Using an External Account

You can configure the connector to authenticate the connection with an external account (workforce identity federation). This is supported, with limitations, for the Azure AD and Okta identity providers.

To authenticate your connection this way, you must have workforce identity federation set up with Azure AD or Okta, and you must provide a configuration file through the connection string. You can download the configuration file from the Google API Console. The configuration file must have the following format:

    {
        "type": "external_account",
        "audience": "//iam.googleapis.com/locations/[LOCATION]/workforcePools/[WORKFORCE_POOL_ID]/providers/[PROVIDER_ID]",
        "subject_token_type": "urn:ietf:params:oauth:token-type:id_token",
        "token_url": "https://sts.googleapis.com/v1/token",
        "workforce_pool_user_project": "[WORKFORCE_POOL_USER_PROJECT]",
        "credential_source": {
            "file": "[PATH_TO_OIDC_CREDENTIALS]"
        }
    }

The above properties are defined as follows:

  • audience is the audience URI of the workforce pool provider.
  • subject_token_type is the type of token stored in the credential source.
  • token_url is the endpoint to which the connector sends the request that exchanges the ID token from the credential source for a Google Cloud Platform access token.
  • workforce_pool_user_project is the Google Cloud Platform project under which the token exchange request is made.
  • credential_source defines where and how the connector obtains the subject token.

Further details are as follows:

  • subject_token_type and token_url default to the values shown in the example above and may be omitted.
  • credential_source supports several forms, but the connector requires the file form: a path to a plaintext file in which the OIDC subject token is stored. This file must be updated regularly with a new subject token, because expired subject tokens cannot be exchanged for access tokens. The file must contain the subject token and nothing else, otherwise the exchange fails. For example:

    "file": "[PATH_TO_TEXT_FILE_WITH_SUBJECT_TOKEN]"

    Note: For additional examples, see "Configure Workforce Identity Federation with Azure AD and Sign In Users" and "Configure Workforce Identity Federation with Okta and Sign In Users" in the Google Cloud documentation: https://cloud.google.com/iam/docs/workforce-sign-in-azure-ad and https://cloud.google.com/iam/docs/workforce-sign-in-okta, respectively.
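The following is an added example, not part of the Simba documentation or the connector: a pre-flight check that validates an external_account configuration (as loaded from the JSON file above) together with the contents of the subject-token file, flagging a missing file form, a file that holds more than the token, and an ID token whose exp claim has already passed. The JWT decoding only reads the payload and performs no signature verification; the sample config and the sample_token helper are constructed test data with placeholder values.

```python
import base64
import json
import time

DEFAULT_SUBJECT_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:id_token"  # connector default when omitted
DEFAULT_TOKEN_URL = "https://sts.googleapis.com/v1/token"                 # connector default when omitted

def jwt_exp(token):
    """Return the exp claim of a JWT-shaped token, or None. No signature check: a sanity test, not verification."""
    parts = token.split(".")
    try:
        payload = base64.urlsafe_b64decode(parts[1] + "=" * (-len(parts[1]) % 4))
        return json.loads(payload).get("exp") if len(parts) == 3 else None
    except (ValueError, AttributeError, IndexError):
        return None

def check_config(config, subject_token_text, now=None):
    """List problems in an external_account config dict and in the contents of its subject-token file."""
    now = time.time() if now is None else now
    problems = []
    if config.get("type") != "external_account":
        problems.append("type must be external_account")
    audience = config.get("audience", "")
    if not all(s in audience for s in ("//iam.googleapis.com/locations/", "/workforcePools/", "/providers/")):
        problems.append("audience is not a workforce pool provider URI")
    for field, default in (("subject_token_type", DEFAULT_SUBJECT_TOKEN_TYPE), ("token_url", DEFAULT_TOKEN_URL)):
        if config.get(field, default) != default:  # optional fields: the connector fills in the default
            problems.append(field + " must be " + default)
    if not config.get("workforce_pool_user_project"):
        problems.append("workforce_pool_user_project is missing")
    if not isinstance(config.get("credential_source"), dict) or not config["credential_source"].get("file"):
        problems.append("credential_source must be an object naming a plaintext file path")
    token = subject_token_text.strip()  # the file must hold the token only; surrounding whitespace is tolerated here
    if not token or any(ch.isspace() for ch in token):
        problems.append("subject token file must hold exactly one token and nothing else")
    elif (exp := jwt_exp(token)) is None:
        problems.append("subject token is not a parseable JWT (OIDC ID token)")
    elif exp <= now:
        problems.append("subject token has expired; refresh the file before connecting")
    return problems

def sample_token(exp):  # constructed, unsigned JWT-shaped token: offline test data, not a real ID token
    b64 = lambda raw: base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return b64(b'{"alg":"none"}') + "." + b64(json.dumps({"exp": exp}).encode()) + ".sig"

# Constructed sample config in the page's format; POOL, PROVIDER and PROJECT_ID are placeholders, not real values.
SAMPLE_CONFIG = {"type": "external_account", "workforce_pool_user_project": "PROJECT_ID",
                 "audience": "//iam.googleapis.com/locations/global/workforcePools/POOL/providers/PROVIDER",
                 "credential_source": {"file": "/tmp/path/to/subject_token.txt"}}
```

Run check_config on the parsed JSON file and the text read from the credential_source file before opening the connection; an empty list means the inputs are in the shape the connector expects.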

Configure Workforce Identity Federation Authentication Using the KeyFilePath Property

  1. Set the OAuthMechanism property to 4.
  2. Set the KeyFilePath property to the full path of the external account configuration file. For example:

    Driver=Simba ODBC Driver for Google BigQuery;...;OAuthMechanism=4;KeyFilePath=/tmp/path/to/oidc_configuration_file.json

Configure Workforce Identity Federation Authentication Using the KeyFile Property

  1. Set the OAuthMechanism property to 4.
  2. Set the KeyFile property to either the full path of the external account configuration file, or a raw JSON object containing the configuration file contents. For example:

    Using a file path:
    Driver=Simba ODBC Driver for Google BigQuery;...;OAuthMechanism=4;KeyFile=/tmp/path/to/oidc_configuration_file.json

    Using a raw JSON object:
    Driver=Simba ODBC Driver for Google BigQuery;...;OAuthMechanism=4;KeyFile={{"audience": "//iam.googleapis.com/locations/[LOCATION]/workforcePools/[POOL_ID]/providers/[PROVIDER_ID]","workforce_pool_user_project": "[PROJECT_ID]","credential_source": {"file": "[PATH_TO_SUBJECT_TOKEN_FILE]"}}}}}

Configure Workforce Identity Federation Authentication Using BYOID_ Properties

  1. Set the OAuthMechanism property to 4.
  2. Set the appropriate BYOID_ properties; the connector reconstructs the configuration file from them internally. The following table lists the available properties and their default values:

    Property Name             Default Value
    BYOID_AudienceUri         None
    BYOID_CredentialSource    None
    BYOID_PoolUserProject     None
    BYOID_SubjectTokenType    urn:ietf:params:oauth:token-type:id_token
    BYOID_TokenUri            https://sts.googleapis.com/v1/token

    Each of the above properties is a string representing a field in the configuration file, with the exception of BYOID_CredentialSource, which is a string containing a JSON object. For example:

    Driver=Simba ODBC Driver for Google BigQuery;...;BYOID_AudienceUri=//iam.googleapis.com/locations/global/workforcePools/testpool-1/providers/okta-provider-1;BYOID_PoolUserProject=898755234664;BYOID_CredentialSource={{"file": "Tests/OAuth/okta_subject_token.txt"}}}

    The above example shows the minimum properties required in the connection string. BYOID_SubjectTokenType and BYOID_TokenUri are omitted to show that the connector falls back to their default values; if either property is set, the connector uses the value provided instead.

    For more information about these properties, see Configuration Options Having Only Key Names.

Note:

  • For more information about using external accounts, see "Workforce Identity Federation" in the Google Cloud documentation: https://cloud.google.com/iam/docs/workforce-identity-federation.
  • When the connector is configured to use External Account Authentication (OAuthMechanism=4), connection properties are considered in the following precedence:
    1. KeyFile
    2. KeyFilePath (or KeyFilePath_Enc if the key file is not set)
    3. BYOID_ properties
  • It is recommended to set the corresponding fields in the configuration file rather than using the BYOID_ properties. The BYOID_ properties are intended as an option for customers who cannot supply a .json key file through the KeyFile property.
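The following is an added example, not code from the Simba documentation or the connector. It builds the three OAuthMechanism=4 connection-string forms shown above (KeyFilePath, KeyFile with a raw JSON object, and BYOID_ properties) and reproduces the brace quoting seen in the KeyFile and BYOID_CredentialSource examples, then applies the precedence listed in the Note. It assumes the connector reads brace-quoted values the way the ODBC connection-string convention defines them (each '}' inside the value doubled), which is the shape the page's own examples have; the sample property values are constructed placeholders.

```python
import json

DRIVER = "Simba ODBC Driver for Google BigQuery"

def odbc_quote(value):
    """Brace-quote a connection-string value, doubling each '}' inside it (ODBC convention, assumed to be
    what the connector parses; the page's KeyFile and BYOID_CredentialSource examples have this shape)."""
    return "{" + str(value).replace("}", "}}") + "}"

def connection_string(key_file=None, key_file_path=None, byoid=None):
    """Build an OAuthMechanism=4 connection string for one of the three methods described on the page."""
    parts = [("Driver", DRIVER), ("OAuthMechanism", 4)]
    if key_file is not None:
        # KeyFile takes a path or the raw JSON object; JSON is brace-quoted so its braces are read literally.
        if isinstance(key_file, dict):
            key_file = odbc_quote(json.dumps(key_file, separators=(",", ": ")))
        parts.append(("KeyFile", key_file))
    elif key_file_path is not None:
        parts.append(("KeyFilePath", key_file_path))
    elif byoid:
        for name, value in byoid.items():
            if name == "BYOID_CredentialSource" and isinstance(value, dict):
                value = odbc_quote(json.dumps(value, separators=(",", ": ")))
            parts.append((name, value))
    else:
        raise ValueError("OAuthMechanism=4 needs KeyFile, KeyFilePath or BYOID_ properties")
    return ";".join(f"{name}={value}" for name, value in parts)

def effective_source(props):
    """Name the source the connector will use, applying the precedence from the page's Note:
    KeyFile, then KeyFilePath (or KeyFilePath_Enc), then the BYOID_ properties."""
    if props.get("KeyFile"):
        return "KeyFile"
    if props.get("KeyFilePath") or props.get("KeyFilePath_Enc"):
        return "KeyFilePath"
    if any(name.startswith("BYOID_") for name in props):
        return "BYOID"
    return None

# Constructed sample values; POOL, PROVIDER and PROJECT_ID are placeholders, not real identifiers.
SAMPLE_BYOID = {"BYOID_PoolUserProject": "PROJECT_ID",
                "BYOID_AudienceUri": "//iam.googleapis.com/locations/global/workforcePools/POOL/providers/PROVIDER",
                "BYOID_CredentialSource": {"file": "/tmp/path/to/subject_token.txt"}}
```

Because KeyFile wins over the other two sources, a stale KeyFile value left in a DSN silently overrides any BYOID_ properties added later; effective_source makes that visible before the connection is attempted.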