Introducing Workload Identity Federation Playground

Loïc Sikidi
Google Cloud - Community
3 min readMay 15, 2023

I’m a huge fan of Workload Identity Federation (anything that lets me get rid of a service account key becomes my friend)! However, I have to admit that configuring it is not the most obvious task, and it’s not uncommon to hear colleagues complaining about it...

This is (among others) why I decided to create a playground to make this wonderful tool more accessible 🚀.

The Playground in Action

I’ll cover below:

  1. Which pains the playground tries to solve
  2. How the playground works
  3. The roadmap

Which pains does the playground try to solve?

1️⃣ Learn a new language

Like other GCP components (e.g. IAM Conditions), Workload Identity Federation relies on CEL (Common Expression Language), a language created and (mostly) maintained by Google. It is not complex for someone with a developer background, but it is still a new skill to learn, and a playground is the perfect place to do that!

Note: I observe a proliferation of policy languages (Rego, Sentinel, Cedar, etc.), which is not necessarily in the end user’s interest…

2️⃣ Testing

If you want to check that your attribute mapping and attribute condition behave as intended against the token schema of an external identity provider, you can test them beforehand, before any real token is exchanged.

Note: in another post, I will show how you can use this project to write unit tests.

3️⃣ Debugging

Once a Workload Identity Federation provider is in production, a specific token may be rejected (e.g. because it fails the attribute condition). If you know the token’s claims, you can use the playground to find the root cause.
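As an added example (not the playground’s own code, which evaluates real CEL in the browser), here is a small Go emulation of what the playground models for the testing and debugging cases above: an attribute mapping and an attribute condition are applied to the claims of an external token, and the result is either the list of IAM principal identifiers (principal:// and principalSet://) you could bind roles to, or a rejection with the reason. It only understands assertion.<claim> references, single-quoted string literals, == and && (real CEL is far richer), and the GitHub Actions claims, project number and pool ID are constructed for the example, not taken from a real setup.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Claims is the decoded payload of the external OIDC token (string claims only).
type Claims map[string]string

// Mapping is one attribute-mapping entry; Provider is the subset of a WIF provider used here.
type Mapping struct{ Target, Expr string }
type Provider struct {
	ProjectNumber, PoolID string
	Mappings              []Mapping // e.g. {"google.subject", "assertion.sub"}
	Condition             string    // e.g. "assertion.repository_owner == 'my-org'"
}

// evalValue resolves one expression. Real WIF accepts any CEL expression; this
// toy only understands `assertion.<claim>` and a single-quoted string literal.
func evalValue(expr string, c Claims) (string, error) {
	expr = strings.TrimSpace(expr)
	if claim := strings.TrimPrefix(expr, "assertion."); claim != expr {
		if v, ok := c[claim]; ok {
			return v, nil
		}
		return "", fmt.Errorf("%s is not present in the token", expr)
	}
	if n := len(expr); n >= 2 && expr[0] == '\'' && expr[n-1] == '\'' {
		return expr[1 : n-1], nil
	}
	return "", fmt.Errorf("unsupported expression %q", expr)
}

// evalCondition evaluates `a == b` terms joined by &&; an empty condition accepts everything.
func evalCondition(cond string, c Claims) (bool, error) {
	for _, term := range strings.Split(cond, "&&") {
		if strings.TrimSpace(term) == "" {
			continue
		}
		l, r, ok := strings.Cut(term, "==")
		if !ok {
			return false, fmt.Errorf("unsupported condition term %q", term)
		}
		lv, err := evalValue(l, c)
		if err != nil {
			return false, err
		}
		if rv, err := evalValue(r, c); err != nil || lv != rv {
			return false, err
		}
	}
	return true, nil
}

// Exchange emulates the federation step: map the claims, check the condition, build the principals.
func Exchange(p Provider, c Claims) ([]string, error) {
	base := fmt.Sprintf("iam.googleapis.com/projects/%s/locations/global/workloadIdentityPools/%s", p.ProjectNumber, p.PoolID)
	var principals []string
	hasSubject := false
	for _, m := range p.Mappings {
		v, err := evalValue(m.Expr, c)
		if err != nil {
			return nil, fmt.Errorf("mapping %s: %w", m.Target, err)
		}
		switch {
		case m.Target == "google.subject":
			hasSubject = true
			principals = append(principals, "principal://"+base+"/subject/"+v)
		case strings.HasPrefix(m.Target, "attribute."):
			principals = append(principals, "principalSet://"+base+"/"+m.Target+"/"+v)
		default: // google.groups is out of scope for this toy
			return nil, fmt.Errorf("unsupported mapping target %q", m.Target)
		}
	}
	if !hasSubject {
		return nil, errors.New("google.subject mapping is required")
	}
	if ok, err := evalCondition(p.Condition, c); err != nil {
		return nil, fmt.Errorf("attribute condition: %w", err)
	} else if !ok {
		return nil, errors.New("attribute condition is false: token rejected")
	}
	return principals, nil
}

// SampleProvider is a hypothetical GitHub Actions provider (made-up project number and pool ID).
func SampleProvider() Provider {
	return Provider{ProjectNumber: "123456789012", PoolID: "github-pool",
		Mappings: []Mapping{{"google.subject", "assertion.sub"},
			{"attribute.repository", "assertion.repository"}, {"attribute.owner", "assertion.repository_owner"}},
		Condition: "assertion.repository_owner == 'my-org' && assertion.ref == 'refs/heads/main'"}
}

// SampleClaims are constructed GitHub Actions token claims, not a real token.
func SampleClaims() Claims {
	return Claims{"sub": "repo:my-org/my-repo:ref:refs/heads/main", "repository": "my-org/my-repo",
		"repository_owner": "my-org", "ref": "refs/heads/main"}
}

func main() {
	fmt.Println(Exchange(SampleProvider(), SampleClaims()))
	forged := SampleClaims() // same claims but issued for a feature branch: fails the condition
	forged["ref"] = "refs/heads/feature"
	fmt.Println(Exchange(SampleProvider(), forged))
}
```

Running it prints the three principal identifiers for the main-branch token, then the rejection reason for the feature-branch token; a missing claim surfaces as a mapping error rather than a silent false, which is exactly the kind of root cause the debugging scenario is about. With the real playground you paste the token’s JSON and your mapping instead of editing the Go sample.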

How does the playground work?

The website was built with privacy as a first-class citizen:

  • There is no tracking on the website (no Google Analytics or similar)
  • CEL evaluation is performed directly inside the browser, which means that no data leaves your laptop

The project is open-source and can be found here (I encourage you to verify these statements yourself).

The project uses WebAssembly to run Go directly in the browser and mainly emulates Workload Identity Federation behaviour (based on the specifications and a series of tests I’ve performed against the API).

Interaction inside the browser

Roadmap

Improve provider support

Currently, only OpenID Connect providers are supported. In the next couple of weeks, I’ll add support for AWS and SAML providers.

Improve the frontend

Add a user-friendly interface for the attribute mapping.

Conclusion

I invite you to give it a try and send me your feedback so I can improve it 🫶.

You can access the playground here or run it locally:

docker run --rm -it -p 8080:8080 ghcr.io/loicsikidi/wif-go:latest

Thank you for reading this far, see you soon!
