Using an External Account

You can configure the connector to authenticate the connection with an external account (workforce identity federation). Support is limited to the Azure AD and Okta identity providers.

To authenticate your connection this way, you must have workforce identity federation set up with Azure AD or Okta, and provide a configuration file in the connection string. The configuration file can be downloaded from the Google API Console. For example, the following is the required format of the configuration file:

{
  "type": "external_account",
  "audience": "//iam.googleapis.com/locations/[LOCATION]/workforcePools/[WORKFORCE_POOL_ID]/providers/[PROVIDER_ID]",
  "subject_token_type": "urn:ietf:params:oauth:token-type:id_token",
  "token_url": "https://sts.googleapis.com/v1/token",
  "workforce_pool_user_project": "[WORKFORCE_POOL_USER_PROJECT]",
  "credential_source": {
    "file": "[PATH_TO_OIDC_CREDENTIALS]"
  }
}

The above properties are defined as follows:

  • audience is the audience URI that identifies the workforce pool and the provider within it.
  • subject_token_type is the type of token stored in the credential source (an OIDC ID token).
  • token_url is the Security Token Service endpoint to which the ID token from the credential source is sent in exchange for a Google Cloud Platform access token.
  • workforce_pool_user_project is the Google Cloud Platform project against which the token exchange request is made (the project used for quota and billing of the exchange).
  • credential_source defines where, and in what form, the connector obtains the subject token.

Further details are as follows:

  • subject_token_type and token_url default to the values shown in the example above, so either or both may be omitted.
  • credential_source supports several forms in the general external_account format, but the connector accepts only the file form: a path to a plaintext file that holds the OIDC subject token. Subject tokens expire, and an expired token cannot be exchanged for an access token, so the file must be refreshed with a new token before the current one expires. The file must contain the subject token only (no JSON wrapper, no labels, no extra text); otherwise the exchange fails. Because the stored token is a bearer credential, restrict the file so that only the account running the connector can read it. For example:

    "file": "[PATH_TO_TEXT_FILE_WITH_SUBJECT_TOKEN]"

    Note: For additional examples, see "Configure Workforce Identity Federation with Azure AD and Sign In Users" and "Configure Workforce Identity Federation with Okta and Sign In Users" in the Google Cloud documentation: https://cloud.google.com/iam/docs/workforce-sign-in-azure-ad and https://cloud.google.com/iam/docs/workforce-sign-in-okta, respectively.
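The following script is an added example and is not part of the connector documentation or the connector's own code. It checks a configuration file against the requirements listed above (including the omitted-defaults and file-only credential_source rules), writes a subject-token file in the token-only form the connector expects with owner-only permissions, and reports whether the stored token has expired or is about to. The pool, provider, project and path values are constructed placeholders, and make_sample_token builds an unsigned JWT shaped like an ID token purely so the check runs offline; it is not a token any identity provider would issue.

```python
"""Added example: check an external_account config file and keep its
subject-token file fresh. Not the connector's own code; every name and
value below is a constructed placeholder."""
import base64
import json
import os
import re
import tempfile
import time
from typing import Dict, List, Optional

# Only workforce pool provider audiences are valid for this flow.
AUDIENCE_RE = re.compile(
    r"^//iam\.googleapis\.com/locations/[^/]+/workforcePools/[^/]+/providers/[^/]+$"
)
DEFAULT_SUBJECT_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:id_token"
DEFAULT_TOKEN_URL = "https://sts.googleapis.com/v1/token"

# Constructed sample config; pool, provider, project and path are placeholders.
SAMPLE_CONFIG = {
    "type": "external_account",
    "audience": "//iam.googleapis.com/locations/global/workforcePools/example-pool/providers/example-provider",
    "subject_token_type": DEFAULT_SUBJECT_TOKEN_TYPE,
    "token_url": DEFAULT_TOKEN_URL,
    "workforce_pool_user_project": "example-project",
    "credential_source": {"file": "/var/run/bq-odbc/subject-token"},
}


def validate_config(cfg: Dict) -> List[str]:
    """Return the problems found; an empty list means the file matches the documented format."""
    problems = []
    if cfg.get("type") != "external_account":
        problems.append("type must be 'external_account'")
    if not AUDIENCE_RE.match(cfg.get("audience", "")):
        problems.append("audience is not a workforce pool provider URI")
    # Both fields may be omitted; if present they must carry the documented values.
    if cfg.get("subject_token_type", DEFAULT_SUBJECT_TOKEN_TYPE) != DEFAULT_SUBJECT_TOKEN_TYPE:
        problems.append("subject_token_type must be the OIDC id_token type")
    if cfg.get("token_url", DEFAULT_TOKEN_URL) != DEFAULT_TOKEN_URL:
        problems.append("token_url must be the Google STS endpoint")
    if not cfg.get("workforce_pool_user_project"):
        problems.append("workforce_pool_user_project is missing")
    src = cfg.get("credential_source")
    if not isinstance(src, dict) or not isinstance(src.get("file"), str) or not src["file"]:
        problems.append("credential_source must use the 'file' form; the connector accepts no other source")
    return problems


def _b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def jwt_claims(token: str) -> Dict:
    """Decode a compact JWT payload WITHOUT verifying it; only for local freshness checks."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(_b64url_decode(parts[1]))


def make_sample_token(exp: int) -> str:
    """Constructed, unsigned id_token-shaped JWT for offline testing (not a real IdP token)."""
    def enc(d: Dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return "{}.{}.sig".format(enc({"alg": "none"}), enc({"sub": "user@example.test", "exp": exp}))


def write_subject_token(path: str, token: str) -> None:
    """Atomically write the token (and nothing else) with owner-only permissions."""
    token = token.strip()
    if not token or any(c.isspace() for c in token):
        raise ValueError("subject token must be a single bare token")
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(path)))
    try:
        with os.fdopen(fd, "w") as f:
            f.write(token)  # token only: no trailing newline, no JSON wrapper
        os.chmod(tmp, 0o600)  # bearer credential: readable by the connector's user only
        os.replace(tmp, path)  # readers never see a half-written file
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise


def token_file_status(path: str, now: Optional[float] = None, min_remaining: int = 300) -> str:
    """'ok', 'expiring', 'expired' or 'malformed' for the subject token stored at path."""
    now = time.time() if now is None else now
    with open(path) as f:
        token = f.read().strip()
    if not token or any(c.isspace() for c in token):
        return "malformed"  # anything beyond the bare token makes the STS exchange fail
    try:
        exp = jwt_claims(token).get("exp")
    except ValueError:  # covers binascii.Error, JSONDecodeError and UnicodeDecodeError
        return "malformed"
    if not isinstance(exp, (int, float)):
        return "malformed"
    if exp <= now:
        return "expired"
    return "expiring" if exp - now < min_remaining else "ok"


if __name__ == "__main__":
    print("config problems:", validate_config(SAMPLE_CONFIG))
    with tempfile.TemporaryDirectory() as d:
        p = os.path.join(d, "subject-token")
        write_subject_token(p, make_sample_token(int(time.time()) + 3600))
        print("token file:", token_file_status(p))
```

Run the freshness check from whatever job refreshes the token (a scheduled task or the sign-in helper from the Google Cloud documentation linked above) and re-run write_subject_token while the status is still "expiring", so the connector never reads an expired token. The check deliberately does not verify the JWT signature: the Security Token Service does that during the exchange, and the script only needs the exp claim to decide whether a refresh is due.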

To configure workforce identity federation authentication using the Key File Path option:

  1. To access authentication options, open the ODBC Data Source Administrator where you created the DSN, then select the DSN, and then click Configure.
  2. From the OAuth Mechanism drop-down list, select External Account Authentication.
  3. In the Key File Path field, type the full path of the external account configuration file.

Note:

  • For more information about using external accounts, see "Workforce Identity Federation" in the Google Cloud documentation: https://cloud.google.com/iam/docs/workforce-identity-federation.
  • When the connector is configured to use External Account Authentication (OAuthMechanism=4), connection properties are considered in the following precedence:
    1. KeyFile
    2. KeyFilePath (or KeyFilePath_Enc if the key file is not set)
    3. BYOID_ properties
  • It is recommended to set the corresponding BYOID_ property in the configuration file. These properties are intended as an option for customers who cannot pass a .json key file through the KeyFile property.