GCP Introduction
GCP Pricing
GCP Threats
GCP Misconfigurations
- Getting Started with GCP Audit
- CloudSql Audit
- Cloud Tasks Monitoring
- Dataflow Monitoring
- Function Monitoring
- Monitoring Compliance
- PubSubLite Monitoring
- Spanner Monitoring
- NoSQL Monitoring
- Compute Audit
- IAM Audit
- BigQuery Monitoring
- CDN Monitoring
- DNS Monitoring
- KMS Monitoring
- Kubernetes Audit
- Load Balancer Monitoring
- Log Monitoring
- Storage Audit
- Pub/Sub Monitoring
- VPC Audit
- IAM Deep Dive
GCP Threats
Workload Identity Should Be Enabled
More Info:
GKE cluster should have Workload Identity enabled
Risk Level
Critical
Address
Security, Reliability, Best Practice
Compliance Standards
CBP
Triage and Remediation
Remediation
To remediate the misconfiguration “Workload Identity Should Be Enabled” for GCP using GCP console, please follow the below steps:
-
Open the GCP console and select the project for which you want to enable the Workload Identity.
-
Go to the “IAM & Admin” section from the left-hand side menu.
-
Click on “Service Accounts” from the IAM menu.
-
Select the service account for which you want to enable Workload Identity.
-
Click on “Edit” from the top menu bar.
-
Scroll down to the “Identity and API access” section.
-
Click on the “Enable Workload Identity” checkbox.
-
Click on “Save” to enable the Workload Identity for the selected service account.
-
Repeat the above steps for all the service accounts in your GCP project.
Enabling Workload Identity for all the service accounts in your GCP project ensures that your applications running on GCP can securely access other Google Cloud services without the need for managing and storing service account keys.
To remediate the misconfiguration “Workload Identity Should Be Enabled” in GCP using GCP CLI, follow the below steps:
- Open the Cloud Shell in GCP console.
- Run the following command to enable the Workload Identity API:
gcloud services enable iamcredentials.googleapis.com
- Create a Kubernetes service account:
gcloud iam service-accounts create [SA-NAME] --description "[SA-DESCRIPTION]" --display-name "[SA-DISPLAY-NAME]"
Replace the [SA-NAME], [SA-DESCRIPTION], and [SA-DISPLAY-NAME] with the desired values.
- Bind the Kubernetes service account to the GCP service account:
gcloud iam service-accounts add-iam-policy-binding [SA-NAME] --member "serviceAccount:[PROJECT-ID].svc.id.goog[namespace/[NAMESPACE]/sa/[SA-NAME]]" --role "roles/iam.workloadIdentityUser"
Replace the [SA-NAME], [PROJECT-ID], and [NAMESPACE] with the desired values.
- Annotate the Kubernetes service account to use the GCP service account:
kubectl annotate serviceaccount --namespace [NAMESPACE] [SA-NAME] iam.gke.io/gcp-service-account=[SA-NAME]@[PROJECT-ID].iam.gserviceaccount.com
Replace the [NAMESPACE], [SA-NAME], and [PROJECT-ID] with the desired values.
- Verify that the workload identity is enabled by running the following command:
kubectl run --rm -i --tty workload-identity-test --image google/cloud-sdk --restart Never -- /bin/bash
- Run the following command to authenticate using the Kubernetes service account:
gcloud auth activate-service-account --key-file=/var/run/secrets/kubernetes.io/serviceaccount/token
- Run the following command to verify that the authentication was successful:
gcloud auth list
If the authentication was successful, you should see the Kubernetes service account listed.
These steps should remediate the misconfiguration “Workload Identity Should Be Enabled” for GCP using GCP CLI.
To remediate the “Workload Identity Should Be Enabled” misconfiguration in GCP using Python, follow these steps:
-
Install the necessary libraries:
pip install google-auth google-auth-httplib2 google-auth-oauthlib google-cloud-storage -
Set up an authentication method for your GCP account. You can either use a service account or your own user credentials.
-
Create a Python script that will enable Workload Identity for your GCP project. Here’s an example script that you can modify according to your needs:
from google.oauth2 import service_account from googleapiclient.discovery import build # Set up authentication credentials = service_account.Credentials.from_service_account_file( 'path/to/service_account.json') # Set up the Cloud IAM API client service = build('iam', 'v1', credentials=credentials) # Set up the request body body = { 'projectId': 'your-project-id', 'enabled': True } # Send the request to enable Workload Identity response = service.projects().setWorkloadIdentityPoolConfig( name='projects/your-project-id', body=body ).execute() # Print the response print(response) -
Replace
'path/to/service_account.json'with the path to your service account file. -
Replace
'your-project-id'with the ID of the GCP project that you want to enable Workload Identity for. -
Save the Python script and run it using the command
python script_name.py. -
Verify that Workload Identity has been enabled for your GCP project by checking the Cloud IAM page in the GCP console.