# [[GCP Authentication]]

![[GCP Authentication.svg]]

[[Authentication]] in [[Google Cloud Platform|GCP]] is the process of verifying the identity of an actor. In GCP, this verification can be done in several ways.

## User authentication

A user can authenticate with GCP by logging into their Google account. This authentication method is appropriate for people. When there are many people whose permissions must be managed, it's recommended to use enterprise identity management to categorize people into groups so that people don't need to be individually granted access to resources.

## Service account

A service account is a special account created for use not by individuals but by applications, VMs, containers, or services. Service accounts are typically authenticated by:

- Using a service account key, stored in a [[JSON]] file
- Getting temporary credentials from the [[GCP Metadata Server]]

Service account authentication is often long-term and can be used offline.

## Workload Identity Federation

Workload Identity Federation (WIF) is an authentication process that maps an external identity to a GCP service account. External identities that use WIF are usually external workloads such as apps running on [[AWS]], [[Azure]], [[GitHub Actions]], or on-prem systems.

WIF authentication most commonly involves service accounts, but technically WIF [[Impersonation|impersonates]] a service account. This might seem similar to service account authentication, but the key distinction is that in WIF the external identity does not *own* the service account's credentials; it's only temporarily allowed to act as if it *were* the service account. In WIF, actors never receive the service account's private key; they are just allowed to act as the service account for a limited time. WIF authentication is often short-term (one hour by default).
## Recommendation

WIF is the recommended form of authentication to GCP because it:

- is short-lived
- is scoped
- does not require a long-lived service account key, unlike service account key authentication
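As an added example (not part of this note), a small Python check that tells a service account key file apart from a WIF credential configuration and flags the one that embeds a long-lived private key; it is the kind of audit that backs the recommendation above. The field names follow the JSON layouts gcloud produces for the two credential types; the sample files, project number, paths and service account e-mail are constructed.

```python
import json

LONG_LIVED = "long-lived secret: rotate or replace with WIF"
SHORT_LIVED = "short-lived token, no private key"

# Constructed sample: a service account key file (placeholder key material).
SA_KEY_SAMPLE = json.dumps({
    "type": "service_account",
    "client_email": "app@example-project.iam.gserviceaccount.com",
    "private_key_id": "PLACEHOLDER_KEY_ID",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
})

# Constructed sample: a WIF credential configuration for an external OIDC workload.
WIF_CONFIG_SAMPLE = json.dumps({
    "type": "external_account",
    "audience": "//iam.googleapis.com/projects/000000000000/locations/global/"
                "workloadIdentityPools/example-pool/providers/example-provider",
    "subject_token_type": "urn:ietf:params:oauth:token-type:jwt",
    "token_url": "https://sts.googleapis.com/v1/token",
    "service_account_impersonation_url": "https://iamcredentials.googleapis.com/v1/projects/-/"
        "serviceAccounts/app@example-project.iam.gserviceaccount.com:generateAccessToken",
    "credential_source": {"file": "/var/run/secrets/oidc/token"},
})

def classify_credential(raw: str) -> dict:
    """Report which GCP authentication method a credential JSON uses and its risk."""
    cred = json.loads(raw)
    kind = cred.get("type")
    has_key = "private_key" in cred
    if kind == "service_account":
        return {"method": "service account key", "principal": cred.get("client_email"),
                "has_private_key": has_key, "risk": LONG_LIVED}
    if kind == "external_account":
        impersonation = cred.get("service_account_impersonation", {})
        return {"method": "workload identity federation", "principal": cred.get("audience"),
                "has_private_key": has_key, "risk": SHORT_LIVED,
                "impersonates_service_account": "service_account_impersonation_url" in cred,
                # Impersonated tokens default to a one-hour lifetime unless the config overrides it.
                "lifetime_seconds": int(impersonation.get("token_lifetime_seconds", 3600))}
    if kind == "authorized_user":
        return {"method": "user account", "principal": cred.get("client_id"),
                "has_private_key": has_key, "risk": "refresh token tied to a person"}
    raise ValueError(f"unrecognised credential type: {kind!r}")

def audit(files: dict) -> list:
    """Return names of credential files that embed a long-lived private key."""
    return [name for name, raw in files.items() if classify_credential(raw)["has_private_key"]]
```

Running `audit` over a directory of credential files points at exactly the key files that should be retired in favour of WIF.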