Google Cloud Platform - Workforce Identity Federation

This guide explains what capabilities StrongDM can provide for managing access to the Google Cloud Platform (GCP) Cloud Console via Workforce Identity Federation (WIF). It also provides setup and configuration instructions to add GCP as a resource in StrongDM and begin using StrongDM to control access for users who wish to access your GCP console via the web browser or through a CLI application such as gcloud. StrongDM users are authenticated with GCP through SAML and granted the level of access that you configure on the GCP side.

In addition to access control and auditing, GCP access through StrongDM can be a part of a variety of use cases and access control methodologies:

• Least Privilege: For the two GCP resource types that are powered by WIF, GCP Web Console (Workforce Identity Federation) and GCP CLI/SDK (Workforce Identity Federation), least privilege can be accomplished by setting up multiple instances of the console as StrongDM resources. Each resource can be tagged with a particular tag that, during the SAML authentication process, lets GCP know what access to grant that user. For more details, see the Configuration section of this guide.
• Just-in-Time Access: StrongDM users are able to use any access workflows you set up to request access to GCP, allowing you the choice between granting Just-in-Time (JIT) access with requests, or providing standing access to particular users or roles within your StrongDM organization. For more details, see the Access Workflows section.
  To avoid confusion during access requests, if there are multiple GCP cloud resources in StrongDM, it may be useful to name them in such a way that indicates the level of access, so that users know the name of the resource to request.
• Context-Based Policy: StrongDM policies that restrict or enable users’ ability to connect to GCP resources based on their context can be used to limit availability of your GCP console to users in particular geographic locations or with good device trust scores. Policies can also be used to provide an MFA challenge prior to connection, and help solve for many more use cases. For more details, see the Policies section.

Limitations #

• The GCP drivers do nothing to limit privilege escalation within the platform. It is the responsibility of the resource creator to verify that the roles and permissions that are being assigned during IAM setup are the desired ones.
• Like other web browser console resource types, the logging for “GCP Web Console (Workforce Identity Federation)” resources in StrongDM does not continue beyond authentication when the user is using the web interface of the GCP console. The logs provided by GCP should be used to audit user actions performed while using the GCP console.

GCP Cloud Properties #

• GCP supports the gcloud command-line tool.

Prerequisites #

• In StrongDM, you must have the Admin permission level.
• You must have sufficient privileges in Google Cloud Console to create and manage Workforce Identity pools and providers, and to grant IAM access to new principals.

Configuration #

GCP setup #

1. Prior to GCP setup, in the StrongDM Admin UI, go to Settings > Credential Management > Certificate Authorities tab. Open your StrongDM SAML Certificate Authority and select Download SAML IDP Metadata, which downloads an XML file containing the keys you need when setting up your provider in a later step.
2. You need a Workforce Identity pool in Google Cloud to proceed. Go to the Google Cloud Console, and at the organization level, select the IAM and Admin section, and then select Workforce Identity Federation. If you do not already have a pool you intend to use, create a new Workforce Identity pool by selecting Create Pool.
   For more detail on the steps taken within the Google Cloud Console to set up Workforce Identity Federation, see Google’s Workforce Identity Federation documentation.
   Pool names are global to GCP, so you need a unique name for each pool.
3. Select your pool in the list and then select Add Provider. Provider names are only unique within their pool. Add a description if you wish, and upload the XML file you downloaded from StrongDM here.
4. Next you are asked to configure provider mapping. Map the SAML assertions sent from StrongDM to attributes in GCP. The three attributes that need to be mapped are as follows:
   • google.subject maps to assertion.subject, where the subject is the user’s email in StrongDM by default, or their Identity Alias if your resource is using Identity Aliases. This is the identifier that is attributed in GCP logs for the user’s actions while in the console.
   • google.display_name maps to assertion.attributes.display_name[0], where the display_name is the display name of the user in StrongDM, in the format “Firstname Lastname”.
   • The third attribute that can be mapped is optional, and is a tag and value that is passed in from your StrongDM resource configuration. You can create multiple resources within StrongDM that all represent different levels of access to the same GCP cloud. In order to determine what level of access to give to users connecting through your configured provider, tag the resource that is being used in StrongDM, and then map that tag to an attribute in GCP. Lastly, use that attribute to determine access level for users of that resource. The Example Scenario covers this in more detail. This attribute is in the format attribute.<VALUE> and maps to assertion.attributes.sdm_resource_tag_<TAG>[0], where <TAG> is the name of the tag you are tagging resources with in StrongDM. You may name the attribute in GCP anything you wish. Naming it identically to the tag is one way to keep the correlation clear but is not required. When you are done, save the provider.
     The array notation [0] in these assertions is required, and the attribute mapping does not function correctly without it.
5. Click on the details of your Workforce Identity pool and copy the value of IAM Principal from your pool details before you continue.
6. Select IAM in the sidebar, and then click Grant Access. This is where you grant access to users connecting via your StrongDM resource and being mapped to your provider.
7. In the New Principals field, paste the IAM Principal value you just copied from your pool. If you are not granting different levels of access based on a tag, this line looks similar to this format: principalSet://iam.googleapis.com/locations/global/workforcePools/exampleco-test-pool/*. That is all that is required for this step. If, however, you wish to use multiple resources in StrongDM for this GCP console, each with a differing level of access provided, you should modify this line to include the third attribute that you mapped in step 4. At the end of that value, instead of the * after your pool name, type the <TAG> that you intend to use for this mapping followed by the value that you are setting up access for right now, such as /attribute.gcp_role/admin. See the Example Scenario for more details.
8. Now you can search within the Select a role field and find the level of access you wish to map to this StrongDM resource and save the principal. These steps can be repeated any number of times desired to add multiple principals to an individual grant.

Admin UI setup #

To set up GCP as a cloud resource in the StrongDM Admin UI, go to Resources > Clouds in the Admin UI and click the Add cloud button.

Set the following properties:

Example Scenario #

The organization ExampleCo wishes to provide three levels of access to their GCP Web Console. The names they have chosen for these levels of access are auditor, developer, and admin. They would also like to provide their developers access to the GCP console via the gcloud CLI.

In StrongDM, ExampleCo has three different “GCP Web Console (Workforce Identity Federation)” resources created, all with identical configuration information except for their tags. ExampleCo has chosen to use the tag gcp_role to indicate what level of access the users of this resource should have within GCP. When mapping SAML assertions to GCP attributes, their third attribute is attribute.gcp_role, mapped to assertion.attributes.sdm_resource_tag_gcp_role[0]. Their GCP resources in StrongDM are tagged with gcp_role=admin, gcp_role=developer, and gcp_role=auditor respectively. They also have one GCP (Workforce Identity Federation) resource created and tagged with gcp_role=developer to provide developers with gcloud CLI access as well.

In the GCP Web Console, under IAM > Grant Access, they have three corresponding principals. The string used for each principal is in the format of principalSet://iam.googleapis.com/locations/global/workforcePools/<POOL_ID>/<TAG>/<TAG_VALUE>. The three principals that ExampleCo needs are:

• principalSet://iam.googleapis.com/locations/global/workforcePools/exampleco-test-pool/attribute.gcp_role/admin
• principalSet://iam.googleapis.com/locations/global/workforcePools/exampleco-test-pool/attribute.gcp_role/developer
• principalSet://iam.googleapis.com/locations/global/workforcePools/exampleco-test-pool/attribute.gcp_role/auditor

When a user is granted access in StrongDM to a resource, the tag on that resource dictates which principal that user is mapped to, and thus, what access they have while interacting with the GCP Web Console.

In addition to granting access to all of the principals within a pool, or, as in this scenario, all of the principals within the pool that have a particular matching attribute, you may also grant access to particular principals based on their google.subject. You can review the Google Cloud documentation on Principal Identifiers for more details.

Logs #

For logs of access to a GCP CLI/SDK resource, in the Cloud logs section of the Admin UI (Logs > Cloud), you can find all of the activities of users connected through StrongDM. Note that StrongDM makes an attempt to drop the Authorization header of logs for display in the Admin UI. Note that any secrets displayed in the cloud logs are placeholder values. No actual keys or secrets are ever exposed in plaintext in the Admin UI.

For GCP Web Console resources, access is logged, but further activities on the Web Console are not logged by StrongDM. Consult your GCP logs for further information on user activity.

GCP Web Console Usage #

In order for your organization’s users to access the GCP Web Console resource via StrongDM, users need to install the following:

• StrongDM Desktop application

Once the user has clicked to connect to the resource in the desktop app, or once the user has run sdm connect <RESOURCE> in the CLI, they can then open the GCP Web Console by clicking the button in the desktop app or manually opening the resource’s *.sdm.network URL in a web browser. If you are not using the desktop app, you can obtain this URL by running sdm status at the command line while logged in to StrongDM. The GCP Web Console entries have a URL in their results row.

GCP CLI/SDK Usage #

When the resource is created and configured, you are ready for users to connect to the resource. In order for your organization’s users to access the GCP cloud resource via StrongDM, users need to install the following:

• The StrongDM Desktop application
• The latest version of the StrongDM CLI. If the CLI is already installed, you can run sdm update in the CLI to update it. Alternatively, if any updates are available, you can open the desktop app and click the Upgrade button.
• The gcloud command-line tool

After installation, users must exit and restart the desktop app, and then select the GCP cloud resource to connect to.

Click to connect to the resource in the desktop app, or run sdm connect <RESOURCE> in the CLI. Once connected, users can use gcloud through StrongDM at their terminal, with the base syntax of sdm gcp or sdm gcloud instead of the usual gcloud.

You can use sdm gcp --help (or sdm gcloud --help) to view example usage and command options:

NAME:
   sdm gcp - gcp commands

USAGE:
   sdm gcp command [command options] [arguments...]

COMMANDS:
   cli  Execute a gcloud CLI command against a GCP resource.
   env  Print environment variables required to access a GCP resource.
   run  Execute an external command with environment variables configured to access a GCP resource.

OPTIONS:
   --name value     The name of the GCP resource to access. By default if there is only one connected GCP resource, that resource is used. [$SDM_GCP_NAME]
   --project value  The ID of the GCP project to access for project commands. By default, the project configured in the GCP resource is used. (default: "strongdm") [$SDM_GCP_PROJECT]
   --help, -h       show help

gcp cli #

The gcp cli command is followed by a gcloud CLI command that you wish to run against your connected GCP resource. For more information about gcloud CLI commands, see the Google Cloud CLI documentation.

gcp env #

The gcp env command outputs the environment variables that are required in order to access a GCP resource. This output is a similar format of the output of the standard env command, but only contains the relevant environment variables for connecting to GCP.

gcp run #

The gcp run command is followed by a command that you wish to run against the connected resource, which is sent along with the necessary environment variables. An example of a use for gcp run would be if you have a pre-existing script for managing GCP resources that uses gcloud commands. Instead of altering the script to work with StrongDM, you could use gcp run shellscript.sh and run the script.

–name #

If your organization has multiple GCP cloud resources, and you are connected to more than one at once, you may specify a --name value in commands in order to specify which you intend to execute the command on. For example, sdm gcp --name <RESOURCE_NAME> cli. The flag must come before the cli portion of the command in order to preserve the ability to use the command as normal with a single GCP cloud resource connected.

–project #

As a convenience to users, administrators can set a GCP Project ID on a resource during configuration. This enables users to skip the --project flag when running commands against a GCP CLI/SDK (Workforce Identity Federation) resource. If the Project ID field is not filled out during resource configuration, users still need to specify a project in the situations that they normally would when running GCP commands. Either the project number (95464132584) or an actual Project ID (example-favorite-project-1411) can be used, but Google recommends the Project ID for most cases as the best practice.

Error cases #

Should you attempt to use a cloud resource without the client running, you encounter an error such as the following:

ERROR: gcloud crashed (TransportError): HTTPSConnectionPool(host='oauth2.googleapis.com', port=443): Max retries exceeded with url: /token (Caused by ProxyError('Cannot connect to proxy.', NewConnectionError('<urllib3.connection.HTTPSConnection object at 0x10c7c9d30>: Failed to establish a new connection: [Errno 61] Connection refused')))

Should you attempt to use a cloud resource when you are not connected to it, StrongDM’s CLI commands warn you. You can get around this warning in some contexts (for example, by setting environment variables in your terminal). In these cases, you may encounter SSL errors, and nothing happens when you run commands.