
Workload Authenticator for Windows

Workload Authenticator for Windows (WWAuth) lets Windows applications authenticate to Google Cloud using their Active Directory Kerberos credentials. Using WWAuth is an alternative to using service account keys and doesn't require you to manage and store any secrets or keys.

WWAuth acts as a plugin for gcloud, terraform, and other applications that use Google Cloud client libraries and requires no code changes in the application.


Authentication

To let Windows applications authenticate using their existing Active Directory credentials, WWAuth combines Integrated Windows Authentication (IWA) with workload identity federation:

Architecture

  1. You configure an application to use WWAuth by pointing the environment variable GOOGLE_APPLICATION_CREDENTIALS to a WWAuth-enabled credential configuration file.
  2. The credential configuration file instructs the client library (which is built into the application) to invoke WWAuth every time it needs to authenticate to Google Cloud. This mechanism is called executable-sourced credentials.
  3. When invoked by the client library, WWAuth uses the application's Kerberos credentials to authenticate to an Active Directory Federation Services (AD FS) instance and returns the resulting OAuth token or SAML assertion to the client library.
  4. The client library exchanges the token or assertion for short-lived Google credentials by using workload identity federation.
  5. The application uses the short-lived Google credentials to access resources on Google Cloud.

Configuration

WWAuth includes a user interface that lets you create and edit a WWAuth-enabled credential configuration file:


The user interface also includes the option to test the configuration and check for common misconfigurations:

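The credential configuration file from step 1 of the authentication flow and the JSON that WWAuth writes to stdout in step 3 are the two artifacts a configuration test has to validate. As an added example, not code from the WWAuth project, the following Python script mirrors the checks the Google Cloud client libraries apply to an executable-sourced credential configuration and to the executable's output before they exchange the token at the STS endpoint. The project number, pool and provider IDs, service account, install path and SAML payload are constructed placeholders; the field names, the 5 to 120 second timeout bounds and the GOOGLE_EXTERNAL_ACCOUNT_ALLOW_EXECUTABLES opt-in are the client libraries' documented contract for executable-sourced credentials. WWAuth's own command-line arguments are not shown.

```python
"""Sanity-check an executable-sourced credential configuration and the JSON an
executable such as WWAuth must write to stdout, mirroring the checks the Google
Cloud client libraries apply before exchanging the token with the STS endpoint.
All sample data below is constructed for illustration."""
import json
import re
import time
from typing import Dict, List, Optional

# Constraints from the client-library contract for executable-sourced credentials.
MIN_TIMEOUT_MS, MAX_TIMEOUT_MS = 5_000, 120_000  # default is 30 000 ms
STS_TOKEN_URL = "https://sts.googleapis.com/v1/token"
SAML2 = "urn:ietf:params:oauth:token-type:saml2"
JWT = "urn:ietf:params:oauth:token-type:jwt"
ID_TOKEN = "urn:ietf:params:oauth:token-type:id_token"
AUDIENCE_RE = re.compile(
    r"^//iam\.googleapis\.com/projects/\d+/locations/global/"
    r"workloadIdentityPools/[^/]+/providers/[^/]+$"
)


def check_credential_config(cfg: Dict, env: Dict[str, str]) -> List[str]:
    """Return the misconfigurations found in a credential configuration (empty = OK)."""
    problems = []
    if cfg.get("type") != "external_account":
        problems.append("type must be 'external_account'")
    if not AUDIENCE_RE.match(cfg.get("audience", "")):
        problems.append("audience is not a workload identity pool provider resource name")
    if cfg.get("subject_token_type") not in (SAML2, JWT, ID_TOKEN):
        problems.append("subject_token_type must be the saml2, jwt or id_token URN")
    if cfg.get("token_url") != STS_TOKEN_URL:
        problems.append(f"token_url should be {STS_TOKEN_URL}")
    exe = cfg.get("credential_source", {}).get("executable")
    if not isinstance(exe, dict):
        problems.append("credential_source.executable is missing: not an executable-sourced config")
        return problems
    if not exe.get("command"):
        problems.append("credential_source.executable.command is empty")
    timeout = exe.get("timeout_millis", 30_000)
    if not MIN_TIMEOUT_MS <= timeout <= MAX_TIMEOUT_MS:
        problems.append(f"timeout_millis must be between {MIN_TIMEOUT_MS} and {MAX_TIMEOUT_MS}")
    # The libraries refuse to run any executable unless the process opts in explicitly.
    if env.get("GOOGLE_EXTERNAL_ACCOUNT_ALLOW_EXECUTABLES") != "1":
        problems.append("GOOGLE_EXTERNAL_ACCOUNT_ALLOW_EXECUTABLES=1 is not set in the environment")
    return problems


def check_executable_output(raw: str, expected_type: str, now: Optional[float] = None) -> List[str]:
    """Validate the JSON an executable returned against the token type the config promises."""
    now = time.time() if now is None else now
    try:
        out = json.loads(raw)
    except json.JSONDecodeError as exc:
        return [f"stdout is not JSON: {exc}"]
    if out.get("version") != 1:
        return ["version must be 1"]
    if out.get("success") is not True:
        # A well-formed failure carries a code and a message the caller can surface.
        return [f"executable reported failure: {out.get('code')}: {out.get('message')}"]
    problems = []
    token_type = out.get("token_type")
    if token_type != expected_type:
        problems.append(f"token_type {token_type!r} does not match subject_token_type {expected_type!r}")
    token_field = "saml_response" if token_type == SAML2 else "id_token"
    if not out.get(token_field):
        problems.append(f"{token_field} is missing or empty")
    # expiration_time is optional unless output_file is used; if present it must lie in the future.
    if "expiration_time" in out and out["expiration_time"] <= now:
        problems.append("expiration_time is already in the past")
    return problems


# Constructed sample of a WWAuth-enabled credential configuration. The project number,
# pool/provider IDs, service account and install path are hypothetical placeholders.
SAMPLE_CONFIG = {
    "type": "external_account",
    "audience": ("//iam.googleapis.com/projects/123456789012/locations/global/"
                 "workloadIdentityPools/adfs-pool/providers/adfs-provider"),
    "subject_token_type": SAML2,
    "token_url": STS_TOKEN_URL,
    "service_account_impersonation_url": (
        "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/"
        "app@example-project.iam.gserviceaccount.com:generateAccessToken"),
    "credential_source": {
        "executable": {
            "command": r"C:\Program Files\WWAuth\wwauth.exe",  # hypothetical path, arguments omitted
            "timeout_millis": 30_000,
        }
    },
}

NOW = 1_700_000_000  # fixed clock so the samples are deterministic

# Constructed stdout samples: a successful SAML response and a well-formed failure.
GOOD_OUTPUT = json.dumps({"version": 1, "success": True, "token_type": SAML2,
                          "saml_response": "PHNhbWxwOlJlc3BvbnNlIC4uLiAvPg==",
                          "expiration_time": NOW + 3600})
FAILED_OUTPUT = json.dumps({"version": 1, "success": False,
                            "code": "401", "message": "Kerberos ticket rejected by AD FS"})

if __name__ == "__main__":
    env_ok = {"GOOGLE_EXTERNAL_ACCOUNT_ALLOW_EXECUTABLES": "1"}
    print("config:", check_credential_config(SAMPLE_CONFIG, env_ok) or "OK")
    print("config without opt-in:", check_credential_config(SAMPLE_CONFIG, {}))
    print("good output:", check_executable_output(GOOD_OUTPUT, SAML2, NOW) or "OK")
    print("failed output:", check_executable_output(FAILED_OUTPUT, SAML2, NOW))
```

The missing GOOGLE_EXTERNAL_ACCOUNT_ALLOW_EXECUTABLES=1 opt-in and a timeout outside the 5 to 120 second window are the misconfigurations that most often surface only at first token exchange, which is why the checker reports them before any executable is run.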