Configuring Workload Identity Federation Authorization
As of Manufacturing Connect Edge version 3.11.3 and Manufacturing Connect version 2.17.0, you have two options for configuring the Service Account Key parameter in the Google Pub/Sub connector:

- GCP SA Key authentication
- GCP Workload Identity Federation (OIDC)

Service account keys

Each Google service account is associated with a public/private RSA key pair. The Service Account Credentials API uses this internal key pair to create short-lived service account credentials and to sign blobs and JSON Web Tokens (JWTs). This key pair is known as the Google-managed key pair.

In addition, you can create multiple public/private RSA key pairs, known as user-managed key pairs, and use the private key to authenticate with Google APIs. This private key is known as a service account key. See Service Account Keys to learn more.

Workload identity federation

Workload identity federation lets you grant on-premises or multi-cloud workloads access to Google Cloud resources without using a service account key. You may choose this option because service account keys are powerful, long-lived credentials that present a security risk if they are not managed correctly. With identity federation, you use Identity and Access Management (IAM) to grant external identities IAM roles, including the ability to impersonate service accounts. This approach eliminates the maintenance and security burden associated with service account keys.

Workload identity pools: A workload identity pool is an entity that lets you manage external identities. You will review, and have the option to customize, this parameter when setting up these credentials.

Workload identity pool providers: A workload identity pool provider is the entity that describes the relationship between Google Cloud and your identity provider (IdP).

Workload identity federation follows the OAuth 2.0 token exchange specification (https://tools.ietf.org/html/rfc8693). You provide a credential from your IdP to the Security Token Service (https://cloud.google.com/iam/docs/reference/sts/rest), which verifies the identity on the credential and returns a federated token in exchange.

See the following to learn more:

- Workload Identity Federation
- IAM Roles

Configuring Workload Identity Federation authorization

If you have Manufacturing Connect Edge 3.11.3 and Manufacturing Connect 2.17.0, there are two ways to use Workload Identity Federation (WIF) authorization.

Method 1: Auto-provisioning of the Google Pub/Sub connector

When activating Manufacturing Connect Edge devices with Manufacturing Connect, the default Google Pub/Sub connector that is automatically created and provisioned during activation can use Workload Identity Federation authorization. To do this, configure the cloud settings in the Manufacturing Connect admin console to use GCP Workload Identity Federation (OIDC). See Cloud Settings to learn more. Once the cloud settings are configured, complete the steps to activate an edge device. See Activate an Edge Device to learn more.

Method 2: Configure a Google Pub/Sub connector that uses Workload Identity Federation authorization with a new Pub/Sub topic

If needed, you can configure the provisioned Google Pub/Sub connector with a new default Pub/Sub topic. To configure new Google Pub/Sub connectors with WIF authorization:

1. Configure Manufacturing Connect with Workload Identity Federation authorization. See Cloud Settings to learn more.
2. Activate the respective Manufacturing Connect Edge device with Manufacturing Connect. See Activate an Edge Device to learn more.
3. In the activated Manufacturing Connect Edge device, navigate to System > Backup/Restore > Template.
4. Select all the configurations in the template. Ensure that the Pub/Sub connector is included in the template.
5. Click Download Template. See Manage Templates to learn more.
6. Click Upload Template, select the file that was downloaded, and click Open.
7. Navigate to Integration, edit the Google Pub/Sub connector, and update the Default Topic parameter with the new topic you want to use. See Manage Connectors to learn more.
8. Disable and then re-enable the connector.
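The token exchange described in the Workload identity federation section above, shown as an added example in Python. This is not code from this page or from the Manufacturing Connect product; it shows the two HTTP calls a WIF client makes: the RFC 8693 token exchange against Google's Security Token Service, then service-account impersonation with the federated token. The STS and IAM Credentials endpoints and parameter names are Google's public API; the project number, pool, provider, service-account e-mail, tokens and the fake transport are constructed placeholders so the flow runs offline.

```python
"""WIF: RFC 8693 token exchange with Google STS, then SA impersonation.

Added example, not Litmus / Manufacturing Connect code. The HTTP transport is
injected so the flow runs offline against a constructed fake; all names are
placeholders.
"""
import json
import urllib.parse
from typing import Any, Callable, Dict, Tuple

STS_TOKEN_URL = "https://sts.googleapis.com/v1/token"
IAM_CREDENTIALS_URL = "https://iamcredentials.googleapis.com/v1"
TOKEN_EXCHANGE_GRANT = "urn:ietf:params:oauth:grant-type:token-exchange"
ACCESS_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:access_token"
JWT_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:jwt"  # OIDC ID token from the IdP
CLOUD_PLATFORM_SCOPE = "https://www.googleapis.com/auth/cloud-platform"

# post(url, headers, body) -> (http_status, response_text); injected for offline use
Post = Callable[[str, Dict[str, str], str], Tuple[int, str]]


def wif_audience(project_number: str, pool_id: str, provider_id: str) -> str:
    """Audience naming the pool provider the external credential is exchanged against."""
    return (f"//iam.googleapis.com/projects/{project_number}/locations/global/"
            f"workloadIdentityPools/{pool_id}/providers/{provider_id}")


def sts_exchange_form(audience: str, oidc_token: str) -> Dict[str, str]:
    """RFC 8693 token-exchange parameters as the Google STS expects them."""
    return {"grant_type": TOKEN_EXCHANGE_GRANT, "audience": audience,
            "scope": CLOUD_PLATFORM_SCOPE, "requested_token_type": ACCESS_TOKEN_TYPE,
            "subject_token_type": JWT_TOKEN_TYPE, "subject_token": oidc_token}


def exchange_for_federated_token(post: Post, audience: str, oidc_token: str) -> str:
    """Step 1: STS verifies the IdP credential and returns a federated token."""
    body = urllib.parse.urlencode(sts_exchange_form(audience, oidc_token))
    status, text = post(STS_TOKEN_URL,
                        {"Content-Type": "application/x-www-form-urlencoded"}, body)
    if status != 200:
        raise PermissionError(f"STS rejected the external credential: {status} {text}")
    resp = json.loads(text)
    if resp.get("issued_token_type") != ACCESS_TOKEN_TYPE:
        raise ValueError(f"unexpected issued_token_type: {resp.get('issued_token_type')}")
    return resp["access_token"]


def impersonate_service_account(post: Post, federated_token: str, sa_email: str,
                                lifetime_s: int = 3600) -> Dict[str, Any]:
    """Step 2: trade the federated token for a short-lived service-account token."""
    url = f"{IAM_CREDENTIALS_URL}/projects/-/serviceAccounts/{sa_email}:generateAccessToken"
    headers = {"Authorization": f"Bearer {federated_token}",
               "Content-Type": "application/json"}
    body = json.dumps({"scope": [CLOUD_PLATFORM_SCOPE], "lifetime": f"{lifetime_s}s"})
    status, text = post(url, headers, body)
    if status != 200:
        raise PermissionError(f"impersonation of {sa_email} denied: {status} {text}")
    resp = json.loads(text)
    return {"access_token": resp["accessToken"], "expire_time": resp["expireTime"]}


def federated_access_token(post: Post, project_number: str, pool_id: str, provider_id: str,
                           oidc_token: str, sa_email: str) -> Dict[str, Any]:
    """Full flow: no service account key is ever present on the workload."""
    audience = wif_audience(project_number, pool_id, provider_id)
    federated = exchange_for_federated_token(post, audience, oidc_token)
    return impersonate_service_account(post, federated, sa_email)


# Constructed fake standing in for STS and the IAM Credentials API (placeholders).
EXPECTED_AUDIENCE = wif_audience("123456789012", "mce-pool", "mce-oidc-provider")
TRUSTED_OIDC_TOKEN = "constructed.oidc.token"  # placeholder, not a real JWT
SA_EMAIL = "pubsub-publisher@example-project.iam.gserviceaccount.com"  # placeholder


def fake_google_post(url: str, headers: Dict[str, str], body: str) -> Tuple[int, str]:
    if url == STS_TOKEN_URL:
        form = dict(urllib.parse.parse_qsl(body))
        ok = (form.get("grant_type") == TOKEN_EXCHANGE_GRANT
              and form.get("audience") == EXPECTED_AUDIENCE
              and form.get("subject_token") == TRUSTED_OIDC_TOKEN)
        if not ok:  # what a pool provider that does not trust the token produces
            return 400, json.dumps({"error": "invalid_grant"})
        return 200, json.dumps({"access_token": "federated-token-1", "token_type": "Bearer",
                                "issued_token_type": ACCESS_TOKEN_TYPE, "expires_in": 3600})
    if url == f"{IAM_CREDENTIALS_URL}/projects/-/serviceAccounts/{SA_EMAIL}:generateAccessToken":
        if headers.get("Authorization") != "Bearer federated-token-1":
            return 401, json.dumps({"error": "unauthenticated"})
        return 200, json.dumps({"accessToken": "sa-access-token-1",
                                "expireTime": "2030-01-01T00:00:00Z"})
    return 404, json.dumps({"error": "not_found"})


if __name__ == "__main__":
    print(federated_access_token(fake_google_post, "123456789012", "mce-pool",
                                 "mce-oidc-provider", TRUSTED_OIDC_TOKEN, SA_EMAIL))
```

The workload only ever holds its IdP-issued OIDC token and the short-lived tokens Google returns; the service account's private key never leaves Google, which is the property the page describes. A wrong audience or a subject token the pool provider does not trust comes back from STS as a 400 invalid_grant, which the flow surfaces as a PermissionError; the same pattern (with a real HTTP client in place of the fake) is what Google's client libraries perform when given an external_account credential configuration.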