Posted to issues@nifi.apache.org by "Marcio Sugar (Jira)" <ji...@apache.org> on 2022/10/27 16:21:00 UTC

[jira] [Created] (NIFI-10712) External Account Credentials (Workload Identity Federation) support for GCP credential controller service

Marcio Sugar created NIFI-10712:
-----------------------------------

             Summary: External Account Credentials (Workload Identity Federation) support for GCP credential controller service
                 Key: NIFI-10712
                 URL: https://issues.apache.org/jira/browse/NIFI-10712
             Project: Apache NiFi
          Issue Type: Improvement
          Components: Extensions
            Reporter: Marcio Sugar


So far with NiFi (1.18.0 is the latest release at the time of writing), we have been able to use only [service account keys|https://cloud.google.com/iam/docs/service-accounts#service_account_keys] as credentials when setting up a GCPCredentialsControllerService.

Unfortunately, service account keys are powerful credentials, and can represent a security risk if they are not managed correctly.

To avoid such a security vulnerability, organizations that use Google Cloud are starting to move away from sharing service account keys with vendors and other external parties, and demanding that [Workload Identity Federation|https://cloud.google.com/iam/docs/using-workload-identity-federation] be used instead.

Using Workload Identity Federation, one can access Google Cloud resources from Amazon Web Services (AWS), Microsoft Azure or any identity provider that supports OpenID Connect (OIDC) or SAML 2.0.

The goal of this improvement is to allow all GCP processors in NiFi to work with Workload Identity Federation. That most likely will require changes in the GCPCredentialsControllerService, or maybe even the creation of a new, more specialized credentials controller service.

Note there is another ticket open for a similar improvement: NIFI-8332, although that one doesn't mention Workload Identity Federation, so they might not overlap entirely.
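As an added illustration (not code from this ticket or from NiFi), the following shows what a credentials controller service would load under Workload Identity Federation: an external_account configuration parsed with google-auth-library-java instead of a service account key. The JSON is constructed; PROJECT_NUMBER, POOL_ID, PROVIDER_ID and the token file path are placeholders, and an OIDC identity provider that writes a token to that file is assumed.

```java
import com.google.auth.oauth2.ExternalAccountCredentials;
import com.google.auth.oauth2.GoogleCredentials;

import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.List;

public class WifCredentialsExample {

    // Constructed external_account configuration (placeholders in upper case).
    // Unlike a service account key, it carries no private_key: the workload's own
    // OIDC token is read from a file and exchanged at STS for a short-lived token.
    static final String EXTERNAL_ACCOUNT_JSON = String.join("\n",
        "{",
        "  \"type\": \"external_account\",",
        "  \"audience\": \"//iam.googleapis.com/projects/PROJECT_NUMBER/locations/global/"
            + "workloadIdentityPools/POOL_ID/providers/PROVIDER_ID\",",
        "  \"subject_token_type\": \"urn:ietf:params:oauth:token-type:jwt\",",
        "  \"token_url\": \"https://sts.googleapis.com/v1/token\",",
        "  \"credential_source\": { \"file\": \"/var/run/secrets/tokens/gcp-token\" }",
        "}");

    // GoogleCredentials.fromStream selects the implementation from the "type" field,
    // so a controller service can accept both key files and external_account configs
    // through the same entry point; here we insist on the federated kind.
    static ExternalAccountCredentials load(String json) throws IOException {
        GoogleCredentials creds = GoogleCredentials.fromStream(
            new ByteArrayInputStream(json.getBytes(StandardCharsets.UTF_8)));
        if (!(creds instanceof ExternalAccountCredentials)) {
            throw new IllegalArgumentException("expected an external_account configuration, got "
                + creds.getClass().getSimpleName());
        }
        return (ExternalAccountCredentials) creds;
    }

    public static void main(String[] args) throws IOException {
        ExternalAccountCredentials creds = load(EXTERNAL_ACCOUNT_JSON);
        System.out.println("audience: " + creds.getAudience());
        System.out.println("subject token type: " + creds.getSubjectTokenType());

        // What the processors would receive; the STS exchange happens lazily on
        // the first refresh, and the resulting access token is short-lived.
        GoogleCredentials scoped =
            creds.createScoped(List.of("https://www.googleapis.com/auth/cloud-platform"));
        System.out.println("scoped credentials: " + scoped.getClass().getSimpleName());
    }
}
```

Parsing succeeds offline; the first call that needs an access token (for example refreshIfExpired()) is what contacts the token_url and requires the token file to exist.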



--
This message was sent by Atlassian Jira
(v8.20.10#820010)