# PUSH Pattern: GCP WIF
If your infrastructure is hosted on GCP, please adopt this solution. It uses Workload Identity Federation (WIF); Google's detailed documentation is at https://docs.cloud.google.com/iam/docs/workload-identity-federation-with-other-clouds.

## 1. Overview

When a partner's infrastructure is hosted on Google Cloud Platform (GCP), Klavi uses Workload Identity Federation (WIF) to securely deliver files to the partner's Cloud Storage (GCS) buckets. This process allows Klavi's AWS IAM role to "impersonate" a GCP service account. By establishing a trust relationship between AWS and GCP, data is transferred securely without managing or rotating static credentials on either side.

## 2. Partner (recipient/GCP) configuration guide

As the data recipient on GCP, you must configure your environment to trust Klavi's AWS identity.

### 2.1 Create a workload identity pool and provider

You need to create a pool to manage the identity relationship and a provider that specifies AWS as the identity source.

- Create a workload identity pool, e.g. `klavi-access-pool`.
- Add an AWS provider:
  - Provider ID: `klavi-aws-provider`
  - Issuer (URL): use the default AWS OIDC issuer
  - AWS account ID: Klavi's AWS account ID (see section 3.2)
  - Attribute mapping (so the calling identity can be matched precisely):
    - `google.subject = assertion.arn`
    - `attribute.aws_role = assertion.arn.contains('role/') ? assertion.arn.extract('role/{role_name}/') : assertion.arn`

With this mapping, a call made from an STS assumed-role session (`arn:aws:sts::ACCOUNT:assumed-role/ROLE/SESSION`) resolves `attribute.aws_role` to the bare role name, which is the value the impersonation binding in step 2.2 matches on.

### 2.2 Create and bind a GCP service account

- Create a service account, e.g. `klavi-data-ingestor@your-project.iam.gserviceaccount.com`.
- Grant bucket permissions: assign the Storage Object Creator role (`roles/storage.objectCreator`) to this service account on your destination GCS bucket.
- Allow impersonation: grant Klavi's AWS IAM role (as a principal of the pool created in 2.1) permission to impersonate this service account through the `roles/iam.workloadIdentityUser` role.

## 3. Information exchange checklist

The following technical parameters are required to establish the secure handshake.

### 3.1 From partner to Klavi

Please provide the following GCP resource identifiers to the Klavi integration team.

| Parameter | Description | Example |
|---|---|---|
| GCP project number | The numeric ID of your GCP project | `123456789012` |
| Workload pool ID | The ID of the WIF pool created in step 2.1 | `klavi-access-pool` |
| Provider ID | The ID of the AWS provider | `klavi-aws-provider` |
| GCP service account | The email of the service account Klavi will impersonate | `klavi@proj.iam.gserviceaccount.com` |
| GCS bucket name | The destination bucket for file delivery | `partner-data-inbound` |

### 3.2 From Klavi to partner

Klavi will provide these details so you can configure your WIF provider and IAM policies.

| Parameter | Description |
|---|---|
| Klavi AWS account ID | The AWS account from which requests will originate |
| Klavi IAM role ARN | The specific AWS role ARN that will request GCP tokens |

## 4. Klavi operational workflow

Once the configuration is complete, Klavi's automated pipeline performs the following steps:

1. Token exchange: Klavi exchanges its AWS credentials (a signed STS `GetCallerIdentity` request) for a temporary GCP federated token through the WIF provider.
2. Service account impersonation: the federated token is used to generate a short-lived access token for the partner's GCP service account.
3. Secure upload: Klavi uploads the files directly to your GCS bucket using the generated token.
4. Verification: a test file is uploaded to confirm the handshake is operational.

## 5. Security best practices

- Keyless auth: never request or store Klavi's IAM user keys or GCP service account JSON keys.
- Attribute conditions: we recommend adding a condition to your WIF provider that only allows the specific Klavi IAM role ARN, to prevent other AWS accounts or roles from attempting federation.
- Audit logging: enable Cloud Audit Logs (Data Access logs) for Cloud Storage on your bucket to monitor all file write activity by the federated identity.

## Support

For technical assistance during setup, please contact our support team at crie@klavi.ai.
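Steps 2.1 and 2.2 plus the attribute condition recommended in section 5, as one `gcloud` script. This is an added example, not Klavi's own tooling or a script from Google's documentation. It assumes the placeholder names from section 3, a hypothetical Klavi role ARN `arn:aws:iam::111111111111:role/KlaviDelivery` standing in for the value Klavi sends under 3.2, and that Klavi calls from an assumed-role session, so that the guide's attribute mapping yields the bare role name. With `DRY_RUN=1` (the default) the commands are printed instead of executed.

```shell
#!/bin/sh
# Partner-side WIF setup for Klavi PUSH delivery (added example, not Klavi's tooling).
# All identifiers below are placeholders; replace them with the values from section 3.
set -eu

GCP_PROJECT_ID="${GCP_PROJECT_ID:-your-project}"
GCP_PROJECT_NUMBER="${GCP_PROJECT_NUMBER:-123456789012}"
POOL_ID="${POOL_ID:-klavi-access-pool}"
PROVIDER_ID="${PROVIDER_ID:-klavi-aws-provider}"
SA_NAME="${SA_NAME:-klavi-data-ingestor}"
BUCKET="${BUCKET:-partner-data-inbound}"
# Hypothetical role ARN standing in for the one Klavi supplies (section 3.2).
KLAVI_ROLE_ARN="${KLAVI_ROLE_ARN:-arn:aws:iam::111111111111:role/KlaviDelivery}"
DRY_RUN="${DRY_RUN:-1}"

# --- pure string helpers (no cloud access needed) ---------------------------------
aws_account_from_arn() {
  case $1 in arn:aws:iam::*:role/*) ;; *) echo "not an IAM role ARN: $1" >&2; return 1;; esac
  rest=${1#arn:aws:iam::}
  printf '%s\n' "${rest%%:*}"
}
aws_role_name_from_arn() {
  case $1 in arn:aws:iam::*:role/*) ;; *) echo "not an IAM role ARN: $1" >&2; return 1;; esac
  printf '%s\n' "${1##*/}"          # last path segment; assumed-role ARNs drop the path
}
# Condition pinning the provider to Klavi's account and role (section 5). The guide's
# mapping turns assumed-role/ROLE/SESSION into ROLE, so we compare the bare role name.
attribute_condition() {
  printf "assertion.account == '%s' && attribute.aws_role == '%s'\n" "$1" "$2"
}
# IAM member that selects every identity in the pool whose mapped aws_role equals ROLE.
principal_set_member() {
  printf 'principalSet://iam.googleapis.com/projects/%s/locations/global/workloadIdentityPools/%s/attribute.aws_role/%s\n' "$1" "$2" "$3"
}
run() {
  if [ "$DRY_RUN" = 1 ]; then printf '+'; printf ' %s' "$@"; echo; else "$@"; fi
}

# --- the actual setup (2.1, 2.2) ---------------------------------------------------
configure_partner_side() {
  acct=$(aws_account_from_arn "$KLAVI_ROLE_ARN")
  role=$(aws_role_name_from_arn "$KLAVI_ROLE_ARN")
  cond=$(attribute_condition "$acct" "$role")
  sa_email="${SA_NAME}@${GCP_PROJECT_ID}.iam.gserviceaccount.com"
  member=$(principal_set_member "$GCP_PROJECT_NUMBER" "$POOL_ID" "$role")

  # 2.1: pool, then an AWS provider with the guide's attribute mapping and the condition
  run gcloud iam workload-identity-pools create "$POOL_ID" \
    --project="$GCP_PROJECT_ID" --location=global --display-name="Klavi access pool"
  run gcloud iam workload-identity-pools providers create-aws "$PROVIDER_ID" \
    --project="$GCP_PROJECT_ID" --location=global --workload-identity-pool="$POOL_ID" \
    --account-id="$acct" \
    --attribute-mapping="google.subject=assertion.arn,attribute.aws_role=assertion.arn.contains('role/') ? assertion.arn.extract('role/{role_name}/') : assertion.arn" \
    --attribute-condition="$cond"

  # 2.2: service account, write-only bucket role, impersonation binding for the pool principal
  run gcloud iam service-accounts create "$SA_NAME" \
    --project="$GCP_PROJECT_ID" --display-name="Klavi data ingestor"
  run gcloud storage buckets add-iam-policy-binding "gs://$BUCKET" \
    --member="serviceAccount:$sa_email" --role=roles/storage.objectCreator
  run gcloud iam service-accounts add-iam-policy-binding "$sa_email" \
    --project="$GCP_PROJECT_ID" --member="$member" --role=roles/iam.workloadIdentityUser
}

configure_partner_side
```

Run it once with `DRY_RUN=1` to review the exact commands, then with `DRY_RUN=0 KLAVI_ROLE_ARN=<value from 3.2>` against the real project. `roles/storage.objectCreator` deliberately grants only object creation, not read or delete, so a compromised Klavi-side role could not exfiltrate or wipe earlier deliveries.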
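The caller side of the workflow in section 4, shown from the partner's point of view so the handshake can be verified end to end. This is an added example, not Klavi's pipeline code. It writes the `external_account` credential file that google-auth libraries and `gcloud` consume: `token_url` is step 1 (the signed AWS `GetCallerIdentity` request is exchanged at Google's STS for a federated token), `service_account_impersonation_url` is step 2, and the final `gcloud storage cp` is steps 3 and 4. The pool, provider, service account and bucket names are the placeholders from sections 2 and 3.

```shell
#!/bin/sh
# Caller-side WIF credential configuration and verification upload (added example,
# not Klavi's code). The upload must run from the AWS side, on an instance or task
# whose role is the one bound in step 2.2; the file generation runs anywhere.
set -eu

GCP_PROJECT_NUMBER="${GCP_PROJECT_NUMBER:-123456789012}"
POOL_ID="${POOL_ID:-klavi-access-pool}"
PROVIDER_ID="${PROVIDER_ID:-klavi-aws-provider}"
SA_EMAIL="${SA_EMAIL:-klavi-data-ingestor@your-project.iam.gserviceaccount.com}"
BUCKET="${BUCKET:-partner-data-inbound}"

# The audience is the provider's full resource name; Google's STS rejects an exchange
# whose audience does not name the provider the AWS credential is presented to.
wif_audience() {
  printf '//iam.googleapis.com/projects/%s/locations/global/workloadIdentityPools/%s/providers/%s\n' "$1" "$2" "$3"
}

# Equivalent to: gcloud iam workload-identity-pools create-cred-config <audience> \
#   --service-account=$SA_EMAIL --aws --enable-imdsv2 --output-file=<file>
# Written by hand here so the fields of the exchange are visible.
write_cred_config() {
  out=$1
  audience=$(wif_audience "$GCP_PROJECT_NUMBER" "$POOL_ID" "$PROVIDER_ID")
  cat > "$out" <<EOF
{
  "type": "external_account",
  "audience": "$audience",
  "subject_token_type": "urn:ietf:params:aws:token-type:aws4_request",
  "service_account_impersonation_url": "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/${SA_EMAIL}:generateAccessToken",
  "token_url": "https://sts.googleapis.com/v1/token",
  "credential_source": {
    "environment_id": "aws1",
    "region_url": "http://169.254.169.254/latest/meta-data/placement/availability-zone",
    "url": "http://169.254.169.254/latest/meta-data/iam/security-credentials",
    "imdsv2_session_token_url": "http://169.254.169.254/latest/api/token",
    "regional_cred_verification_url": "https://sts.{region}.amazonaws.com?Action=GetCallerIdentity&Version=2011-06-15"
  }
}
EOF
  chmod 600 "$out"   # contains no secret, but keeps the audience/SA pairing from casual edits
}

# Steps 1-4 of section 4 driven by gcloud: the credential file makes gcloud perform the
# STS exchange and the impersonation call transparently before the upload.
verify_handshake() {
  cfg=${1:-klavi-wif.json}
  write_cred_config "$cfg"
  gcloud auth login --cred-file="$cfg"
  printf 'wif handshake test %s\n' "$(date -u +%FT%TZ)" > handshake-test.txt
  gcloud storage cp handshake-test.txt "gs://$BUCKET/handshake-test.txt"
}

# Not invoked automatically: only meaningful from the bound AWS role.
# Usage: . ./this-script.sh && verify_handshake
```

After a successful upload, check the bucket's Data Access audit log entry: the `principalEmail` is the service account, and the delegation info names the federated AWS principal, which is the record section 5 asks you to monitor.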