Configure GCP connection using Workload Identity Federation – Azure Identity Provider authentication

This topic provides step-by-step instructions to set up a GCP Cloud Provider using Azure AD as the external identity provider through Workload Identity Federation (WIF). This method allows secure, token-based access without long-lived credentials.

Differences from Workload Identity Federation - Built-In Identity Provider

Unlike the built-in Workload Identity Federation procedure, this guide uses Azure Active Directory as the issuer instead of CyberArk Certificate Manager - SaaS.

Some steps differ:

  • The Issuer URI comes from Azure AD, not CyberArk Certificate Manager - SaaS.
  • Attribute mapping is based on Azure claims (appid).
  • Service account binding uses the standard roles/iam.workloadIdentityUser role instead of a custom role.

Step 1: Register an application in Azure AD

Performed in Azure Portal

  1. In the Azure Portal, go to All Services > App registrations.
  2. Click New registration.
  3. Name your app (e.g., azure-gcp-wif) and choose the appropriate account type.
  4. Click Register.
  5. Copy and save the following values:
    • Application (client) ID
    • Directory (tenant) ID

Expose the application

  1. In your app, go to Manage > Expose an API.
  2. Add an Application ID URI (e.g., api://<client-id>).
  3. Click Save.

Step 2: Create a client secret

Performed in Azure Portal

  1. In your app, go to Certificates & secrets.
  2. Click New client secret, provide a description, and select an expiration.
  3. Copy and save the secret value.

Step 3: Enable Google APIs

Performed in GCP

  1. In the GCP console, go to APIs & services > Library.
  2. Enable the following APIs:
    • IAM API
    • Cloud Resource Manager API
    • Certificate Manager API

Step 4: Create a Google service account

Performed in GCP

Use the Workload Identity Federation - Azure Identity Provider authentication permissions when setting up a service account.

  1. Follow the steps at Create service accounts.
  2. Copy and save the service account email for later use.

Step 5: Create a custom role for certificate provisioning

Performed in GCP

Use this permissions.yaml file:

 title: TLSPC Integration
 description: Permissions granted to TLSPC
 stage: GA
 includedPermissions:
   - certificatemanager.certs.create
   - certificatemanager.certs.get
   - certificatemanager.certs.list
   - certificatemanager.certs.update
   - certificatemanager.locations.list
   - certificatemanager.operations.get
   - resourcemanager.projects.get

Run:

gcloud iam roles create <tlspcIntegrationRole> --project=<PROJECT-ID> --file=permissions.yaml

Step 6: Create a workload identity pool

Performed in GCP

gcloud iam workload-identity-pools create "azure-pool" \
  --project="$GCP_PROJECT_ID" \
  --location="global" \
  --display-name="Azure Identity Pool"

Save the pool ID (e.g., azure-pool).

Step 7: Add an OIDC provider to the workload identity pool

Performed in GCP

gcloud iam workload-identity-pools providers create-oidc "azure-provider" \
  --project="$GCP_PROJECT_ID" \
  --location="global" \
  --workload-identity-pool="azure-pool" \
  --display-name="Azure OIDC Provider" \
  --issuer-uri="https://sts.windows.net/$AZURE_TENANT_ID" \
  --allowed-audiences="api://$AZURE_APP_CLIENT_ID" \
  --attribute-mapping="google.subject=assertion.appid,attribute.subject=assertion.appid"

Note

  • Use the same Workload Identity Pool ID from Step 6.
  • Replace $AZURE_TENANT_ID and $AZURE_APP_CLIENT_ID with values from your Azure AD app registration.
  • allowed-audiences should match either the Azure Client ID or the Application ID URI defined in the Expose the application step.
  • You can customize the provider ID (e.g., azure-provider) but record it for later use when creating the Cloud Provider in CyberArk Certificate Manager - SaaS.

Save the provider ID (e.g., azure-provider).

Step 8: Bind the service account to the workload identity pool

Performed in GCP

gcloud iam service-accounts add-iam-policy-binding "<your_service_account>" \
  --role="roles/iam.workloadIdentityUser" \
  --member="principalSet://iam.googleapis.com/projects/<PROJECT_NUMBER>/locations/global/workloadIdentityPools/azure-pool/attribute.subject/<AZURE_APP_CLIENT_ID>"

Note

Ensure <AZURE_APP_CLIENT_ID> matches the allowed-audiences value you set in Step 7.
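As an added pre-flight check (not part of this guide or the CyberArk product), the following Python models the checks GCP's OIDC provider applies from Step 7 to the claims of an Azure AD token and derives the principalSet member that Step 8 binds. It also flags the Azure v2.0 token format, which the page's issuer URI and assertion.appid mapping do not accept. The tenant, client and project values are constructed placeholders, and the sample token is unsigned and constructed for illustration.

```python
import base64
import json
# Values from Steps 6-8: constructed placeholders, not real tenant/app/project IDs
AZURE_TENANT_ID = "00000000-0000-0000-0000-00000000aaaa"
AZURE_APP_CLIENT_ID = "11111111-1111-1111-1111-11111111bbbb"
PROJECT_NUMBER = "123456789012"
POOL_ID = "azure-pool"
ISSUER_URI = f"https://sts.windows.net/{AZURE_TENANT_ID}"          # Step 7 --issuer-uri
ALLOWED_AUDIENCES = {AZURE_APP_CLIENT_ID, f"api://{AZURE_APP_CLIENT_ID}"}  # Step 7 --allowed-audiences

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_sample_token(claims: dict) -> str:
    """Constructed, unsigned JWT standing in for an Azure AD access token."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}."

def decode_claims(jwt: str) -> dict:
    """Read the payload without verifying the signature: GCP verifies that against
    the issuer's JWKS; this pre-flight only inspects the claim values."""
    payload = jwt.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def check_provider_match(claims: dict) -> list:
    """Apply the Step 7 provider settings to a token's claims; empty list means OK."""
    problems = []
    # Azure AD v1.0 tokens carry a trailing slash on iss; compare without it.
    if str(claims.get("iss", "")).rstrip("/") != ISSUER_URI:
        problems.append(f"iss {claims.get('iss')!r} does not match --issuer-uri")
    if claims.get("aud") not in ALLOWED_AUDIENCES:
        problems.append(f"aud {claims.get('aud')!r} is not in --allowed-audiences")
    if "appid" not in claims:  # v2.0 tokens carry 'azp' instead, so the mapping yields nothing
        problems.append("no appid claim: attribute mapping assertion.appid has no value")
    return problems

def expected_member(claims: dict) -> str:
    """The principalSet member Step 8 must bind (attribute.subject = assertion.appid)."""
    return (f"principalSet://iam.googleapis.com/projects/{PROJECT_NUMBER}"
            f"/locations/global/workloadIdentityPools/{POOL_ID}"
            f"/attribute.subject/{claims['appid']}")

if __name__ == "__main__":
    token = make_sample_token({"iss": ISSUER_URI + "/", "appid": AZURE_APP_CLIENT_ID,
                               "aud": f"api://{AZURE_APP_CLIENT_ID}"})
    claims = decode_claims(token)
    print(check_provider_match(claims) or "token matches the Step 7 provider settings")
    print("Step 8 member:", expected_member(claims))
```

To use it against a real token, paste the access token your Azure app obtains into decode_claims in place of the constructed sample; an empty problem list means Steps 7 and 8 agree with what Azure actually issues.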

Step 9: Create a Cloud Provider in CyberArk Certificate Manager - SaaS

Performed in CyberArk Certificate Manager - SaaS

  1. Sign in to Venafi Control Plane.
  2. Click Integrations > Cloud Providers.
  3. Click New and select Google.
  4. Enter a Name for the new cloud provider.
  5. Enter your Google Service Account Email (from Step 4).
  6. Select Workload Identity Federation – Azure Identity Provider.
  7. Fill in the required fields with the exact values:

    • Project number (from GCP dashboard)
    • Workload identity pool ID (from Step 6)
    • Workload identity pool provider ID (from Step 7)
    • Application (client) ID (from Azure AD app registration)
    • Directory (tenant) ID (from Azure AD app registration)
    • Client secret (from Step 2)
  8. Click Continue.

  9. Select an Owning Team. See create a new team if needed.

    Note

    • Owning Team - The Owning Team is responsible for the administration, management, and control of a designated cloud provider, with the authority to update, modify, and delete cloud provider resources.
  • Authorized Team - The Authorized Team is granted permission to use specific resources of a cloud provider. Although team members can perform tasks like creating a keystore, their permissions may be limited regarding broader modifications to the provider's configuration. Unlike the Owning Team, users may not have the authority to update and delete Cloud Providers.
  10. Select an Authorized Team.

  11. Click Create.

Step 10: Validate and test the connection

Performed in CyberArk Certificate Manager - SaaS

  1. Click Integrations > Cloud Providers.
  2. Find the new cloud provider created in Step 9.
  3. Click the more options button and select Validate.

Note

A yellow warning icon indicates the provider has not been validated. It disappears after a successful validation.

If validation fails, review your Azure and GCP settings and try again.

Step 11: Add a Cloud Keystore

Performed in CyberArk Certificate Manager - SaaS

  1. Sign in to Venafi Control Plane.
  2. Click Installations > Cloud Keystores.
  3. Click New and select Google.
  4. Enter a Name for the new cloud keystore.
  5. Select an Owning Team. If you need to create a new team, see create a new team.
  6. Select an Authorized Team.

    Note

    • Owning Team - The Owning Team is responsible for the administration, management, and control of a designated cloud provider, with the authority to update, modify, and delete cloud provider resources.
    • Authorized Team - The Authorized Team is granted permission to use specific resources of a cloud provider. Although team members can perform tasks like creating a keystore, their permissions may be limited regarding broader modifications to the provider's configuration. Unlike the Owning Team, users may not have the authority to update and delete Cloud Providers.
  7. Select a GCP Cloud Provider.

  8. Enter a Project Name.
  9. Enter a GCM Region.
  10. (Optional) To begin discovering certificates on the keystore as soon as it is created, turn on the "Start discovery immediately" and "Include expired certificates" toggles. After creating the keystore, see Set up GCP Discovery Schedule to create your schedule.
  11. Click Save. At this point you should see your saved new cloud keystore in the Cloud Keystore list.

Step 12: Provision a certificate

Performed in CyberArk Certificate Manager - SaaS

  1. Click the more options button to the right of the new cloud keystore you just created and select Provision.

    Tip

    Here you also have the option to delete certificates if needed.

  2. From the dropdown, search for the certificate you want, select it, and click Provision. This creates a new certificate (new installation on the keystore).

  3. (Optional) Here, you also can re-provision, replace, or delete a certificate. These options modify an existing machine installation.

    • Select your Cloud Keystore, and a details panel will appear on the right.
    • Click on the ellipsis button to the right of your certificate.
    • Choose the appropriate action: Re-provision, Replace, or Delete, and proceed through the user interface steps until the process is complete.

    Info

    • Re-provision - This action re-provisions your current certificate.
    • Replace - Choose this option to substitute your current certificate with a different one.
    • Delete - This action removes the selected certificate from the table.

    Note

    If using Google Cloud Platform, go to your Google service account, under Certificate Manager, and select Certificates. Click the Refresh button. You should now see your certificate in the list with an active status.

At this point you have successfully connected Certificate Manager - SaaS to your cloud provider and successfully provisioned a certificate.

Set up GCP Discovery Schedule

  1. In the CyberArk Certificate Manager - SaaS toolbar, click Installations and select Cloud Keystores.
  2. Select the Cloud Keystore name you want to perform a discovery on.
  3. From the right pane, select Discovery configuration and enable:
    • Enable scheduled discovery
    • Include expired certificates
  4. Under Repeat, select Daily, Weekly, or Advanced, then choose a time.
  5. Click Save.