GCP Workload Identity Federation with Azure

Avinash Jha
Google Cloud - Community
3 min read · Mar 7, 2023

This article outlines the steps necessary to implement workload identity federation, enabling Azure workloads to authenticate with Google Cloud Platform without the need for a service account key.

If you want to know how Workload Identity Federation authenticates with GCP without a service account key, refer to my earlier blog here.

Azure Federation

Using workload identity federation, workloads that run on Azure VMs can exchange their environment-specific credentials for short-lived tokens from the Google Cloud Security Token Service.

Permissions required for registering an app

Users must have sufficient permissions to register an application with your Azure AD tenant and to assign that application a role in your Azure subscription.

Check Azure AD permissions

  • Select Azure Active Directory.
  • Find your role under Overview->My feed. If you have the User role, you must make sure that non-administrators can register applications.
  • In the left pane, select Users and then User settings.
  • Check the App registrations setting. This value can only be set by an administrator. If set to Yes, any user in the Azure AD tenant can register an app.

If the app registrations setting is set to No, only users with an administrator role may register these types of applications.

Register your application with Azure AD

  • Select Azure Active Directory.
  • Select App registrations.
  • Select New registration.

Make a note of the tenant ID and the application ID.

Managed identities for Azure resources eliminate the need to manage credentials in code. You can use them to get an Azure Active Directory (Azure AD) token for your applications.

To create a user-assigned managed identity, your account needs the Managed Identity Contributor role assignment.

Attach the user-assigned managed identity to the virtual machine

Navigate to the virtual machine and click Identity.

Click User assigned, then click Add.

For more information, see the links below:
App registration
Create a managed identity
Tenant ID

Configuration required at GCP

Create a workload identity pool

gcloud iam workload-identity-pools create avi-azure-id \
  --location="global" \
  --description="azure workload federation" \
  --display-name="avi-azure-display"

Add a workload identity pool provider

gcloud iam workload-identity-pools providers create-oidc avi-azure-provider-id \
  --location="global" \
  --workload-identity-pool="avi-azure-id" \
  --issuer-uri="https://sts.windows.net/af49f025-433c-484f-aad0-18a0cd125b31" \
  --allowed-audiences="api://c610f3d7-2db2-472b-9082-4aaf5daa0c7e" \
  --attribute-mapping="google.subject=assertion.sub"

Grant the Workload Identity User role (roles/iam.workloadIdentityUser) on the service account to the identities in the pool

gcloud iam service-accounts add-iam-policy-binding wi-aws@test-sandbox.iam.gserviceaccount.com \
  --role=roles/iam.workloadIdentityUser \
  --member="principalSet://iam.googleapis.com/projects/749910885542/locations/global/workloadIdentityPools/avi-azure-id/*" \
  --project test-sandbox

Create a credential configuration file that lets the client library obtain an access token

gcloud iam workload-identity-pools create-cred-config \
  projects/749910885542/locations/global/workloadIdentityPools/avi-azure-id/providers/avi-azure-provider-id \
  --service-account=wi-aws@test-sandbox.iam.gserviceaccount.com \
  --azure \
  --app-id-uri api://c610f3d7-2db2-472b-9082-4aaf5daa0c7e \
  --output-file=client-config-mapping.json

Now you can use the client-config-mapping.json file on the Azure VM to authenticate and access GCP resources without creating a service account key.
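As an added example (not code from the article), here is a pre-flight check a practitioner can run on the Azure VM before relying on the credential configuration: it decodes the Azure AD token the managed identity returns (without verifying it), confirms that its iss, aud and sub claims line up with the issuer, allowed audience and attribute mapping of the provider created above, and builds the STS token-exchange request that the client library sends on your behalf. The issuer, audience, project number and pool/provider names are taken from the article's gcloud commands; the unsigned JWT helper is constructed so the check can be exercised offline.

```python
import base64
import json

# Values from the article's provider and credential configuration.
PROVIDER_ISSUER = "https://sts.windows.net/af49f025-433c-484f-aad0-18a0cd125b31"
ALLOWED_AUDIENCES = {"api://c610f3d7-2db2-472b-9082-4aaf5daa0c7e"}
STS_AUDIENCE = ("//iam.googleapis.com/projects/749910885542/locations/global/"
                "workloadIdentityPools/avi-azure-id/providers/avi-azure-provider-id")


def decode_jwt_claims(token: str) -> dict:
    """Return the payload claims of a JWT WITHOUT verifying the signature.
    Inspection only: Google's STS verifies the signature against the issuer's keys."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_token_against_provider(token: str) -> list:
    """Return mismatch descriptions; an empty list means STS should accept the token."""
    claims = decode_jwt_claims(token)
    problems = []
    # Azure v1 tokens may carry a trailing slash on iss; compare normalized values.
    if str(claims.get("iss", "")).rstrip("/") != PROVIDER_ISSUER.rstrip("/"):
        problems.append(f"iss {claims.get('iss')!r} does not match --issuer-uri")
    aud = claims.get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    if not any(a in ALLOWED_AUDIENCES for a in auds):
        problems.append(f"aud {aud!r} is not in --allowed-audiences")
    if "sub" not in claims:
        problems.append("no sub claim; mapping google.subject=assertion.sub would fail")
    return problems


def sts_exchange_body(azure_token: str) -> dict:
    """Form fields for POST https://sts.googleapis.com/v1/token (RFC 8693 token exchange)."""
    return {
        "grant_type": "urn:ietf:params:oauth:grant-type:token-exchange",
        "audience": STS_AUDIENCE,
        "scope": "https://www.googleapis.com/auth/cloud-platform",
        "requested_token_type": "urn:ietf:params:oauth:token-type:access_token",
        "subject_token_type": "urn:ietf:params:oauth:token-type:jwt",
        "subject_token": azure_token,
    }


def make_unsigned_jwt(claims: dict) -> str:
    """Constructed test token (header and payload only, empty signature) for offline checks."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."
```

On the VM, the real token comes from the instance metadata endpoint with the app ID URI as the resource; the federated token returned by STS is then used to call generateAccessToken on the service account, which is exactly what the credential configuration file automates.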

Thank you for taking the time to read this content. If you found it helpful, please consider giving it a thumbs up.
