dinvlad

Reputation: 1314

Impersonate Azure Service Principal from a Google Service Account

I'd like to obtain temporary credentials for an Azure Service Principal (SP) using a Google Service Account JWT token. This is needed for calling Azure APIs from a GKE workload, without having to store long-term SP credentials in GKE.

Is such federation possible for GCP -> Azure (I know it is for Azure -> GCP, based on [1], as well as GCP -> AWS [2]), and how would I achieve it?

[1] https://cloud.google.com/iam/docs/workload-identity-federation

[2] https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-idp_oidc.html

Upvotes: 4

Views: 789

Answers (1)

Timothy Leung

Reputation: 1465

I don't see why you can't store the credential in GKE, assuming that your workload is secure.

You will probably need a broker service that the service can authenticate to and fetch a temporary credential from. In that case, you will not need to store the credential in GKE long term.

However, the threat model is still the same: if your workload is compromised, the attacker can also impersonate your workload and fetch credentials using the broker service.

Upvotes: 0
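The broker pattern the answer describes hinges on one thing the answer leaves implicit: the broker must fully verify the Google-signed ID token before it hands out anything. The following is an added example, not code from the original post and not Google's or Azure's code. It assumes the GKE workload has already fetched an audience-bound ID token from the metadata server and presented it to the broker; the RSA key pair generated here stands in for Google's published signing keys (a real broker fetches those from Google's JWKS endpoint and matches on `kid`), and the audience `https://broker.example` and the service account email `app@proj.iam.gserviceaccount.com` are constructed values. `AuthorizeCaller` returns only a grant expiry; the call that would actually obtain an Azure credential is out of scope and left out.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

const googleIssuer = "https://accounts.google.com" // issuer of Google ID tokens

// Claims is the subset of a Google ID token the broker must check.
type Claims struct {
	Iss           string `json:"iss"`
	Aud           string `json:"aud"`
	Email         string `json:"email"`
	EmailVerified bool   `json:"email_verified"`
	Exp           int64  `json:"exp"`
}

var enc = base64.RawURLEncoding

// MintIDToken stands in for the GKE metadata server: it signs an RS256 JWT with a
// locally generated key (constructed for this example, not Google's real key).
func MintIDToken(priv *rsa.PrivateKey, c Claims) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	body, _ := json.Marshal(c)
	input := enc.EncodeToString(hdr) + "." + enc.EncodeToString(body)
	d := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, d[:])
	if err != nil {
		return "", err
	}
	return input + "." + enc.EncodeToString(sig), nil
}

// VerifyIDToken is the broker-side check. Skipping any step lets an attacker with
// some other Google token, or a token minted for another service, reach Azure.
func VerifyIDToken(tok string, pub *rsa.PublicKey, wantAud string, now time.Time) (*Claims, error) {
	p := strings.Split(tok, ".")
	if len(p) != 3 {
		return nil, errors.New("malformed token")
	}
	hdrRaw, e1 := enc.DecodeString(p[0])
	bodyRaw, e2 := enc.DecodeString(p[1])
	sig, e3 := enc.DecodeString(p[2])
	if e1 != nil || e2 != nil || e3 != nil {
		return nil, errors.New("bad base64url segment")
	}
	hdr := map[string]string{}
	// Pin the algorithm: rejects alg=none and HMAC key-confusion tokens.
	if json.Unmarshal(hdrRaw, &hdr) != nil || hdr["alg"] != "RS256" {
		return nil, errors.New("unexpected alg")
	}
	d := sha256.Sum256([]byte(p[0] + "." + p[1]))
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, d[:], sig) != nil {
		return nil, errors.New("bad signature")
	}
	var c Claims // only parsed after the signature is known good
	if err := json.Unmarshal(bodyRaw, &c); err != nil {
		return nil, err
	}
	switch {
	case c.Iss != googleIssuer && c.Iss != "accounts.google.com":
		return nil, fmt.Errorf("unexpected issuer %q", c.Iss)
	case c.Aud != wantAud: // must be minted for this broker, not replayed from elsewhere
		return nil, fmt.Errorf("audience %q is not this broker", c.Aud)
	case now.Unix() >= c.Exp:
		return nil, errors.New("token expired")
	case !c.EmailVerified:
		return nil, errors.New("email not verified")
	}
	return &c, nil
}

// AuthorizeCaller maps an allow-listed service account to a short-lived grant and
// returns its expiry. A real broker would obtain the Azure token at this point.
func AuthorizeCaller(c *Claims, allowed map[string]bool, now time.Time, ttl time.Duration) (time.Time, error) {
	if !allowed[c.Email] {
		return time.Time{}, fmt.Errorf("service account %q not authorised", c.Email)
	}
	return now.Add(ttl), nil
}

func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	now, sa := time.Now(), "app@proj.iam.gserviceaccount.com" // constructed identity
	tok, _ := MintIDToken(key, Claims{Iss: googleIssuer, Aud: "https://broker.example",
		Email: sa, EmailVerified: true, Exp: now.Add(time.Hour).Unix()})
	c, err := VerifyIDToken(tok, &key.PublicKey, "https://broker.example", now)
	if err != nil {
		panic(err)
	}
	exp, err := AuthorizeCaller(c, map[string]bool{sa: true}, now, 15*time.Minute)
	fmt.Println(c.Email, exp, err)
}
```

The audience check is the one most often dropped and the one that matters most here: without it, any Google ID token the attacker can obtain for any other audience (a token meant for some unrelated service, say) is accepted by the broker. Binding the token to the broker's own audience and keeping the grant TTL short limits what a compromised workload can do to exactly what the answer's threat model already concedes.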
