Workload Identity Federation and Gmail SOAR Integration

Looking to reduce the amount of service account keys being used for services in SecOps. I see that the Gmail integration supports Workload Identity Federation with Domain Wide Delegated associated service accounts.

Has anyone got this setup successfully? If so, how are you going about securing that service account/conditions on the WIF pool?


Hi @samryanturner.  I've provided a link here related to using short-lived credentials with WIF.  If this is still not close to what you're looking for can you provide some more architectural details on how the scenario differs from the docs?  Thanks!

https://cloud.google.com/iam/docs/workforce-obtaining-short-lived-credentials

Hey, thanks.

This is for Workforce Identity Federation however. The docs state I should be able to use a Workload Identity Email address instead of a Service Account Key JSON file for the integration - https://cloud.google.com/chronicle/docs/soar/marketplace-integrations/gmail#integrate

I can set it up in my lab and get a better understanding of the integration. How would this minimize the use of service account keys though? You are still going to need one here.

WIF should remove the requirement for keys -

"Optional

The client email address of your workload identity.

You can configure this parameter or the Service Account JSON File Content parameter.

To impersonate service accounts with the workload identity email address, grant the Service Account Token Creator role to your service account. For more details about workload identities and how to work with them, see Identities for workloads."

https://cloud.google.com/chronicle/docs/soar/marketplace-integrations/gmail#integrate

WIF is normally for workloads authenticating from outside of GCP; documentation on setting up a pool for Workspace is non-existent from initial searches.
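One concrete way to answer the "how do you secure that service account" question from the thread is to audit the delegated service account's IAM policy and key inventory: the only principal holding Service Account Token Creator should be the workload identity the SOAR integration uses, nothing public should be bound, and no user-managed keys should remain once the JSON file parameter is retired. The check below is an added example, not code from the thread or from Google; the project, account and member names are constructed placeholders, and the two samples mimic the JSON shape of `gcloud iam service-accounts get-iam-policy ... --format=json` and `gcloud iam service-accounts keys list --managed-by=user --format=json`.

```python
import json

TOKEN_CREATOR = "roles/iam.serviceAccountTokenCreator"
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}

# Constructed sample shaped like the output of:
#   gcloud iam service-accounts get-iam-policy gmail-dwd-sa@example-project.iam.gserviceaccount.com --format=json
# All names below are placeholders, not real projects or principals.
SAMPLE_POLICY = json.loads("""
{
  "version": 1,
  "bindings": [
    {"role": "roles/iam.serviceAccountTokenCreator",
     "members": ["serviceAccount:soar-workload@example-project.iam.gserviceaccount.com"]},
    {"role": "roles/iam.serviceAccountTokenCreator",
     "members": ["group:all-engineers@example.com"]},
    {"role": "roles/iam.serviceAccountUser",
     "members": ["allAuthenticatedUsers"]}
  ]
}
""")

# Constructed sample shaped like the output of:
#   gcloud iam service-accounts keys list --iam-account=... --managed-by=user --format=json
SAMPLE_KEYS = json.loads("""
[{"name": "projects/example-project/serviceAccounts/gmail-dwd-sa@example-project.iam.gserviceaccount.com/keys/0123abcd",
  "keyType": "USER_MANAGED", "validAfterTime": "2024-01-01T00:00:00Z"}]
""")


def audit_sa(policy, user_keys, allowed_impersonators):
    """Return findings for a domain-wide-delegated SA that only the SOAR workload identity should impersonate."""
    findings = []
    for binding in policy.get("bindings", []):
        role, members = binding["role"], binding.get("members", [])
        public = PUBLIC_MEMBERS.intersection(members)
        if public:  # any public principal on a DWD account is a finding regardless of role
            findings.append(f"{role} granted to public principal(s): {sorted(public)}")
        if role == TOKEN_CREATOR:  # this role is what lets the workload identity mint tokens for the SA
            for member in members:
                if member not in allowed_impersonators:
                    findings.append(f"unexpected impersonator for {role}: {member}")
    for key in user_keys:  # leftover JSON keys defeat the point of moving to WIF
        if key.get("keyType") == "USER_MANAGED":
            findings.append(f"user-managed key still present: {key['name'].rsplit('/', 1)[-1]}")
    return findings
```

Run it against the real `gcloud` JSON for the delegated account; an empty list means only the expected workload identity can impersonate it and no keys are left to rotate.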