aster.cloud aster.cloud
  • /
  • Platforms
    • Public Cloud
    • On-Premise
    • Hybrid Cloud
    • Data
  • Architecture
    • Design
    • Solutions
    • Enterprise
  • Engineering
    • Automation
    • Software Engineering
    • Project Management
    • DevOps
  • Programming
    • Learning
  • Tools
  • About
  • /
  • Platforms
    • Public Cloud
    • On-Premise
    • Hybrid Cloud
    • Data
  • Architecture
    • Design
    • Solutions
    • Enterprise
  • Engineering
    • Automation
    • Software Engineering
    • Project Management
    • DevOps
  • Programming
    • Learning
  • Tools
  • About
aster.cloud aster.cloud
  • /
  • Platforms
    • Public Cloud
    • On-Premise
    • Hybrid Cloud
    • Data
  • Architecture
    • Design
    • Solutions
    • Enterprise
  • Engineering
    • Automation
    • Software Engineering
    • Project Management
    • DevOps
  • Programming
    • Learning
  • Tools
  • About
  • Computing
  • Engineering

What Type Of Authentication Is Best For VMs? A Conversation

  • aster.cloud
  • April 15, 2022
  • 7 minute read

 


Partner with aster.cloud
for your next big idea.
Let us know here.



From our partners:

CITI.IO :: Business. Institutions. Society. Global Political Economy.
CYBERPOGO.COM :: For the Arts, Sciences, and Technology.
DADAHACKS.COM :: Parenting For The Rest Of Us.
ZEDISTA.COM :: Entertainment. Sports. Culture. Escape.
TAKUMAKU.COM :: For The Hearth And Home.
ASTER.CLOUD :: From The Cloud And Beyond.
LIWAIWAI.COM :: Intelligence, Inside and Outside.
GLOBALCLOUDPLATFORMS.COM :: For The World's Computing Needs.
FIREGULAMAN.COM :: For The Fire In The Belly Of The Coder.
ASTERCASTER.COM :: Supra Astra. Beyond The Stars.
BARTDAY.COM :: Prosperity For Everyone.

We published another episode of “VM End to End,” which is a series of curated conversations between a “VM skeptic” and a “VM enthusiast”. Every episode, join Brian, Carter, and a special guest as they explore why VMs are some of Google’s most trusted and reliable offerings, and how VMs benefit companies operating at scale in the cloud. Here is a transcript of the episode


 

Carter Morgan: Welcome to another episode VM End-to-End, a show where we have a VM skeptic and a VM enthusiast come together to hash out all things VM-related. Thanks for being here today, Brian.

Brian Dorsey: Happy to be here. What’s the topic for today?

Carter: Oh, you know what it is. I need to know about identity, and I need to know about access. I want to know why I can’t just SSH into everything, or if I can. What can you tell me, Brian?

Brian: Okay. I’ll give a quick answer here, and then I will bring a guest in because I don’t know all the details. One, you can just SSH in. It’s a computer; SSH works with keys, so you’ve got a key pair, and it kind of works as when you have that token, you can get into any machine that the public key’s on. You can just manage those all yourself if you’ve got a system to do that, but it can get to be a lot and get quite complicated, especially as your organization gets larger. We have a way to delegate the creation of those keys to Google’s Identity infrastructure. That is why I wanted to bring in Emanuel, one of our colleagues who focuses on identity and access management. Welcome, Emanuel.

Emanuel Burgess: Brian, thank you for that amazing introduction. How are you today, Carter?

Carter: Yeah, I’m doing well, a little confused, but I think Brian can tell you where my struggles lie.

Brian: Emanuel, what’s the high-level [information] on identity and access management in Google Cloud?

Emanuel: Brian, that’s a great question. Let’s go back to defining what IAM is, right? IAM stands for identity and access management, which means that you can delegate or control who has access to what resources in your Google Cloud account.

Carter: Okay, so you can control who has resources or access to resources. Who’s setting that up?

Emanuel: Well, first, you need to set up a domain. There’s a person that’s called a super admin. The super admin goes into the admin console and sets up your domain. Once they set up your domain, it automatically creates an organization for you. Now, this super admin is a role that can do anything within the admin portal to manage users, create groups, set up multi-factor authentication, and more, all from the admin portal.

Read More  Troubleshooting Application Performance On Cloud Spanner With OpenCensus

Brian: So we’ve got this super admin and domain, and the thing I’m used to looking at the most is projects. How do those connect?

Emanuel: Right. A domain one-to-one maps with an organization, and so if we think of projects, projects sit under an organization. You can think of an organization as a root node within your GCP account. With the root node, you can have things under them like projects and folders, and then you can assign resources to projects.

Carter: Oh. And, I take it, this hierarchal structure is what you use to access different areas?

Emanuel: Absolutely, there you go.

Carter: Then what about if I want a script or something to access Google Cloud’s resources for me? What do I do then?

Emanuel: If you want an external application or workload to access things within Google Cloud, you can use what’s called a service account.

Carter: What’s that?

Emanuel: You can think of a service account as a special account that can interact with APIs within Google Cloud. If we want to put this in context, let’s look at a user account. If I’m a user and have access to Google Cloud, I would go via Chrome to the Google Cloud browser or website, and then I would log in. When I put in my username and password, I’m authenticated. After I’m authenticated, I inherit the permissions or roles attached to a group I’m assigned to. But if I’m an application, I can’t do that, and I can’t go and log into Google Chrome, so I would need a service account to interact with APIs and services within Google Cloud.

Brian: Got it. That makes sense. So we have these organizations that give access to things. If I’m a user, I can get in one way; maybe I can SSH in. If I’m a program, I can connect to other APIs via service accounts. Are there any other ways programs get access?

Emanuel: Yeah. You have service accounts, and then you also have service account keys. Back in the day, in the way, way distant past, we gave external applications access to workloads or resources in Google Cloud using service account keys, but service account keys are problematic. One thing that makes service account keys a poor choice if you’re trying to securely build resources in Google Cloud is that they live on forever. So leaked service account keys can cause a major issue. In theory, whoever has access to your service account keys can impersonate a service account and get access to all the APIs and all the features attached to that service account. Then, in addition to that, this causes a secrets management issue. How do we manage these keys that are just floating around? You have to develop a secrets management strategy to safeguard and provide some peace of mind around these service account keys.

Read More  Introducing SWIFT On Google Cloud

Carter: I never actually thought about some of these downsides of service account keys. I like the saying, these things from the way distant past. I love that. What you just talked about, though, made me think of something. It seems like service accounts are used for resources within Google Cloud. What if I have some service outside of Google Cloud that I want to authenticate into? Is there any way to let Google manage yet?

Emanuel: Well, yeah. We can do that. Let’s say I’m using Terraform to build infrastructure within Google Cloud. For me to do that long ago, I had to give it service account keys. I would set up Terraform, create a provider block, pass it my service account keys, and the service account keys would impersonate a service account within Google Cloud. That worked, but now I have to manage that specific key. Now we can use short-lived credentials, which means we don’t have to worry about managing service account keys. So now, if I want to build infrastructure in Google Cloud using Terraform, I can use short-lived credentials to authenticate Terraform with Google Cloud.

Carter: I love how excited you were to tell me more about these short-lived tokens–

Emanuel: I love it, I love it.

Carter: –because they are helpful. So thank you. All right, but now to the question before. Is it possible to get this kind of security or access to external workloads?

Emanuel: Well, yeah. We also have a feature that’s called workload identity federation. If you have external or outside of Google Cloud workloads that have their own identity provider, you can authenticate using short-lived tokens. What happens is you have an application that gets credentials from its identity provider, and then those credentials are passed to Google’s token service? Google’s token service takes those credentials and creates a short-lived external token it passes to the external application. Now, the external application can access and impersonate a service account within Google Cloud.

Brian: Got it. Okay, so we’ve got a lot of different kinds of access here. We’ve got users, service accounts, short-lived tokens, workload stuff. How do I decide which ones to use in a given situation?

Read More  Worldwide Cloud Spending Up 33% In Q3

Emanuel: I mean, that’s a great question. It all depends. Let’s say once again I’m using Terraform. Suppose I’m a user and have an external application that doesn’t have an identity provider. In that case, I can use short-lived credentials to authenticate that external application and impersonate a service account within Google Cloud. If I have a workload that has an identity provider, let’s say I’m using AWS for my identity provider, or I’m using on-premise Active Directory or Azure Active Directory, or let’s even say I’m using Okta. In those cases, it would be best to use workload identity federation so you can dynamically generate keys and not have to worry about manually generating keys from the gcloud command-line or one of the other methods.

Brian: And then all of this taps into IAM. That’s awesome. So you’ve got a consistent way to look at it, and that’s super cool. If somebody wants to dig in more on this, where should they start?

Emanuel: To get more information about IAM, security best practices, workload identity federation, short-lived credentials, you would go to cloud.google.com/iam/docs.

Carter: Yeah. Thank you so much for coming in, Emanuel! I had never heard of short-lived tokens, I never heard of workload identity federation, and I never really thought about some of the downsides to even service accounts and the long-lived static keys. To recap, would you say using IAM is a best practice?

Emanuel: Absolutely. I think if you’re working in any large organization, setting up IAM using organizations is the best way to go. Now, if you wanted to just play around with Google Cloud, you could sign up with just your Gmail account, but if you did that, that wouldn’t give you access to all the benefits of organizations. If you’re at a large enterprise, organizations to invoke IAM on your Google Cloud account is the best way to go.

Carter: Wow. That’s about all. I learned so much today about workload federation, short-lived tokens, and more. Brian, thanks for bringing Emanuel on. I got to give you props.

Brian: No, thank you, Emanuel. This was great.

Emanuel: I appreciate you, Brian and Carter. Thank you guys for the opportunity.

Carter: Yes. I learned about short-lived tokens and workload federation. If you’re listening at home, leave a comment about something you learned. Thank you, and that’s all for this episode of VM End-to-End.


Special thanks to Emanuel Burgess, Developer Relations Engineer at Google, for being this episode’s guest!

 

By: Carter Morgan (Developer Advocate) and Brian Dorsey (Developer Advocate)
Source: Google Cloud Blog


For enquiries, product placements, sponsorships, and collaborations, connect with us at [email protected]. We'd love to hear from you!

Our humans need coffee too! Your support is highly appreciated, thank you!

aster.cloud

Related Topics
  • Authentication
  • Conversation
  • Google Cloud
  • Security
  • Virtual Machine
You May Also Like
View Post
  • Computing
  • Multi-Cloud
  • Technology

Reliance on US tech providers is making IT leaders skittish

  • May 28, 2025
View Post
  • Computing
  • Multi-Cloud
  • Technology

TD Synnex named as UK distributor for Cohesity

  • May 28, 2025
View Post
  • Computing
  • Multi-Cloud
  • Technology

Broadcom’s ‘harsh’ VMware contracts are costing customers up to 1,500% more

  • May 28, 2025
View Post
  • Computing
  • Multi-Cloud
  • Technology

Pulsant targets partner diversity with new IaaS solution

  • May 23, 2025
View Post
  • Computing
  • Multi-Cloud
  • Technology

Growing AI workloads are causing hybrid cloud headaches

  • May 23, 2025
View Post
  • Computing
  • Multi-Cloud
  • Technology

Google is getting serious on cloud sovereignty

  • May 22, 2025
View Post
  • Computing
  • Multi-Cloud
  • Technology

Hybrid cloud is complicated – Red Hat’s new AI assistant wants to solve that

  • May 20, 2025
View Post
  • Computing
  • Multi-Cloud
  • Technology

Cloud adoption isn’t all it’s cut out to be as enterprises report growing dissatisfaction

  • May 15, 2025

Stay Connected!
LATEST
  • 1
    Reliance on US tech providers is making IT leaders skittish
    • May 28, 2025
  • 2
    TD Synnex named as UK distributor for Cohesity
    • May 28, 2025
  • 3
    Broadcom’s ‘harsh’ VMware contracts are costing customers up to 1,500% more
    • May 28, 2025
  • 4
    Pulsant targets partner diversity with new IaaS solution
    • May 23, 2025
  • 5
    Growing AI workloads are causing hybrid cloud headaches
    • May 23, 2025
  • Gemma 3n 6
    Announcing Gemma 3n preview: powerful, efficient, mobile-first AI
    • May 22, 2025
  • 7
    Google is getting serious on cloud sovereignty
    • May 22, 2025
  • oracle-ibm 8
    Google Cloud and Philips Collaborate to Drive Consumer Marketing Innovation and Transform Digital Asset Management with AI
    • May 20, 2025
  • 9
    Hybrid cloud is complicated – Red Hat’s new AI assistant wants to solve that
    • May 20, 2025
  • notta-ai-header 10
    Notta vs Fireflies: Which AI Transcription Tool Deserves Your Attention in 2025?
    • May 16, 2025
about
Hello World!

We are aster.cloud. We’re created by programmers for programmers.

Our site aims to provide guides, programming tips, reviews, and interesting materials for tech people and those who want to learn in general.

We would like to hear from you.

If you have any feedback, enquiries, or sponsorship request, kindly reach out to us at:

[email protected]
Most Popular
  • 1
    Cloud adoption isn’t all it’s cut out to be as enterprises report growing dissatisfaction
    • May 15, 2025
  • oracle-ibm 2
    IBM and Oracle Expand Partnership to Advance Agentic AI and Hybrid Cloud
    • May 6, 2025
  • college-of-cardinals-2025 3
    The Definitive Who’s Who of the 2025 Papal Conclave
    • May 7, 2025
  • conclave-poster-black-smoke 4
    The World Is Revalidating Itself
    • May 6, 2025
  • 5
    Conclave: How A New Pope Is Chosen
    • April 25, 2025
  • /
  • Technology
  • Tools
  • About
  • Contact Us

Input your search keywords and press Enter.