Add Principal to Service Account in GCP

The following is not supported in Tenable FedRAMP Moderate environments. For more information, see the Tenable FedRAMP Product Offering.

Required User Role: Administrator

Add a principal to your service account and assign the Workload Identity User role for GCP Workload Identity Federation authentication. For more information about principals, see the Google Cloud documentation.

Before you begin:

  • Make sure you have a valid GCP account.

To add a principal to your service account:

  1. Log into Google Cloud Platform.

  2. Select the IAM & Admin tile.

    The IAM page appears.

  3. In the left navigation pane, select Service Accounts.

    The Service Accounts page appears.

  4. In the row of the service account you are using for Workload Identity Federation, click > Manage Permissions.

    The Permissions tab of the service account appears.

  5. In the View By Principals tab, click Grant Access.

    The Grant access to service account panel appears. Use the following principal, where PROJECT_NUMBER is the project number and POOL_ID is the ID of your workload identity pool:

    principalSet://iam.googleapis.com/projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/*

  6. In the Assign Roles section, select the Workload Identity User role.

  7. Click Save.

    GCP adds the principal to your service account.
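The binding created by steps 5 through 7, as an added example that is not Tenable's or Google's code: it builds the principalSet member from step 5, applies it to a service account IAM policy the way Save does, and audits the result. The project number 123456789012, the pool ID my-pool and the policy dictionary are constructed placeholders; the "/*" suffix shown on the page grants every identity in the pool, so the audit flags it, while an attribute-scoped member (a documented GCP form) passes.

```python
import re

# Role from step 6; the member format is the principalSet shown in step 5.
WIF_USER_ROLE = "roles/iam.workloadIdentityUser"
POOL_MEMBER_RE = re.compile(
    r"^principal(?:Set)?://iam\.googleapis\.com/projects/(?P<project>\d+)"
    r"/locations/global/workloadIdentityPools/(?P<pool>[^/]+)/(?P<scope>.+)$"
)

def wif_member(project_number, pool_id, scope="*"):
    """Pool member string; scope "*" is the whole pool as on the page,
    a scope such as "attribute.repository/ORG/REPO" narrows it."""
    return (f"principalSet://iam.googleapis.com/projects/{project_number}"
            f"/locations/global/workloadIdentityPools/{pool_id}/{scope}")

def sample_policy():
    """Constructed stand-in for the service account's IAM policy before step 5."""
    return {"bindings": [{"role": "roles/iam.serviceAccountUser",
                          "members": ["user:admin@example.com"]}],
            "etag": "constructed-etag"}

def add_wif_binding(policy, member, role=WIF_USER_ROLE):
    """Add member to the unconditional binding for role, as Save in step 7 does:
    no duplicate members, binding created if it does not exist yet."""
    for binding in policy.setdefault("bindings", []):
        if binding.get("role") == role and "condition" not in binding:
            if member not in binding["members"]:
                binding["members"].append(member)
            return policy
    policy["bindings"].append({"role": role, "members": [member]})
    return policy

def audit_wif_bindings(policy, expected_pool=None):
    """Return (member, finding) pairs for Workload Identity User grants that are
    not pool principals, point at another pool, or cover the whole pool."""
    findings = []
    for binding in policy.get("bindings", []):
        if binding.get("role") != WIF_USER_ROLE:
            continue
        for member in binding.get("members", []):
            m = POOL_MEMBER_RE.match(member)
            if not m:
                findings.append((member, "not a workload identity pool principal"))
            elif expected_pool and m.group("pool") != expected_pool:
                findings.append((member, "grants a different pool: " + m.group("pool")))
            elif m.group("scope") == "*":
                findings.append((member, "grants every identity in the pool"))
    return findings

if __name__ == "__main__":
    policy = add_wif_binding(sample_policy(), wif_member("123456789012", "my-pool"))
    for member, finding in audit_wif_bindings(policy, expected_pool="my-pool"):
        print(f"{member}: {finding}")
```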