Create a GCP Workload Identity Pool and Download the Configuration File

The following is not supported in Tenable FedRAMP Moderate environments. For more information, see the Tenable FedRAMP Product Offering.

Required User Role: Administrator

To create a GCP Workload Identity Federation cloud connector, you must first create a workload identity pool in GCP, then add a provider to the pool, grant the provider access to a service account, and download the credential configuration file. You use this configuration file when configuring the GCP Workload Identity Federation connector. For more information about pools and how they manage external identities, see the Google Cloud documentation.

Before you begin:

  • Make sure you have a valid GCP account.

To create a Workload Identity Pool:

  1. Log in to Google Cloud Platform.

  2. In the left navigation bar, select IAM & Admin.

    The IAM page appears.

  3. In the left navigation pane, select Workload Identity Federation.

    The Workload Identity Pools page appears.

  4. Click Create Pool.

    The New workload provider and pool page appears.

  5. In the Create an Identity pool section, do the following:

    1. In the Name box, type a name for the pool.

    2. (Optional) In the Description box, provide a description for the pool.

    3. Click Continue.

  6. In the Add a provider to pool section, do the following:

    1. From the Select a provider drop-down box, select AWS from the list.

    2. In the Provider details box, provide the Tenable AWS account name.

    3. In the AWS account ID box, provide the Tenable AWS account ID.

    4. Click Continue.

  7. In the Configure provider attributes section, click Save.

    GCP creates the pool and opens the newly created pool page.

  8. Click Grant Access.

    The Grant access to service account panel appears.

  9. Select the Grant access using Service Account Impersonation option.

    The relevant sections appear.

  10. In the Service account drop-down box, select the service account.

  11. In the Select principals drop-down box, select aws_role and provide the aws_role ARN value.

  12. Click Save.

    The Configure your application dialog box appears.

  13. In the Provider drop-down box, select the workload identity pool provider, then click Download Config.

    GCP downloads the configuration file. Use this file in the Add File section when you create the GCP Workload Identity Federation connector.
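The same pool, AWS provider, impersonation grant and credential configuration can be created from the command line. The script below is an added example written for this page; it is not Tenable's or Google's own code. Every value it uses (project ID and number, pool and provider IDs, the Tenable AWS account ID and role ARN, and the service account e-mail) is a placeholder you must replace with your own. The `principalSet://...attribute.aws_role/...` member corresponds to the aws_role principal selected in step 11, so the `roles/iam.workloadIdentityUser` grant is limited to tokens from that single AWS role rather than the whole pool. The `check_cred_config` function is a small sanity check on the downloaded file: a workload identity configuration is of type `external_account` and should never contain a `private_key`.

```shell
#!/bin/sh
# Added example (not Tenable's or Google's code): gcloud equivalent of the console
# procedure above. All values are placeholders; replace them before running.
set -eu

PROJECT_ID="${PROJECT_ID:-my-gcp-project}"          # placeholder
PROJECT_NUMBER="${PROJECT_NUMBER:-123456789012}"    # placeholder (numeric project number)
POOL_ID="${POOL_ID:-tenable-pool}"                  # placeholder
PROVIDER_ID="${PROVIDER_ID:-tenable-aws}"           # placeholder
AWS_ACCOUNT_ID="${AWS_ACCOUNT_ID:-111111111111}"    # placeholder: the Tenable AWS account ID
# placeholder: the Tenable aws_role ARN (step 11)
AWS_ROLE_ARN="${AWS_ROLE_ARN:-arn:aws:sts::111111111111:assumed-role/tenable-connector-role}"
# placeholder: the service account the connector impersonates (step 10)
SA_EMAIL="${SA_EMAIL:-tenable-connector@my-gcp-project.iam.gserviceaccount.com}"
OUT_FILE="${OUT_FILE:-wif-credential-config.json}"

# Full resource name of the provider, needed to build the credential config.
provider_resource() {
  printf 'projects/%s/locations/global/workloadIdentityPools/%s/providers/%s\n' \
    "$PROJECT_NUMBER" "$POOL_ID" "$PROVIDER_ID"
}

# IAM member that matches only federated identities whose aws_role attribute
# equals the given ARN (the console's "aws_role" principal). Scoping the grant
# to one role instead of the whole pool keeps the impersonation right narrow.
wif_member() {
  printf 'principalSet://iam.googleapis.com/projects/%s/locations/global/workloadIdentityPools/%s/attribute.aws_role/%s\n' \
    "$PROJECT_NUMBER" "$POOL_ID" "$AWS_ROLE_ARN"
}

# Sanity check on the downloaded file: it must be an external_account
# configuration and must not carry a long-lived service-account key.
check_cred_config() {
  grep -q '"type": *"external_account"' "$1" || return 1
  ! grep -q '"private_key"' "$1"
}

# Steps 4-13 of the procedure, as gcloud calls.
create_wif_pool() {
  gcloud iam workload-identity-pools create "$POOL_ID" \
    --project="$PROJECT_ID" --location=global \
    --display-name="$POOL_ID" --description="Pool for the Tenable GCP connector"

  gcloud iam workload-identity-pools providers create-aws "$PROVIDER_ID" \
    --project="$PROJECT_ID" --location=global \
    --workload-identity-pool="$POOL_ID" \
    --account-id="$AWS_ACCOUNT_ID" --display-name="$PROVIDER_ID"

  gcloud iam service-accounts add-iam-policy-binding "$SA_EMAIL" \
    --project="$PROJECT_ID" \
    --role=roles/iam.workloadIdentityUser \
    --member="$(wif_member)"

  gcloud iam workload-identity-pools create-cred-config "$(provider_resource)" \
    --service-account="$SA_EMAIL" --aws --output-file="$OUT_FILE"

  check_cred_config "$OUT_FILE"
}

# Only talk to GCP when explicitly asked (WIF_APPLY=1); sourcing the file is side-effect free.
if [ "${WIF_APPLY:-0}" = "1" ]; then
  create_wif_pool
  echo "Credential configuration written to $OUT_FILE"
fi
```

Run it as `WIF_APPLY=1 PROJECT_ID=... PROJECT_NUMBER=... sh create-wif.sh` after authenticating with `gcloud auth login`; the resulting JSON file is the one you upload in the Add File section of the connector.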

What to do next

Create a GCP Connector with Workload Identity Federation Authentication (Discovery Only)