Workload Identity Federation
Status: Final
Workload Identity Federation (WIF) allows external workloads — CI/CD pipelines, Kubernetes pods, AWS roles — to access GCP resources without service account key files. Instead, the workload presents an OIDC or SAML token from its own platform, which GCP exchanges for a short-lived GCP access token.
How It Works
External workload (GitHub Actions / AWS EC2 / K8s pod)
│
│── Present OIDC token from external IdP (GitHub OIDC / AWS STS)
▼
GCP Security Token Service (STS)
│── Validate token against Workload Identity Pool configuration
│── Map to a Service Account
▼
Short-lived GCP access token (1h)
│
▼
GCP API access
Attack Surface
| Scenario | Attack |
|---|---|
| Overly permissive subject attribute mapping | Any identity from the trusted IdP can assume the SA |
| Compromised GitHub Actions runner | OIDC token stolen → GCP access |
| AWS role compromise | Role bound to WIF → GCP lateral movement |
| Missing aud claim validation | Tokens for other services accepted |
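The two configuration rows above (permissive attribute mapping, missing aud validation) are easiest to see by modelling the STS exchange and the service-account binding check side by side. The following is an added example, not GCP's or GitHub's own code: the GitHub Actions OIDC claim names (iss, aud, sub, repository, ref), the google.subject / attribute.* mapping targets and the principal:// and principalSet:// binding syntax are real, but the validation logic is a simplified model written here, the CEL attribute condition GCP accepts is stood in for by a Python callable, and the project number, pool, provider and repository names are placeholders. A weak provider (no audience check, no condition, SA trusting the whole pool) is evaluated next to a hardened one.

```python
"""Model of the STS token-exchange and SA-impersonation checks in the flow above.

Added example, not GCP's or GitHub's code. Claim names, google.subject /
attribute.* targets and principal:// / principalSet:// syntax are real; the
validation logic is a simplified model and the CEL attribute condition is
replaced by a Python callable. Project number, pool, provider and repository
names are placeholders.
"""
from dataclasses import dataclass
from typing import Callable, Optional

GITHUB_ISSUER = "https://token.actions.githubusercontent.com"
POOL = "projects/000000000000/locations/global/workloadIdentityPools/github-pool"  # placeholder
EXPECTED_AUD = f"https://iam.googleapis.com/{POOL}/providers/github"  # placeholder provider name
NOW = 1_700_000_000  # fixed clock so the example is deterministic


@dataclass
class Provider:
    issuer: str
    allowed_audiences: list                 # empty list models "aud is not validated"
    attribute_mapping: dict                 # google.* / attribute.* target -> assertion claim name
    attribute_condition: Optional[Callable[[dict], bool]] = None


def github_token(repo: str, ref: str, aud: str = EXPECTED_AUD) -> dict:
    """Constructed GitHub Actions OIDC claims; signature verification is assumed already done."""
    return {"iss": GITHUB_ISSUER, "aud": aud, "sub": f"repo:{repo}:ref:{ref}",
            "repository": repo, "ref": ref, "exp": NOW + 300}


def exchange(provider: Provider, claims: dict, now: float = NOW) -> dict:
    """Model of the STS step: validate the assertion against the pool/provider config
    and map it to a pool principal. Returns {"ok": False, "reason": ...} on rejection."""
    if claims.get("iss") != provider.issuer:
        return {"ok": False, "reason": "issuer mismatch"}
    if claims.get("exp", 0) <= now:
        return {"ok": False, "reason": "token expired"}
    if provider.allowed_audiences and claims.get("aud") not in provider.allowed_audiences:
        return {"ok": False, "reason": "audience not allowed"}
    attrs = {target: claims.get(claim) for target, claim in provider.attribute_mapping.items()}
    if not attrs.get("google.subject"):
        return {"ok": False, "reason": "google.subject mapping produced no value"}
    if provider.attribute_condition is not None and not provider.attribute_condition(claims):
        return {"ok": False, "reason": "attribute condition not satisfied"}
    return {"ok": True, "attributes": attrs,
            "principal": f"principal://iam.googleapis.com/{POOL}/subject/{attrs['google.subject']}"}


def may_impersonate(result: dict, sa_bindings: list) -> bool:
    """Model of the IAM check on the service account's workloadIdentityUser bindings."""
    if not result["ok"]:
        return False
    prefix = f"principalSet://iam.googleapis.com/{POOL}/"
    for binding in sa_bindings:
        if binding == result["principal"]:
            return True
        if not binding.startswith(prefix):
            continue
        selector = binding[len(prefix):]
        if selector == "*":                                  # every identity in the pool
            return True
        if selector.startswith("attribute."):
            name, _, value = selector[len("attribute."):].partition("/")
            if result["attributes"].get(f"attribute.{name}") == value:
                return True
    return False


def evaluate(provider: Provider, sa_bindings: list, claims: dict) -> tuple:
    """Run both steps; returns (exchange_ok, rejection_reason, sa_impersonation_allowed)."""
    result = exchange(provider, claims)
    return result["ok"], result.get("reason"), may_impersonate(result, sa_bindings)


MAPPING = {"google.subject": "sub", "attribute.repository": "repository", "attribute.ref": "ref"}

# Weak configuration: no audience check, no attribute condition, and the SA trusts the
# whole pool, so any repository on the trusted IdP maps to the SA.
WEAK_PROVIDER = Provider(GITHUB_ISSUER, [], MAPPING, None)
WEAK_BINDINGS = [f"principalSet://iam.googleapis.com/{POOL}/*"]

# Hardened configuration: audience pinned to this provider, condition restricts org and
# branch, and the SA binding names one repository explicitly.
HARDENED_PROVIDER = Provider(
    GITHUB_ISSUER, [EXPECTED_AUD], MAPPING,
    lambda c: c.get("repository", "").startswith("example-org/") and c.get("ref") == "refs/heads/main",
)
HARDENED_BINDINGS = [f"principalSet://iam.googleapis.com/{POOL}/attribute.repository/example-org/deploy"]


if __name__ == "__main__":
    cases = [("foreign repo", github_token("someone-else/repo", "refs/heads/main")),
             ("wrong audience", github_token("example-org/deploy", "refs/heads/main", aud="https://example.invalid")),
             ("feature branch", github_token("example-org/deploy", "refs/heads/feature")),
             ("intended repo", github_token("example-org/deploy", "refs/heads/main"))]
    for label, token in cases:
        print(f"{label:15} weak={evaluate(WEAK_PROVIDER, WEAK_BINDINGS, token)} "
              f"hardened={evaluate(HARDENED_PROVIDER, HARDENED_BINDINGS, token)}")
```

Running the module prints, for each constructed token, whether the weak and hardened configurations would have issued a GCP credential. Two points the model makes explicit: the attribute condition is enforced at exchange time, so a rejected assertion never reaches IAM, and the SA binding is a second, independent gate, so an assertion that passes the condition (any repository under example-org/) still fails impersonation unless the binding's attribute selector matches it.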
Workforce Identity Federation
Separate from workload identity — Workforce Identity Federation federates human user identities from external IdPs (Okta, Entra ID) to Google Cloud console and APIs, without requiring Google accounts.
Attack surface mirrors standard SAML/OIDC federation: IdP compromise → forge tokens for any workforce identity.
Cross-Links
| Topic | Link |
|---|---|
| GCP IAM | gcp-iam |
| OIDC | oidc |
| Kubernetes Identity | k8s-service-accounts |