Instead of letting ADK agents use a service account to access resources, we can set up Gemini Enterprise so that it propagates the user’s identity to the agent. That helps prevent confused deputy attacks, but some assembly is required.
Google Cloud uses token-based authentication to secure its APIs. But there’s more than one way to obtain a token, and there are well over a dozen different types of tokens.
Maintaining break-glass access to Google Cloud can be a balancing act between reducing the risk of losing access and preventing emergency access users from becoming a security risk themselves.
Although Kubernetes resources are best managed using infrastructure-as-code (IaC), it’s sometimes useful to be able to interact with the cluster directly – whether that’s for diagnostics or other purposes. However, as with any other access, it’s best to grant such access only when needed and to let it auto-expire when it’s no longer required.
Some Google APIs don’t support service accounts. To use them in an unattended scenario, we have to use domain-wide delegation. That adds some complexity, but doesn’t require a service account key.
Managing access to Google Cloud resources at scale is difficult without groups. But passing group memberships from Entra ID to Google Cloud comes with its own set of challenges, and a better option is to use App roles.
With Privileged Access Manager in public preview now, there’s little reason to maintain an open-source project that largely provides the same capabilities. But that doesn’t mean JIT Access is going away – instead, the project is changing focus, and its name too.
When users sign in to an application that uses Google OAuth or OpenID Connect, they typically see a consent screen. But there’s more than one type of consent screen, and the type of consent screen that users end up seeing depends not only on the publisher, but also on the administrative controls applied on the consumer side.
Using workload identity federation, we can let Azure-hosted applications authenticate to Google Cloud using their managed identity. That also works for Azure App Services, but it requires a little extra work.
Microsoft might not be the premier source of information about Google Cloud, but their cloud security benchmark (MCSB) turns out to provide some sound advice.
Modern web applications typically use OAuth or OpenID Connect to authenticate users, but older intranet applications often still rely on Integrated Windows Authentication to deliver a single sign-on experience for users. When we migrate such an application to Google Cloud, we must be careful to choose the right load balancer, otherwise authentication might fail in subtle ways.
Using workload identity federation, we can let an AWS-hosted application authenticate to Google Cloud using its AWS credentials. That also works for Lambda functions.
By combining workload identity federation with a token broker, we can enable workloads and devices to authenticate to Google Cloud using all sorts of credentials, including X.509 client certificates.
Workload identity federation isn’t limited to authenticating workloads between cloud providers. There are many other scenarios where it can be useful to use workload identity federation instead of service account keys. Not all platforms or services support workload identity federation, but it’s not too difficult to change that.
Whenever we want to call a Google or Google Cloud API, we need an access token. But there’s more than one way to obtain an access token, and depending on which way we use, the resulting access token might behave a little differently. What kinds of access tokens are there, and how do they differ?