
# Google Workload Identity Federation

These are the steps a customer needs to take to enable Workload Identity Federation (WIF) so that Zenlytic (hosted in AWS) can connect to their BigQuery instance (hosted in GCP).

1. Enable the required APIs: the **Security Token Service (STS)**, **IAM Service Account Credentials**, and **BigQuery** APIs.
2. Create a Workload Identity Pool. You can create it via the console by following these instructions. First, navigate to Workload Identity Federation and begin the process of creating a workload identity pool.

![google\_workload\_identity\_federation\_image\_1.png](/files/5EX5MnkykZdFBarX57W7)

After clicking Get Started, fill out the next screen.

![google\_workload\_identity\_federation\_image\_2.png](/files/4veFDZUQPRNrE4poUAgQ)

3. Next, create the provider and add it to the pool. Select AWS, and use the Zenlytic AWS account id `734818345323`.

![google\_workload\_identity\_federation\_image\_3.png](/files/6xh4pZAGegQJHWxa6d7q)

4. Configure the following two attribute mappings, then click Save at the bottom of the screen.

| Attribute            | Mapping expression                              |
| -------------------- | ----------------------------------------------- |
| `google.subject`     | `assertion.arn.extract('assumed-role/{role}/')` |
| `attribute.aws_role` | `assertion.arn.extract('assumed-role/{role}/')` |

{% hint style="warning" %}
**Important:** `google.subject` appears grayed out in the screenshot below as a placeholder — you must explicitly fill it in with the expression above. Do not leave it empty or set it to `assertion.arn`.

GCP enforces a **127-byte limit** on `google.subject`. Setting it to `assertion.arn` (the full role ARN including the session UUID) can exceed this limit. Using `assertion.arn.extract('assumed-role/{role}/')` maps only the role name (~46 bytes), well within the limit.
{% endhint %}

![google\_workload\_identity\_federation\_image\_4.png](/files/1LmUftHTfKIBtDuBByH3)

5. Get the principal value that you will grant permissions to in GCP. It follows the format given in Google's [Workload Identity Federation documentation](https://cloud.google.com/iam/docs/workload-identity-federation?_gl=1*1a70t2e*_ga*MTA2MzMwNDkwMS4xNzQ4NTMzOTU2*_ga_WH2QY8WWF5*czE3NDg1MzM5NTYkbzEkZzEkdDE3NDg1Mzg1NTEkajQ1JGwwJGgw#impersonation), which is:

{% code overflow="wrap" %}

```bash
principalSet://iam.googleapis.com/projects/<PROJECT_NUMBER>/locations/global/workloadIdentityPools/<POOL_ID>/attribute.aws_role/<ATTRIBUTE_VALUE>
```

{% endcode %}

Fill in those placeholders with the values you have from this process so far, plus one value from the Zenlytic team.

* `<PROJECT_NUMBER>` is the project number of your GCP project (e.g. `123456789`).
* `<POOL_ID>` is the id of the pool you created (note the light grey text in step 2; for this example the value is `zenlytic-aws-federation-pool`).
* `<ATTRIBUTE_VALUE>` is the name of the special-purpose AWS role Zenlytic will use to call out to your resources. Confirm it with your Zenlytic account contact; it will follow a pattern like `<company_name>-gcp-wif-prod`. We recommend keeping this name short to stay well within GCP's 127-byte limit for `google.subject`.

Using those values, the final principal would be:

{% code overflow="wrap" %}

```bash
principalSet://iam.googleapis.com/projects/123456789/locations/global/workloadIdentityPools/zenlytic-aws-federation-pool/attribute.aws_role/mycompany-gcp-workload-identity-federation-role-prod
```

{% endcode %}
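The attribute mapping from step 4 and the principal identifier from step 5 can be checked locally before anything is saved in the console. The script below is an added example and is not Zenlytic's or Google's code. Its `cel_extract` is a local re-implementation of the CEL `extract()` behaviour for a template with one placeholder (assumed here, not taken from Google's implementation), and the role and session names in the sample ARN are constructed. It shows why `assertion.arn` can overrun the 127-byte limit for `google.subject` while the extracted role name stays well inside it, and then builds the `principalSet` identifier from that same role name.

```python
import re

# Byte limit GCP enforces on google.subject (stated on this page).
SUBJECT_MAX_BYTES = 127

# The mapping expression template used for google.subject and attribute.aws_role.
MAPPING_TEMPLATE = "assumed-role/{role}/"


def cel_extract(value: str, template: str) -> str:
    """Local approximation of the CEL extract() used in GCP attribute mappings.

    The template holds exactly one {placeholder}. The text before it must occur
    in `value`; the capture runs up to the first occurrence of the text after
    it (or to the end of `value` when the template ends with the placeholder).
    Returns "" when the template does not match, i.e. the mapping yields an
    empty subject. This is an assumption about extract() for checking only.
    """
    prefix, rest = template.split("{", 1)
    _placeholder, suffix = rest.split("}", 1)
    pattern = re.escape(prefix) + r"(.*?)" + (re.escape(suffix) if suffix else r"$")
    match = re.search(pattern, value)
    return match.group(1) if match else ""


def check_subject(subject: str) -> list:
    """Return the problems that would make `subject` unusable as google.subject."""
    problems = []
    if not subject:
        problems.append("empty subject: the mapping expression did not match the ARN")
    size = len(subject.encode("utf-8"))
    if size > SUBJECT_MAX_BYTES:
        problems.append(f"subject is {size} bytes, over the {SUBJECT_MAX_BYTES}-byte limit")
    return problems


def principal_set(project_number: str, pool_id: str, aws_role: str) -> str:
    """Build the step-5 principalSet identifier for one attribute.aws_role value."""
    return (
        f"principalSet://iam.googleapis.com/projects/{project_number}"
        f"/locations/global/workloadIdentityPools/{pool_id}"
        f"/attribute.aws_role/{aws_role}"
    )


def evaluate_mapping(arn: str) -> dict:
    """Compare the two candidate google.subject values (full ARN vs. extracted role)."""
    role = cel_extract(arn, MAPPING_TEMPLATE)
    return {
        "full_arn_bytes": len(arn.encode("utf-8")),
        "full_arn_problems": check_subject(arn),
        "role": role,
        "role_problems": check_subject(role),
    }


# Constructed sample: the shape of ARN that AWS STS GetCallerIdentity reports for an
# assumed role. The account id is Zenlytic's from this page; the role name is the
# page's example and the session id is a made-up UUID.
SAMPLE_ROLE = "mycompany-gcp-workload-identity-federation-role-prod"
SAMPLE_SESSION = "6f1c2a8e-3b4d-4e5f-9a0b-1c2d3e4f5a6b"
SAMPLE_ARN = f"arn:aws:sts::734818345323:assumed-role/{SAMPLE_ROLE}/{SAMPLE_SESSION}"

if __name__ == "__main__":
    result = evaluate_mapping(SAMPLE_ARN)
    for key, value in result.items():
        print(f"{key}: {value}")
    print(principal_set("123456789", "zenlytic-aws-federation-pool", result["role"]))
```

With the sample ARN the full value is 128 bytes, one over the limit, while the extracted role name passes; an ARN that is not an assumed-role ARN (for example an IAM user ARN) extracts to an empty string, which the check also flags.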

6. Grant that principal access to the BigQuery resources you want it to have. For example, in the IAM screen, click **Grant Access**.

![google\_workload\_identity\_federation\_image\_5.png](/files/hGQfQKZP7yAMBhkruem2)

Then paste the full principal identifier you defined earlier into the principal field and hit Enter. After that, give the principal the required roles for BigQuery.

Finally, click Save.

7. Download the configuration the principal will use to connect. In the Workload Identity Pool, click Grant Access to get started.

![google\_workload\_identity\_federation\_image\_7.png](/files/pVP3onr84E79m05YNLAu)

Then leave the first option checked, and click Download config.

![google\_workload\_identity\_federation\_image\_8.png](/files/WwX9xkmlmE3bvw8rfc5U)

Select the Zenlytic AWS **zenlytic-aws provider**, and click Download config.

![google\_workload\_identity\_federation\_image\_9.png](/files/RYsJ1vvlmKzbhcPzd9WX)

You will paste this config into Zenlytic to configure the connection to BigQuery, after adding `project_id` to the JSON.

8. Finally, with the `project_id` line added at the top (the downloaded file does not contain it; you must add it yourself), the JSON will look like:

{% code overflow="wrap" %}

```json
{
  "project_id": "<your-project-id>",
  "universe_domain": "googleapis.com",
  "type": "external_account",
  "audience": "//iam.googleapis.com/projects/33333333333/locations/global/workloadIdentityPools/zenlytic-aws-federation-pool/providers/zenlytic-aws",
  "subject_token_type": "urn:ietf:params:aws:token-type:aws4_request",
  "token_url": "https://sts.googleapis.com/v1/token",
  "credential_source": {
    "environment_id": "aws1",
    "region_url": "http://169.254.169.254/latest/meta-data/placement/availability-zone",
    "url": "http://169.254.169.254/latest/meta-data/iam/security-credentials",
    "regional_cred_verification_url": "https://sts.{region}.amazonaws.com?Action=GetCallerIdentity&Version=2011-06-15"
  }
}
```

{% endcode %}
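Before pasting the file into Zenlytic, it is worth checking that it is still valid JSON (a `//` note left in the file breaks parsing), that `project_id` was actually added, and that the `audience` names the pool and provider created in steps 2 and 3. The script below is an added example, not Zenlytic's or Google's code. `DOWNLOADED_CONFIG` is a constructed stand-in for what the Download config button hands out, shaped like the page's JSON with the page's placeholder project number; `add_project_id` performs the step-8 edit programmatically, and `validate_wif_config` runs the checks. The expected pool and provider names are the ones used on this page.

```python
import json
import re

# Keys an AWS-backed external_account config must carry (the shape shown on this page).
REQUIRED_TOP_LEVEL = ("project_id", "type", "audience", "subject_token_type",
                      "token_url", "credential_source")
REQUIRED_SOURCE = ("environment_id", "region_url", "url",
                   "regional_cred_verification_url")

# audience format: //iam.googleapis.com/projects/<number>/locations/global/
#                  workloadIdentityPools/<pool>/providers/<provider>
AUDIENCE_RE = re.compile(
    r"^//iam\.googleapis\.com/projects/(\d+)/locations/global"
    r"/workloadIdentityPools/([^/]+)/providers/([^/]+)$"
)

# Constructed sample of a freshly downloaded config: no project_id yet. The project
# number is the page's placeholder; 169.254.169.254 is the AWS instance metadata address.
DOWNLOADED_CONFIG = json.dumps({
    "universe_domain": "googleapis.com",
    "type": "external_account",
    "audience": "//iam.googleapis.com/projects/33333333333/locations/global"
                "/workloadIdentityPools/zenlytic-aws-federation-pool/providers/zenlytic-aws",
    "subject_token_type": "urn:ietf:params:aws:token-type:aws4_request",
    "token_url": "https://sts.googleapis.com/v1/token",
    "credential_source": {
        "environment_id": "aws1",
        "region_url": "http://169.254.169.254/latest/meta-data/placement/availability-zone",
        "url": "http://169.254.169.254/latest/meta-data/iam/security-credentials",
        "regional_cred_verification_url":
            "https://sts.{region}.amazonaws.com?Action=GetCallerIdentity&Version=2011-06-15",
    },
}, indent=2)


def add_project_id(config_text: str, project_id: str) -> str:
    """Step 8: insert project_id as the first key and re-serialise as plain JSON."""
    cfg = json.loads(config_text)
    return json.dumps({"project_id": project_id, **cfg}, indent=2)


def validate_wif_config(config_text: str, expected_pool: str = "",
                        expected_provider: str = "") -> list:
    """Return a list of problems; an empty list means the file is ready to paste."""
    try:
        cfg = json.loads(config_text)
    except json.JSONDecodeError as exc:
        # A // comment or trailing note in the file lands here.
        return [f"not valid JSON: {exc.msg} at line {exc.lineno}"]

    problems = [f"missing '{key}'" for key in REQUIRED_TOP_LEVEL if key not in cfg]
    if cfg.get("type") != "external_account":
        problems.append("type must be 'external_account'")
    if cfg.get("subject_token_type") != "urn:ietf:params:aws:token-type:aws4_request":
        problems.append("subject_token_type is not the AWS SigV4 token type")
    if not str(cfg.get("token_url", "")).startswith("https://sts.googleapis.com/"):
        problems.append("token_url must point at https://sts.googleapis.com/")

    match = AUDIENCE_RE.match(str(cfg.get("audience", "")))
    if not match:
        problems.append("audience is not a workload identity pool provider path")
    else:
        _project_number, pool, provider = match.groups()
        if expected_pool and pool != expected_pool:
            problems.append(f"audience pool is '{pool}', expected '{expected_pool}'")
        if expected_provider and provider != expected_provider:
            problems.append(f"audience provider is '{provider}', expected '{expected_provider}'")

    src = cfg.get("credential_source") or {}
    problems += [f"missing credential_source.{key}" for key in REQUIRED_SOURCE if key not in src]
    if src.get("environment_id") != "aws1":
        problems.append("credential_source.environment_id must be 'aws1' for AWS")
    if not str(src.get("regional_cred_verification_url", "")).startswith("https://"):
        problems.append("regional_cred_verification_url must use https")
    return problems


if __name__ == "__main__":
    print(validate_wif_config(DOWNLOADED_CONFIG))   # reports the missing project_id
    completed = add_project_id(DOWNLOADED_CONFIG, "my-gcp-project")
    print(validate_wif_config(completed, "zenlytic-aws-federation-pool", "zenlytic-aws"))
```

Run it against the real downloaded file by reading the file contents into `validate_wif_config` with your own pool and provider names; the pool and provider comparison catches a config downloaded from the wrong pool, which would otherwise only show up as an opaque STS token exchange failure.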

