GCP Authenticator

This topic describes how to configure a Google Cloud Platform (GCP) Authenticator.


The GCP Authenticator is a secure method for applications running on the Google Cloud Platform to authenticate to Conjur using a unique identity token signed by Google.

A Conjur identity can be established at varying granularity, allowing for a collection of resources to be identified to Conjur as one, or for individual workloads to be uniquely identified.

Supported Google Cloud services

  • Google Compute Engine
  • Google Cloud Function

Supported authentication strategies

Based on Google Identity Platform authentication, the GCP Authenticator uses an identity token based on a service account provided by Google.

How it works

This section describes how an application running on GCP authenticates to Conjur to retrieve secrets.

  1. An application requests an identity token from the Google metadata server.

  2. The metadata server responds with a Google-signed JWT (JSON Web Token) that contains metadata about the Google Cloud service, including claims about the service's Google identity.

  3. The application sends an authentication request to Conjur, as well as the JWT, using the GCP Authenticator REST API.

  4. Conjur attempts to authenticate and authorize the request. If successful, Conjur sends a short-lived access token back to the application.

  5. The application can retrieve secrets stored in Conjur.

Obtain the Google identity token

The Google Cloud service obtains an identity token from Google's metadata server. Access to the metadata service is provided by Google Cloud Platform for any application that is deployed on one of the Google Cloud services. The token is used to verify the identity of the Google Cloud service.


For Google Compute Engine, Google strongly recommends creating a user-managed service account to create a Compute Engine instance, rather than using the default service account. For details, see the Google Cloud documentation.

Request the Google identity token

This section describes how to request an identity token for supported Google Cloud services.

Configure the GCP Authenticator

To communicate with and retrieve secrets from Conjur, the application running on the Google Cloud service needs to authenticate to Conjur and receive a Conjur access token.

This section describes how to configure the GCP Authenticator, and how to define applications to use the GCP Authenticator to authenticate to Conjur.

GCP Authenticator REST API

Once the GCP Authenticator is configured, you can send an authentication request from the Google Cloud service to Conjur using the GCP Authenticator REST API.

For more information, see the GCP Authenticator API.

Troubleshooting the GCP Authenticator

This section lists issues that may arise and recommended solutions: