Introducing Workload Identity Federation Playground
I’m a huge fan of Workload Identity Federation (indeed, anything that lets me get rid of a service account key becomes my friend)! However, I have to admit that configuring it is not the most obvious task, and it’s not uncommon for me to hear colleagues complaining about it...
This is (among other reasons) why I decided to create a playground to make this wonderful tool more accessible 🚀.
I’ll explain below:
- Which pains the playground tries to solve
- How the playground works
- The roadmap
Which pains the playground tries to solve
1️⃣ Learn a new language
Like other GCP components (e.g. IAM Conditions), Workload Identity Federation relies on CEL (Common Expression Language), a language created and (mostly) maintained by Google, for its attribute mappings and attribute conditions. CEL is not complex for someone with a developer background, but it is still a new skill to learn, and a playground is the perfect place to do that!
Note: I observe a multiplication of policy languages (Rego, Sentinel, Cedar, etc.), which is not necessarily in the end user’s interest…
2️⃣ Testing
You can check beforehand that your attribute mapping and attribute condition behave as intended against the token format of your external identity provider, before anything is deployed.
Note: in another post, I will show how this project can be used to write unit tests for your configuration.
3️⃣ Debugging
Once a Workload Identity Federation setup is in production, it may happen that a specific token is rejected (e.g. by the attribute condition). If you know the token’s contents, you can use the playground to find the root cause.
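As an added example (my own, not the playground’s code), here is a small Go emulation of the testing and debugging workflows described above: decode a token you already hold without verifying its signature, resolve an attribute mapping, then evaluate an attribute condition and report why it failed. It only understands mappings of the form `assertion.<claim>` and conditions of the form `attribute.x in [...]`; the real service evaluates arbitrary CEL, so treat this as a reproduction aid rather than a substitute for the playground or the API. The token, claim values, mapping and condition are constructed for illustration; the 127-character limit on `google.subject` is the documented one.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Claims is the decoded JSON payload of an OIDC ID token.
type Claims map[string]any

// DecodeUnverified returns a compact JWS payload WITHOUT checking the signature:
// fine for reproducing a mapping against a token you already hold, never for authorising.
func DecodeUnverified(token string) (Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("token is not a three-part compact JWS")
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, fmt.Errorf("payload is not base64url: %w", err)
	}
	var c Claims
	if err := json.Unmarshal(raw, &c); err != nil {
		return nil, fmt.Errorf("payload is not JSON: %w", err)
	}
	return c, nil
}

// ApplyMapping resolves a mapping whose values are all "assertion.<claim>" (the only form
// this toy supports; the real service accepts any CEL) and reports the first defect a real
// mapping would also trip over: missing/non-string claim, no google.subject, subject > 127 chars.
func ApplyMapping(mapping map[string]string, c Claims) (map[string]string, error) {
	attrs := map[string]string{}
	for target, expr := range mapping {
		if !strings.HasPrefix(expr, "assertion.") {
			return nil, fmt.Errorf("%s: %q is not of the form assertion.<claim>", target, expr)
		}
		claim := strings.TrimPrefix(expr, "assertion.")
		v, ok := c[claim]
		if !ok {
			return nil, fmt.Errorf("%s: claim %q is absent from the token", target, claim)
		}
		s, ok := v.(string)
		if !ok {
			return nil, fmt.Errorf("%s: claim %q is not a string", target, claim)
		}
		attrs[target] = s
	}
	subject, ok := attrs["google.subject"]
	if !ok {
		return nil, errors.New("mapping does not set google.subject")
	}
	if len(subject) > 127 {
		return nil, fmt.Errorf("google.subject is %d characters, limit is 127", len(subject))
	}
	return attrs, nil
}

// Evaluate checks the one condition shape supported here, "<attr> in allowed", and on
// failure says why: the reason is the whole point when a token is rejected in production.
func Evaluate(attr string, allowed []string, attrs map[string]string) (bool, string) {
	v, ok := attrs[attr]
	if !ok {
		return false, attr + " is not set by the mapping"
	}
	for _, a := range allowed {
		if v == a {
			return true, ""
		}
	}
	return false, fmt.Sprintf("%s=%q is not in %v", attr, v, allowed)
}

// SampleToken builds an unsigned token for offline use; the third segment is a
// placeholder, not a signature. Claim values passed in are constructed, not real.
func SampleToken(payload map[string]any) string {
	enc := func(v any) string {
		b, _ := json.Marshal(v)
		return base64.RawURLEncoding.EncodeToString(b)
	}
	return enc(map[string]string{"alg": "RS256", "typ": "JWT"}) + "." + enc(payload) + ".sig"
}

func main() {
	token := SampleToken(map[string]any{"sub": "repo:acme/app:ref:refs/heads/main", "repository": "acme/app"})
	claims, err := DecodeUnverified(token)
	if err != nil {
		panic(err)
	}
	attrs, err := ApplyMapping(map[string]string{"google.subject": "assertion.sub", "attribute.repository": "assertion.repository"}, claims)
	if err != nil {
		panic(err)
	}
	fmt.Println(Evaluate("attribute.repository", []string{"acme/app"}, attrs))
}
```

To reproduce a production rejection, replace the constructed payload with the claims of the rejected token (decoded locally, never pasted into a third-party site) and your real mapping and condition values; the returned reason tells you whether the failure comes from a claim the provider did not send, a mapping that never set the attribute, or a value outside the allowed set.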
How the playground works
The website has been built with privacy as a first-class citizen:
- There is no tracking on the website (no Google Analytics or similar)
- CEL evaluation is performed directly in the browser, so no token data leaves your machine
The project is open-source and can be found here (I encourage you to verify my statements by yourself).
The project uses WebAssembly to run Go code directly in the browser and emulates Workload Identity Federation behaviour (based on the documentation and a series of tests I performed against the API). Being an emulation, it can lag behind the real service, which remains the final arbiter of what a mapping or condition does.
Roadmap
Improve provider support
Currently, only the OpenID Connect provider type is supported. In the next couple of weeks, I’ll add support for AWS and SAML providers.
Improve the frontend
Add a user-friendly interface for building the attribute mapping.