Configuring Workload Identity Federation Authorization

As of Manufacturing Connect Edge version 3.11.3 and Manufacturing Connect version 2.17.0, the Google Pub/Sub connector offers two options for its service account key parameter: GCP SA Key Authentication and GCP Workload identity federation (OIDC).

Service Account Keys

Each Google service account is associated with a public/private RSA key pair. The Service Account Credentials API uses this internal key pair to create short-lived service account credentials, and to sign blobs and JSON Web Tokens (JWTs). This key pair is known as the Google-managed key pair.

In addition, you can create multiple public/private RSA key pairs, known as user-managed key pairs, and use the private key to authenticate with Google APIs. This private key is known as a service account key.

See Service account keys to learn more.

Workload Identity Federation

Workload Identity Federation lets you grant on-premises or multi-cloud workloads access to Google Cloud resources without using a service account key. This option exists because a service account key is a long-lived private key: anyone who obtains the key file can authenticate as the service account until the key is deleted, so keys present a security risk unless they are stored, rotated and audited carefully.

With identity federation, you can use Identity and Access Management (IAM) to grant external identities IAM roles, including the ability to impersonate service accounts. This approach eliminates the maintenance and security burden associated with service account keys.

Workload Identity Pools

A workload identity pool is an entity that lets you manage external identities. You review, and can optionally customize, the pool when setting up these credentials.

Workload Identity Pool Providers

A workload identity pool provider is the entity that describes the relationship between Google Cloud and your identity provider (IdP).

Workload identity federation follows the OAuth 2.0 token exchange specification (RFC 8693). The workload presents a credential from your IdP to Google's Security Token Service, which checks the credential against the provider configuration (issuer, allowed audience, expiry and the IdP's signature) and returns a federated token in exchange. That federated token is then used to impersonate the service account and obtain a short-lived access token.
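The two-hop exchange described above, as an added example that is not part of this documentation or of the Manufacturing Connect product code (Python, standard library only). It shows the `external_account` credential configuration a workload holds in place of a service account key, the RFC 8693 request the workload sends to the Security Token Service, a mock of the checks the STS performs against a pool provider (issuer, allowed audience, expiry) with the error it returns when a check fails, and the follow-on IAM Credentials `generateAccessToken` request that impersonates the service account. The project number, pool, provider, issuer, service account and token file path are hypothetical placeholders, and the IdP token is a constructed, unsigned sample; the real STS also verifies the token's signature against the issuer's published keys, which the mock omits.

```python
import base64
import json
import time

STS_TOKEN_URL = "https://sts.googleapis.com/v1/token"
TOKEN_EXCHANGE_GRANT = "urn:ietf:params:oauth:grant-type:token-exchange"  # RFC 8693
JWT_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:jwt"
ACCESS_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:access_token"

# Hypothetical identifiers used only for this example, not values from the page.
PROJECT_NUMBER = "123456789012"
POOL_ID = "mce-pool"
PROVIDER_ID = "mce-oidc"
ISSUER = "https://idp.example.com"
SERVICE_ACCOUNT = "pubsub-publisher@example-project.iam.gserviceaccount.com"


def provider_path(project_number, pool_id, provider_id):
    """Resource path of the workload identity pool provider."""
    return (f"projects/{project_number}/locations/global/"
            f"workloadIdentityPools/{pool_id}/providers/{provider_id}")


def provider_config(project_number, pool_id, provider_id, issuer):
    """What the pool provider records about the IdP. Google's default allowed audience
    for an OIDC provider is the provider resource name under https://iam.googleapis.com/;
    a custom audience list can be configured instead."""
    path = provider_path(project_number, pool_id, provider_id)
    return {"issuer_uri": issuer, "allowed_audiences": [f"https://iam.googleapis.com/{path}"]}


def external_account_config(project_number, pool_id, provider_id, sa_email, token_file):
    """Credential config a workload uses instead of a service account key: it holds no
    private key, only where to read the IdP token and which service account to impersonate."""
    path = provider_path(project_number, pool_id, provider_id)
    return {
        "type": "external_account",
        "audience": f"//iam.googleapis.com/{path}",
        "subject_token_type": JWT_TOKEN_TYPE,
        "token_url": STS_TOKEN_URL,
        "service_account_impersonation_url": ("https://iamcredentials.googleapis.com/v1/"
                                              f"projects/-/serviceAccounts/{sa_email}:generateAccessToken"),
        "credential_source": {"file": token_file},
    }


def _b64url(obj):
    return base64.urlsafe_b64encode(json.dumps(obj, separators=(",", ":")).encode()).rstrip(b"=").decode()


def make_sample_oidc_token(issuer, subject, audience, now, ttl=3600):
    """Constructed, UNSIGNED stand-in for the token a real IdP would sign with its key."""
    claims = {"iss": issuer, "sub": subject, "aud": audience, "iat": now, "exp": now + ttl}
    return f"{_b64url({'alg': 'none', 'typ': 'JWT'})}.{_b64url(claims)}."


def decode_claims(token):
    payload = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))


def build_sts_request(config, subject_token):
    """Form fields of the RFC 8693 exchange the workload POSTs to token_url."""
    return {"grant_type": TOKEN_EXCHANGE_GRANT, "audience": config["audience"],
            "scope": "https://www.googleapis.com/auth/cloud-platform",
            "requested_token_type": ACCESS_TOKEN_TYPE,
            "subject_token_type": config["subject_token_type"], "subject_token": subject_token}


def mock_sts_exchange(request, provider, now):
    """Models the checks the Security Token Service makes against the provider before
    issuing a federated token. Signature verification of the IdP token is omitted here."""
    if request["grant_type"] != TOKEN_EXCHANGE_GRANT:
        return {"error": "unsupported_grant_type"}
    claims = decode_claims(request["subject_token"])
    if claims.get("iss") != provider["issuer_uri"]:
        return {"error": "invalid_grant", "error_description": "issuer does not match provider"}
    if claims.get("aud") not in provider["allowed_audiences"]:
        return {"error": "invalid_grant", "error_description": "audience not allowed"}
    if claims.get("exp", 0) <= now:
        return {"error": "invalid_grant", "error_description": "token expired"}
    federated = "federated." + _b64url({"sub": claims["sub"], "aud": request["audience"]})
    return {"access_token": federated, "issued_token_type": ACCESS_TOKEN_TYPE,
            "token_type": "Bearer", "expires_in": 3600}


def build_impersonation_request(config, federated_token, scopes):
    """Second hop: present the federated token to IAM Credentials to mint a short-lived
    access token for the target service account (no key material involved)."""
    return {"url": config["service_account_impersonation_url"],
            "headers": {"Authorization": f"Bearer {federated_token}",
                        "Content-Type": "application/json"},
            "body": {"scope": scopes, "lifetime": "3600s"}}


def federate(config, provider, subject_token, now):
    """Client-side flow: STS exchange, then the impersonation request, or the STS error."""
    sts_response = mock_sts_exchange(build_sts_request(config, subject_token), provider, now)
    if "error" in sts_response:
        return sts_response
    return build_impersonation_request(config, sts_response["access_token"],
                                       ["https://www.googleapis.com/auth/pubsub"])


if __name__ == "__main__":
    now = int(time.time())
    provider = provider_config(PROJECT_NUMBER, POOL_ID, PROVIDER_ID, ISSUER)
    config = external_account_config(PROJECT_NUMBER, POOL_ID, PROVIDER_ID, SERVICE_ACCOUNT, "/var/run/mce/oidc-token")
    token = make_sample_oidc_token(ISSUER, "edge-device-42", provider["allowed_audiences"][0], now)
    print(json.dumps(federate(config, provider, token, now), indent=2))
```

Two points worth noticing in the flow: the STS `audience` parameter uses the `//iam.googleapis.com/...` form while the OIDC token's `aud` claim must match one of the provider's allowed audiences, and a token from the wrong issuer, with an unexpected audience, or past its expiry is refused at the exchange step, so the service account is never impersonated.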

See the following to learn more:

Configuring Workload Identity Federation Authorization

If you have Manufacturing Connect Edge 3.11.3 or later and Manufacturing Connect 2.17.0 or later, there are two ways to use Workload Identity Federation (WIF) authorization.

Method 1: Auto-Provisioning of Google Pub/Sub Connector

When activating Manufacturing Connect Edge devices with Manufacturing Connect, the default Google Pub/Sub connector that is automatically created and provisioned during activation can use Workload Identity Federation authorization. To do this, configure the Cloud Settings in the Manufacturing Connect Admin Console to use GCP Workload identity federation (OIDC). See Cloud Settings to learn more. Once the Cloud Settings are configured, complete the steps to Activate an Edge Device.

Method 2: Configure a Google Pub/Sub Connector that Uses Workload Identity Federation Authorization with a New Pub/Sub Topic

If needed, you can reconfigure the automatically provisioned Google Pub/Sub connector to publish to a different default Pub/Sub topic while keeping WIF authorization.

To configure new Google Pub/Sub connectors with WIF authorization:

  1. Configure Manufacturing Connect with Workload Identity Federation authorization. See Cloud Settings to learn more.
  2. Activate the respective Manufacturing Connect Edge device with Manufacturing Connect. See Activate an Edge Device to learn more.
  3. In the activated Manufacturing Connect Edge device, navigate to System > Backup/Restore > Template.
  4. Select all the configurations in the template. Ensure that the Pub/Sub connector is included in the template.
  5. Click Download Template. See Download a Template to learn more.
  6. Click Upload Template.
  7. Select the file that was downloaded and click Open.
  8. Navigate to Integration.
  9. Edit the Google Pub/Sub connector and update the Default topic parameter with the new topic you want to use. See Manage Connectors to learn more.
  10. Disable and then re-enable the connector so that it reconnects using the new topic.