Do not trust anyone! (in the cloud)


DevOps Undefined

Workload Identity explained! How does it work in the major cloud providers and CI/CD services?
How to securely issue temporary AWS (Amazon Web Services) credentials for applications that run on Google Cloud Platform (GCP)?
#GCP #AWS #WorkloadIdentity #CloudTrust #idToken
GCP VM identity authentication flow for AWS services
Prerequisites
GCP
1.1 Service Account in GCP (optional): cloud.google.com/iam/docs/ser...
The default service account is used in the example below. If you create a custom account, just replace the name "default" below.
1.2 Virtual Machine in GCP: cloud.google.com/compute/docs...
1.3 Assign the previously created GCP service account to the VM: cloud.google.com/compute/docs...
1.4 AWS CLI installed in the GCP VM: docs.aws.amazon.com/cli/lates...
1.5 Issue a GCP idToken from the GCP VM to get the AUTHORIZED_PARTY (azp) and SUBJECT (sub) encoded in the token:
curl -H "Metadata-Flavor: Google" \
  'http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/identity?audience=AUDIENCE'
Note: the audience URI parameter can be set to a custom value. Just make sure to use one and the same value here and in 2.1.
You can check the generated token payload by pasting it in jwt.io
AWS
2.1 Create an IAM role for OpenID Connect federation: docs.aws.amazon.com/IAM/lates...
with the following statement:
{
  "Effect": "Allow",
  "Principal": {"Federated": "accounts.google.com"},
  "Action": "sts:AssumeRoleWithWebIdentity",
  "Condition": {
    "StringEquals": {
      "accounts.google.com:aud": "azp-value-from-the-token-payload",
      "accounts.google.com:oaud": "AUDIENCE",
      "accounts.google.com:sub": "sub-value-from-the-token-payload"
    }
  }
}
and attach an AWS IAM policy to the created role to allow access to specific AWS resources: docs.aws.amazon.com/IAM/lates...
Note: "azp-value-from-the-token-payload" and "sub-value-from-the-token-payload" should be replaced with the values from the generated token payload.
The "StringEquals" conditions ensure that the defined IAM role can be assumed only by the intended GCP service account.
Note: the AUDIENCE string can be set to a custom value. Just make sure to use one and the same value in 1.5 and 2.1.
Authentication workflow
From the GCP Virtual Machine:
Construct the role ARN
ROLE_ARN="arn:aws:iam::your_aws_account_id:role/your_aws_role_name"
Note: "your_aws_account_id" and "your_aws_role_name" should be replaced with the AWS Account ID and the AWS role name created in 2.1
Generate a GCP identity token
jwt_token=$(curl -sH "Metadata-Flavor: Google" "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/identity?audience=AUDIENCE&format=full&licenses=FALSE")
Get the "sub" claim from the token. First split the token using dot as separator, then take the second part (the payload), base64-decode it and read the value of the "sub" key. JWT segments use the unpadded base64url alphabet, so "-" and "_" are mapped back to "+" and "/" before @base64d decodes them.
jwt_sub=$(jq -rR 'split(".") | .[1] | gsub("-"; "+") | gsub("_"; "/") | @base64d | fromjson | .sub' <<< "$jwt_token")
Call the AssumeRoleWithWebIdentity API to request AWS temporary credentials
credentials=$(aws sts assume-role-with-web-identity --role-arn "$ROLE_ARN" --role-session-name "$jwt_sub" --web-identity-token "$jwt_token" | jq '.Credentials | .Version = 1')
Print the credentials
echo "$credentials"
The returned AWS credential format (the shape an AWS CLI credential_process helper must emit, which is why Version is set to 1) is:
{
  "Version": 1,
  "AccessKeyId": "xxxxxxxx",
  "SecretAccessKey": "xxxxxxxx",
  "SessionToken": "xxxxxxxx",
  "Expiration": "xxxxxxxx"
}
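The whole flow above packaged as one helper script, added here as an example and not the video's own code: it derives the 2.1 trust-policy values from the token itself instead of pasting it into jwt.io, handles the unpadded base64url encoding of JWT segments, and performs the STS exchange as a credential_process-style helper. It assumes the AWS CLI and jq are installed on the GCE VM for the live exchange; the metadata hostname metadata.google.internal is the documented one, and the `run` entry point is this script's own convention.

```shell
#!/usr/bin/env bash
# Added example, not from the video. Assumes the AWS CLI and jq are installed
# on the GCE VM for the live exchange; token parsing needs only coreutils/sed.
set -eu

MD="http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/identity"

# Ask the metadata server to sign an idToken for AUDIENCE (works only on a GCE VM).
fetch_id_token() { curl -sfH "Metadata-Flavor: Google" "${MD}?audience=$1&format=full"; }

# Decode the JWT payload (2nd dot-separated segment). JWT segments are *unpadded
# base64url*, so map '-_' back to '+/' and restore '=' padding before base64 -d.
jwt_payload() {
  local seg pad
  seg=$(printf '%s' "$1" | cut -d. -f2 | tr '_-' '/+')
  pad=$(( (4 - ${#seg} % 4) % 4 ))
  printf '%s%*s' "$seg" "$pad" '' | tr ' ' '=' | base64 -d
}

# Extract a string-valued claim (sub, azp, aud) from the compact JSON payload.
jwt_claim() { jwt_payload "$1" | sed -n "s/.*\"$2\":\"\([^\"]*\)\".*/\1/p"; }

# Render the role trust policy of step 2.1 from the token's own claims:
# AWS matches accounts.google.com:aud against azp, :oaud against aud, :sub against sub.
trust_policy() {
  local azp aud sub
  azp=$(jwt_claim "$1" azp); aud=$(jwt_claim "$1" aud); sub=$(jwt_claim "$1" sub)
  cat <<EOF
{"Version":"2012-10-17","Statement":[{"Effect":"Allow",
 "Principal":{"Federated":"accounts.google.com"},
 "Action":"sts:AssumeRoleWithWebIdentity",
 "Condition":{"StringEquals":{"accounts.google.com:aud":"$azp",
   "accounts.google.com:oaud":"$aud","accounts.google.com:sub":"$sub"}}}]}
EOF
}

# credential_process flow: fetch a token, exchange it, emit Version-1 credential JSON.
assume_aws_role() {  # usage: assume_aws_role ROLE_ARN AUDIENCE
  local tok
  tok=$(fetch_id_token "$2")
  aws sts assume-role-with-web-identity --role-arn "$1" \
      --role-session-name "gcp-$(jwt_claim "$tok" sub)" --web-identity-token "$tok" \
      --query Credentials --output json | jq '.Version = 1'
}

# Only run the live exchange when invoked as: ./script run ROLE_ARN AUDIENCE
if [ "${1:-}" = "run" ]; then assume_aws_role "$2" "$3"; fi
```

Point `credential_process` in ~/.aws/config at `./script run ROLE_ARN AUDIENCE` and the CLI will fetch fresh temporary credentials on demand; `trust_policy "$(fetch_id_token AUDIENCE)"` prints the exact policy to attach to the role in 2.1.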
00:00 - Intro
00:05 - What is trust
00:18 - Workload Identity
00:32 - Basic trust concept
01:02 - Use GCP Metadata service to create a signed idToken
01:22 - Call the AssumeRoleWithWebIdentity API to request AWS temporary credentials
01:40 - OpenID Connect based trust in all major cloud providers
