project_number:str,pool_id:str,provider_id:str)->None:# Prepare a GetCallerIdentity request.request=AWSRequest(method="POST",url="https://sts.amazonaws.com/?Action=GetCallerIdentity&Version=2011-06-15",headers={"Host":"sts.amazonaws.com","x-goog-cloud-target-resource":f"//iam.googleapis.com/projects/{project_number}/locations/global/workloadIdentityPools/{pool_id}/providers/{provider_id}",},)# Set the session credentials and Sign the request.# get_credentials loads the required credentials as environment variables.# Refer:# https://boto3.amazonaws.com/v1/documentation/api/latest/guide/credentials.htmlSigV4Auth(boto3.Session().get_credentials(),"sts","us-east-1").add_auth(request)# Create token from signed request.token={"url":request.url,"method":request.method,"headers":[]}forkey,valueinrequest.headers.items():token["headers"].append({"key":key,"value":value})# The token lets workload identity federation verify the identity without revealing the AWS secret access key.print("Token:\n%s"%json.dumps(token,indent=2,sort_keys=True))print("URL encoded token:\n%s"%urllib.parse.quote(json.dumps(token)))defmain()->None:# TODO(Developer): Replace the below credentials.# project_number: Google Project number (not the project id)project_number="my-project-number"pool_id="my-pool-id"provider_id="my-provider-id"create_token_aws(project_number,pool_id,provider_id)if__name__=="__main__":main()

    Initialize the following variables:

    Bash

    SUBJECT_TOKEN_TYPE="urn:ietf:params:aws:token-type:aws4_request"SUBJECT_TOKEN=TOKEN

    PowerShell

    $SubjectTokenType = "urn:ietf:params:aws:token-type:aws4_request"$SubjectToken = "TOKEN"

    WhereTOKEN is theURL encodedGetCallerIdentity token that was generated by the script.

    Azure

    Connect to an Azure VM that has anassigned managed identity andobtain an access token from the Azure Instance Metadata Service (IMDS):

    Bash

    SUBJECT_TOKEN_TYPE="urn:ietf:params:oauth:token-type:jwt"SUBJECT_TOKEN=$(curl \  "http://169.254.169.254/metadata/identity/oauth2/token?resource=APP_ID_URI&api-version=2018-02-01" \  -H "Metadata: true" | jq -r .access_token)echo $SUBJECT_TOKEN

    This command uses thejq tool.jq is available by default in Cloud Shell.

    PowerShell

    $SubjectTokenType = "urn:ietf:params:oauth:token-type:jwt"$SubjectToken = (Invoke-RestMethod `  -Uri "http://169.254.169.254/metadata/identity/oauth2/token?resource=APP_ID_URI&api-version=2018-02-01" `  -Headers @{Metadata="true"}).access_tokenWrite-Host $SubjectToken

    WhereAPP_ID_URI is theApplication ID URIof the application that you'veconfigured for Workload Identity Federation.

  2. Use theSecurity Token Service API to exchange the credential againsta short-lived access token:

    Bash

    STS_TOKEN=$(curl https://sts.googleapis.com/v1/token \    --data-urlencode "audience=//iam.googleapis.com/projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/providers/PROVIDER_ID" \    --data-urlencode "grant_type=urn:ietf:params:oauth:grant-type:token-exchange" \    --data-urlencode "requested_token_type=urn:ietf:params:oauth:token-type:access_token" \    --data-urlencode "scope=https://www.googleapis.com/auth/cloud-platform" \    --data-urlencode "subject_token_type=$SUBJECT_TOKEN_TYPE" \    --data-urlencode "subject_token=$SUBJECT_TOKEN" | jq -r .access_token)echo $STS_TOKEN

    PowerShell

    [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12$StsToken = (Invoke-RestMethod `    -Method POST `    -Uri "https://sts.googleapis.com/v1/token" `    -ContentType "application/json" `    -Body (@{        "audience"           = "//iam.googleapis.com/projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/providers/PROVIDER_ID"        "grantType"          = "urn:ietf:params:oauth:grant-type:token-exchange"        "requestedTokenType" = "urn:ietf:params:oauth:token-type:access_token"        "scope"              = "https://www.googleapis.com/auth/cloud-platform"        "subjectTokenType"   = $SubjectTokenType        "subjectToken"       = $SubjectToken    } | ConvertTo-Json)).access_tokenWrite-Host $StsToken

    Replace the following values:

    • PROJECT_NUMBER: Project number of the projectthat contains the workload identity pool
    • POOL_ID: ID of the workload identity pool
    • PROVIDER_ID: ID of the workload identity pool provider

    To use regional Security Token Service endpoints, replacehttps://sts.googleapis.com/v1/token with the following:

     https://sts.REGION.rep.googleapis.com/v1/token

    ReplaceREGION with aGoogle Cloud location,for example,us-central1 oreurope-west4.

    Note: The audience must not include ahttps: scheme.

  3. If you use service account impersonation, use the token from theSecurity Token Service to invoke thegenerateAccessToken methodof theIAM Service Account Credentials APIto obtain an access token.

Tokens for Cloud Run services

When accessing a Cloud Run service, you must use an ID token.

Bash

TOKEN=$(curl -0 -X POST https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/SERVICE_ACCOUNT_EMAIL:generateIdToken \    -H "Content-Type: text/json; charset=utf-8" \    -H "Authorization: Bearer $STS_TOKEN" \    -d @- <<EOF | jq -r .token    {        "audience": "SERVICE_URL"    }EOF)echo $TOKEN

PowerShell

$Token = (Invoke-RestMethod `    -Method POST `    -Uri "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/SERVICE_ACCOUNT_EMAIL:generateIdToken" `    -Headers @{ "Authorization" = "Bearer $StsToken" } `    -ContentType "application/json" `    -Body (@{        "audience" = "SERVICE_URL"    } | ConvertTo-Json)).tokenWrite-Host $Token

Replace the following:

  • SERVICE_ACCOUNT_EMAIL: the email address of the service account.
  • SERVICE_URL: the URL of the service—for example,https://my-service-12345-us-central1.run.app. You can also set it to your custom service endpoint. For more information, seeUnderstanding custom audiences.

Tokens for other platforms

When accessing another service, you must use an access token.

Bash

TOKEN=$(curl -0 -X POST https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/SERVICE_ACCOUNT_EMAIL:generateAccessToken \    -H "Content-Type: text/json; charset=utf-8" \    -H "Authorization: Bearer $STS_TOKEN" \    -d @- <<EOF | jq -r .accessToken    {        "scope": [ "https://www.googleapis.com/auth/cloud-platform" ]    }EOF)echo $TOKEN

PowerShell

$Token = (Invoke-RestMethod `    -Method POST `    -Uri "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/SERVICE_ACCOUNT_EMAIL:generateAccessToken" `    -Headers @{ "Authorization" = "Bearer $StsToken" } `    -ContentType "application/json" `    -Body (@{        "scope" = , "https://www.googleapis.com/auth/cloud-platform"    } | ConvertTo-Json)).accessTokenWrite-Host $Token

Replace the following:

  • SERVICE_ACCOUNT_EMAIL: the email address of the service account.

What's next

Except as otherwise noted, the content of this page is licensed under theCreative Commons Attribution 4.0 License, and code samples are licensed under theApache 2.0 License. For details, see theGoogle Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2025-12-15 UTC.