Marcio Sugar created NIFI-10712:
-----------------------------------

             Summary: External Account Credentials (Workload Identity Federation) support for GCP credential controller service
                 Key: NIFI-10712
                 URL: https://issues.apache.org/jira/browse/NIFI-10712
             Project: Apache NiFi
          Issue Type: Improvement
          Components: Extensions
            Reporter: Marcio Sugar


So far with NiFi (1.18.0 is the latest release at the time of writing), we have 
been able to use only [service account 
keys|https://cloud.google.com/iam/docs/service-accounts#service_account_keys] 
as credentials when setting up a GCPCredentialsControllerService.

Unfortunately, service account keys are powerful credentials, and can represent 
a security risk if they are not managed correctly.

To avoid such a security vulnerability, organizations that use Google Cloud are 
starting to move away from sharing service account keys with vendors and other 
external parties, and are demanding that [Workload Identity 
Federation|https://cloud.google.com/iam/docs/using-workload-identity-federation]
 be used instead.

Using Workload Identity Federation, one can access Google Cloud resources from 
Amazon Web Services (AWS), Microsoft Azure or any identity provider that 
supports OpenID Connect (OIDC) or SAML 2.0.

The goal of this improvement is to allow all GCP processors in NiFi to work 
with Workload Identity Federation. That will most likely require changes in the 
{{GCPCredentialsControllerService}}, or maybe even the creation of a new, 
more specialized credentials controller service.
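As an added illustration (not part of this ticket or of NiFi's code), this is how an external account credential configuration loads with google-auth-library-java, assuming that dependency is available: the file carries no private key, only the pool/provider audience and where to obtain the AWS identity. PROJECT_NUMBER, POOL_ID, PROVIDER_ID and SA_EMAIL are placeholders, and the JSON is a constructed sample of what `gcloud iam workload-identity-pools create-cred-config` emits for AWS.

```java
import com.google.auth.oauth2.ExternalAccountCredentials;
import com.google.auth.oauth2.GoogleCredentials;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.List;

public class WorkloadIdentityCredentialsExample {

    // Constructed sample config for an AWS workload. Note what is absent: there is
    // no "private_key" field, unlike a service account key file. Placeholders are
    // PROJECT_NUMBER, POOL_ID, PROVIDER_ID and SA_EMAIL.
    static final String EXTERNAL_ACCOUNT_CONFIG = String.join("\n",
        "{",
        "  \"type\": \"external_account\",",
        "  \"audience\": \"//iam.googleapis.com/projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/providers/PROVIDER_ID\",",
        "  \"subject_token_type\": \"urn:ietf:params:aws:token-type:aws4_request\",",
        "  \"service_account_impersonation_url\": \"https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/SA_EMAIL:generateAccessToken\",",
        "  \"token_url\": \"https://sts.googleapis.com/v1/token\",",
        "  \"credential_source\": {",
        "    \"environment_id\": \"aws1\",",
        "    \"region_url\": \"http://169.254.169.254/latest/meta-data/placement/availability-zone\",",
        "    \"url\": \"http://169.254.169.254/latest/meta-data/iam/security-credentials\",",
        "    \"regional_cred_verification_url\": \"https://sts.{region}.amazonaws.com?Action=GetCallerIdentity&Version=2011-06-15\"",
        "  }",
        "}");

    /**
     * Parses the config into a GoogleCredentials. Parsing is offline; only a later
     * token refresh talks to the AWS metadata endpoint and then to Google STS,
     * which exchanges the signed AWS identity for a short-lived GCP access token.
     */
    static GoogleCredentials load(String json) throws IOException {
        GoogleCredentials creds = ExternalAccountCredentials.fromStream(
            new ByteArrayInputStream(json.getBytes(StandardCharsets.UTF_8)));
        // Same scoping step a service-account-key based credential would get, so the
        // result can be handed to any GCP client the way the current controller
        // service hands out key-based credentials.
        return creds.createScoped(List.of("https://www.googleapis.com/auth/cloud-platform"));
    }

    public static void main(String[] args) throws IOException {
        GoogleCredentials creds = load(EXTERNAL_ACCOUNT_CONFIG);
        // creds.refreshAccessToken() is intentionally not called here: it requires
        // running on the AWS workload named in the provider's attribute conditions.
        System.out.println("Loaded credential type: " + creds.getClass().getName());
    }
}
```

Because the GCP side only ever sees a short-lived STS-issued token bound to the configured provider, there is no long-lived secret for NiFi to store or for an operator to share.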

Note there is another ticket open for a similar improvement: NIFI-8332, 
although that one doesn't mention Workload Identity Federation, so they might 
not overlap entirely.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)