Authenticate GCP resources

This topic describes how to authenticate your GCP resource to Conjur so that it can retrieve secrets from Conjur.

To configure the authentication, see Configure the GCP Authenticator.

Supported Google Cloud services

  • Google Compute Engine

  • Google Cloud Function

Supported authentication strategies

The GCP Authenticator builds on Google Identity Platform authentication: it consumes an identity token that Google issues for the service account attached to the resource.

How it works

This section describes how an application running on GCP authenticates to Conjur Cloud to retrieve secrets.

  1. An application requests an identity token from the Google metadata server.

  2. The metadata server responds with a Google-signed JWT (JSON Web Token) that contains metadata about the Google Cloud service, including claims about the service's Google identity.

  3. The application sends an authentication request, carrying the JWT, to Conjur Cloud through the GCP Authenticator REST API.

  4. Conjur Cloud attempts to authenticate and authorize the request. If successful, Conjur Cloud sends a short-lived access token back to the application.

  5. The application can retrieve secrets stored in Conjur Cloud.
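The flow above written out as an added Python example; it is not code from the original page or from Conjur's own client libraries. It assumes the standard Google metadata-server identity endpoint, Conjur's documented GCP authenticator path `/authn-gcp/<account>/authenticate` with the audience form `conjur/<account>/<host-id>` (the base URL for a Conjur Cloud tenant is passed in by the caller), and placeholder names such as `myorg` and `host/myapp`; the two HTTP functions only succeed from inside a GCE VM or Cloud Function.

```python
import base64, json, time, urllib.parse, urllib.request

# Google's metadata server; reachable only from inside a GCE VM or Cloud Function.
METADATA_IDENTITY = ("http://metadata.google.internal/computeMetadata/v1/"
                     "instance/service-accounts/default/identity")

def conjur_audience(account, host_id):
    """Conjur's GCP authenticator expects the JWT audience to name the Conjur host
    (e.g. conjur/myorg/host/myapp), so a token minted for one host cannot be replayed as another."""
    return f"conjur/{account}/{host_id}"

def metadata_identity_url(account, host_id):
    # format=full makes Google include the instance claims Conjur checks (project_id, instance_name, ...).
    query = urllib.parse.urlencode({"audience": conjur_audience(account, host_id), "format": "full"})
    return f"{METADATA_IDENTITY}?{query}"

def fetch_identity_token(account, host_id):
    # Step 1: request the Google-signed JWT; the Metadata-Flavor header is mandatory.
    req = urllib.request.Request(metadata_identity_url(account, host_id), headers={"Metadata-Flavor": "Google"})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.read().decode()

def decode_jwt_claims(jwt):
    """Payload claims only, without signature verification: Conjur verifies the signature,
    the client merely inspects what it is about to send."""
    payload = jwt.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def token_usable(claims, account, host_id, now=None):
    # Client-side sanity check before step 3: token is for this Conjur host and not yet expired.
    now = time.time() if now is None else now
    return claims.get("aud") == conjur_audience(account, host_id) and claims.get("exp", 0) > now

def conjur_authenticate(conjur_url, account, jwt):
    # Step 3: POST the JWT to the GCP authenticator. Accept-Encoding: base64 returns the
    # short-lived access token already encoded for use in an Authorization header.
    req = urllib.request.Request(f"{conjur_url}/authn-gcp/{account}/authenticate",
                                 data=urllib.parse.urlencode({"jwt": jwt}).encode(), method="POST",
                                 headers={"Content-Type": "application/x-www-form-urlencoded",
                                          "Accept-Encoding": "base64"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode()

def make_unsigned_jwt(claims):
    # Constructed, unsigned token for exercising the client-side checks offline; Conjur would reject it.
    enc = lambda raw: base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return enc(b'{"alg":"none"}') + "." + enc(json.dumps(claims).encode()) + "."
```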

Google identity token

The Google Cloud service obtains an identity token from Google's metadata server. Access to the metadata service is provided by Google Cloud Platform for any application that is deployed on one of the Google Cloud services. The token is used to verify the identity of the Google Cloud service.


For Google Compute Engine, Google strongly recommends creating a user-managed service account to create a Compute Engine instance, rather than using the default service account. For details, see the Google Cloud documentation.