
How to Securely Authenticate to Google BigQuery Using the Aembit Workload IAM Platform

Aembit policies enhance data warehouse access with scalable, identity-based control, ideal for complex services like BigQuery.

In a previous post, we provided a step-by-step approach to implement OAuth 2.0 for secure access to BigQuery, Google’s fully managed, serverless data warehouse, which has become an indispensable tool for businesses seeking to analyze large datasets at rapid speed. 

Today, we are going to share how to implement the Aembit Workload IAM Platform for secure access to BigQuery. Aembit makes the process easier by automating the integration of BigQuery with identity-based access control, utilizing Google Workload Identity Federation. 

This method ensures a secure, seamless connection to BigQuery by leveraging Aembit’s dynamic credential management and conditional access policies, aligning with the security and compliance frameworks essential for handling sensitive data in cloud environments.

Let’s get started!

Prerequisites:

This example assumes that you have a GCP project with BigQuery enabled and data to query, and an Aembit tenant with the Aembit Edge deployed.

Steps:

1) Log into GCP and go to the ‘IAM & Admin -> Service Accounts’ section. This can be accessed directly by going to https://console.cloud.google.com/iam-admin/serviceaccounts

a. Make sure you are in a GCP project that you are authorized to use. For this example, we’re using ‘My Project 84846.’

Screenshot: the GCP Service Accounts page.

b. Click the ‘Create Service Account’ button and specify a name (e.g. BigQuery Demo), customize the ID (optional), and add a description. Then click ‘Done.’

Screenshot: the Create Service Account form.

If you’d like, additional conditions and limitations can be added to the service account, but they are outside the scope of this article.

2) Log into the Aembit platform and go to ‘Credential Providers’ and click the ‘New’ button.

a. Add a credential provider by entering a name and description (optional), and then selecting ‘Google Workload Identity Federation’ as the credential type.

b. Paste in the service account email address from Step #1.

c. If you’d prefer, you can set a custom ‘Audience’ here, but for this demonstration, we’ll come back to the ‘Audience’ after step No. 3 below.

3) Log into GCP and go to the ‘IAM & Admin -> Workload Identity Pools’ section. This can be accessed directly by going to: https://console.cloud.google.com/iam-admin/workload-identity-pools

Screenshot: the Workload Identity Pools overview in Google Cloud.

4) Click on the ‘Get Started’ button to create a GCP Workload Identity Federation pool for your Aembit tenant.

Workload identity allows your workload to access Google Cloud without service account keys.

a. Begin the process by providing an ‘Identity Pool Name’ and description (optional), then click ‘Continue.’

Screenshot: the new workload identity pool and provider form.

b. Now, select the provider type as ‘OpenID Connect (OIDC),’ specify a provider name, and the OIDC issuer URL from the Aembit credential provider you created in step No. 3. Leave the ‘Audiences’ option set to ‘Default’ audience and click ‘Continue.’

Screenshot: the OIDC provider settings in the new workload identity pool and provider form.

c. Lastly, specify the provider attribute assertion.tenant in the ‘OIDC 1’ field and click ‘Save.’

5) Now, let’s grant access from the GCP Workload Identity Federation to the GCP Service Account we created in step No. 2.

a. Within the GCP workload identity pool we just created, click on ‘Grant Access.’

Screenshot: the BigQuery demo pool details page.

6) Back in Aembit, on the ‘Credential Provider,’ enter the default audience for your GCP workload identity federation pool and click ‘Save.’

7) Continuing in Aembit, create and configure an access policy that uses the client workload, credential provider, and server workload we’ve created.

Screenshot: the Aembit Access Policies page.

8) Now we can verify connectivity.

a. For this demonstration, we’ll use curl from the command line of the Kubernetes Pod that we configured as the client workload, and we see that we can successfully retrieve the list of BigQuery datasets available.

Screenshot: terminal output of a curl command querying the Google BigQuery API for dataset information.
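The GCP side of steps 4 to 6 comes down to three strings that must agree: the provider’s default audience (pasted into Aembit in step 6), the principalSet member that step 5’s grant binds to the service account, and the claims in the ID token Aembit presents (issuer, audience, and the tenant claim that step 4c maps via assertion.tenant). The following is an added example, not Aembit’s or Google’s code, that builds those strings and checks a token’s claims against them the way the pool would; the project number, pool ID, provider ID, issuer URL and tenant are constructed placeholders.

```python
import base64
import json

# Constructed placeholder values; replace with your own project number, pool, provider,
# Aembit issuer URL and tenant. None of these come from the article.
PROJECT_NUMBER = "123456789012"
POOL_ID = "bigquery-demo-pool"
PROVIDER_ID = "aembit-oidc"
EXPECTED_ISSUER = "https://example-tenant.aembit.example/"  # hypothetical issuer URL
EXPECTED_TENANT = "example-tenant"


def default_audience(project_number: str, pool_id: str, provider_id: str) -> str:
    """Default audience GCP assigns to an OIDC provider; this is the value step 6 pastes into Aembit."""
    return (f"https://iam.googleapis.com/projects/{project_number}/locations/global/"
            f"workloadIdentityPools/{pool_id}/providers/{provider_id}")

def principal_set(project_number: str, pool_id: str, tenant: str) -> str:
    """IAM member for step 5's grant (roles/iam.workloadIdentityUser), scoped by attribute.tenant."""
    return (f"principalSet://iam.googleapis.com/projects/{project_number}/locations/global/"
            f"workloadIdentityPools/{pool_id}/attribute.tenant/{tenant}")

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")

def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def make_sample_token(claims: dict) -> str:
    """Build an unsigned, JWT-shaped string for offline demonstration (constructed, not a real token)."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}."

def check_token_claims(id_token: str, issuer: str, audience: str, tenant: str) -> list:
    """Return the claim names that would fail the pool's checks; an empty list means the token
    would be accepted. Signature verification is out of scope: GCP does that against the issuer's JWKS."""
    payload = json.loads(_b64url_decode(id_token.split(".")[1]))
    problems = []
    if payload.get("iss") != issuer:
        problems.append("iss")
    aud = payload.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        problems.append("aud")
    if payload.get("tenant") != tenant:  # the claim that step 4c maps via assertion.tenant
        problems.append("tenant")
    return problems
```

A token whose audience still carries a custom value from step 2c, or whose tenant claim does not match the attribute condition, shows up here as a named mismatch rather than an opaque federation failure.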

Experience the Difference with Aembit

As you consider transitioning from traditional methods to the Aembit Workload IAM Platform for securing access to Google BigQuery, keep in mind the fluidity it will bring to your team. Aembit not only simplifies the authentication process but also provides a more consistent, resilient, and integrated experience, making your data management tasks less cumbersome and more efficient across environments.

Discover how Aembit can transform your experience. Try us for free at aembit.io.
