
Aembit offers the Google Workload Identity Federation (WIF) Credential Provider to integrate with Google Cloud services. This provider allows your Client Workloads to authenticate to Google Cloud with an OIDC token issued by Aembit and obtain short-lived security tokens for accessing Google Cloud services and resources, in place of a long-lived service account key distributed to the workload.

To configure a Google Workload Identity Federation Credential Provider, follow the steps outlined below.

  1. Log into your Aembit tenant.

  2. Click on the Credential Providers tab in the left navigation pane. You are directed to the Credential Providers page, which lists the existing Credential Providers. In this example, there are no existing Credential Providers yet.

    Credential Providers - Main Page Empty

  3. Click on the New button to open the Credential Providers dialog window.

    Credential Providers - Dialog Window Empty

  4. In the Credential Providers dialog window, enter the following information:

    • Name - Name of the Credential Provider.

    • Description - An optional text description of the Credential Provider.

    • Credential Type - A dropdown menu that enables you to configure the Credential Provider type. Select Google Workload Identity Federation.

    • OIDC Issuer URL - The OpenID Connect (OIDC) Issuer URL, auto-generated by Aembit. It is a dedicated endpoint for OIDC authentication with Google Cloud and is the issuer that the Workload Identity Pool Provider on the Google Cloud side must be configured to trust.

    • Audience - The aud (Audience) claim that must be present in the OIDC token when requesting credentials from Google Cloud. Google Cloud rejects a token whose aud does not match the Workload Identity Pool Provider it is presented to, so the value must match one of the following, depending on how the provider was set up:

      • Default - The full canonical resource name of the Workload Identity Pool Provider, in the form https://iam.googleapis.com/projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/providers/PROVIDER_ID (used if "Default audience" was chosen during provider setup).
      • Allowed Audiences - One of the values in the provider's allowed audiences list, if such a list was defined.
    • Service Account Email - The email address of the Google Cloud service account that the Client Workload will act as. Every service account has a unique email address of the form service-account-name@project-id.iam.gserviceaccount.com that serves as its identifier; this email is used when granting IAM permissions and when the service account interacts with other services.

    • Lifetime (seconds) - Specify how long the issued credentials remain valid, in seconds, up to a maximum of 1 hour (3,600 seconds). A shorter lifetime narrows the window in which a leaked token can be reused.

    Credential Providers - Dialog Window Completed

  5. Click Save when finished. You will be directed back to the Credential Providers page, where you will see your newly created Credential Provider.

    Credential Providers - Main Page With New Credential Provider
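The following Python block is an added example and is not Aembit or Google code. It models the rules behind the dialog fields above, the issuer the token must carry, the Audience rule (the provider's default audience, or a value from the allowed audiences list when one is defined), and the 1 hour Lifetime ceiling, and then builds the two Google API calls that Workload Identity Federation uses to turn such an OIDC token into a service account access token: the STS token exchange and generateAccessToken. The project number, pool and provider IDs, issuer URL and service account email are hypothetical placeholders, the claim set is constructed for illustration, and JWT signature verification against the issuer's JWKS is deliberately left out.

```python
"""Added example, not Aembit or Google code: the issuer, audience and lifetime
rules behind the dialog fields above, and the two Google API calls that
Workload Identity Federation uses to turn such a token into a service account
access token. Every identifier below is a hypothetical placeholder."""
import time
from dataclasses import dataclass, field

# Hypothetical values standing in for what you would enter in the dialog.
PROJECT_NUMBER = "123456789012"
POOL_ID = "aembit-pool"
PROVIDER_ID = "aembit-oidc"
ISSUER_URL = "https://issuer.example.invalid"  # placeholder for the auto-generated OIDC Issuer URL
SERVICE_ACCOUNT = "service-account-name@project-id.iam.gserviceaccount.com"
MAX_LIFETIME = 3600  # the dialog caps Lifetime at 1 hour


def provider_resource_name(project_number, pool_id, provider_id):
    """Full canonical resource name of the Workload Identity Pool Provider."""
    return (f"projects/{project_number}/locations/global/"
            f"workloadIdentityPools/{pool_id}/providers/{provider_id}")


def default_audiences(project_number, pool_id, provider_id):
    """aud values Google accepts when the provider has no allowed-audiences list:
    the canonical name with or without the https:// prefix (Google's documented default)."""
    name = provider_resource_name(project_number, pool_id, provider_id)
    return {"https://iam.googleapis.com/" + name, "//iam.googleapis.com/" + name}


@dataclass
class ProviderConfig:
    """GCP-side provider settings the Aembit fields must agree with."""
    issuer_url: str
    project_number: str
    pool_id: str
    provider_id: str
    allowed_audiences: list = field(default_factory=list)

    def accepted_audiences(self):
        # Rule from the page: use the allowed-audiences list if one is defined, else the default.
        if self.allowed_audiences:
            return set(self.allowed_audiences)
        return default_audiences(self.project_number, self.pool_id, self.provider_id)


def check_token_claims(claims, cfg, now=None):
    """Issuer, audience and lifetime checks applied to the OIDC token's claims.
    Signature verification against the issuer's JWKS is out of scope here.
    Returns (ok, reason)."""
    now = time.time() if now is None else now
    if claims.get("iss") != cfg.issuer_url:
        return False, "issuer mismatch"
    aud = claims.get("aud")
    auds = set(aud) if isinstance(aud, list) else {aud}  # aud may be a string or a list
    if not auds & cfg.accepted_audiences():
        return False, "audience not accepted"
    exp = claims.get("exp")
    if exp is None or exp <= now:
        return False, "token expired"
    if exp - claims.get("iat", now) > MAX_LIFETIME:
        return False, "lifetime exceeds 3600s"
    return True, "ok"


def sts_exchange_request(subject_token, cfg):
    """Form body for POST https://sts.googleapis.com/v1/token (RFC 8693 token exchange).
    The STS 'audience' parameter uses the '//iam.googleapis.com/...' form."""
    name = provider_resource_name(cfg.project_number, cfg.pool_id, cfg.provider_id)
    return {
        "grant_type": "urn:ietf:params:oauth:grant-type:token-exchange",
        "audience": "//iam.googleapis.com/" + name,
        "scope": "https://www.googleapis.com/auth/cloud-platform",
        "requested_token_type": "urn:ietf:params:oauth:token-type:access_token",
        "subject_token_type": "urn:ietf:params:oauth:token-type:jwt",
        "subject_token": subject_token,
    }


def impersonation_request(service_account_email, lifetime_seconds):
    """URL and JSON body for the second hop: generateAccessToken on the service account,
    clamped to the same 1 hour ceiling the dialog enforces."""
    lifetime = min(int(lifetime_seconds), MAX_LIFETIME)
    url = ("https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/"
           f"{service_account_email}:generateAccessToken")
    return url, {"scope": ["https://www.googleapis.com/auth/cloud-platform"],
                 "lifetime": f"{lifetime}s"}


if __name__ == "__main__":
    cfg = ProviderConfig(ISSUER_URL, PROJECT_NUMBER, POOL_ID, PROVIDER_ID)
    now = 1_700_000_000
    # Constructed claim set (unsigned, for illustration) as the Credential Provider's token would carry it.
    good = {"iss": ISSUER_URL, "sub": "client-workload-1", "iat": now, "exp": now + 600,
            "aud": "https://iam.googleapis.com/" + provider_resource_name(PROJECT_NUMBER, POOL_ID, PROVIDER_ID)}
    print(check_token_claims(good, cfg, now=now + 30))
    # aud bound to a different provider is rejected, which is the point of the Audience field.
    wrong_provider = {**good, "aud": "https://iam.googleapis.com/" + provider_resource_name(PROJECT_NUMBER, POOL_ID, "other")}
    print(check_token_claims(wrong_provider, cfg, now=now + 30))
    print(sts_exchange_request("<oidc-jwt>", cfg)["audience"])
    print(impersonation_request(SERVICE_ACCOUNT, 7200)[1]["lifetime"])
```

Run it directly to see the accept and reject cases. The two audience spellings are worth noting when filling in the dialog: the OIDC token's aud uses the https://iam.googleapis.com/ prefix, while the STS exchange's audience parameter uses the schemeless //iam.googleapis.com/ form; both name the same provider resource.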