Back to Home

Provide short-lived credential using OIDC Federation between AWS and GCP

| February 24, 2024 | 4 min to read


Using static and long-term credentials like IAM Access Key for AWS or Service Account Key for GCP could be easier to setup. However, once those credentials are leaked, unauthorized parties can get access to your resources and the revocation would be strenuous.

Therefore, the usage of short-lived dynamic credentials is urged. Since there is no static value to be stored/distributed, the related information would be harder to be leaked. This would also come with attribute based mapping and filtering that facilitate to the more granular access control.

In this example, I would like to cover the usage of AssumeRoleWithWebIdentity and WI Federation between AWS and GCP to avoid having hardcoded credentials shared amongst each resources.


You need to have following tools installed before proceed:

  1. gcloud CLI
  2. AWS CLI
  3. Python3. Ensure to also enable pip, pipenv, and virtualenv
  4. Terraform

In my case, all of those tools were installed and managed by asdf except terraform which is managed by tfenv .


All sample codes and scripts are stored in this repository - https://github.com/franzramadhan/franzramadhan-dot-dev-materials/tree/master/02-gcp-to-aws-short-lived-credential .

Check and adjust accordingly based on your need. If you think my example aligns with what you need, you can simply check the README and set the mandatory files and variables.

Authenticate to AWS from GCP using AssumeRoleWithWebIdentity

“AssumeRoleWithWebIdentity returns a set of temporary security credentials for users who have been authenticated in a mobile or web application with a web identity provider. Example providers include the OAuth 2.0 providers Login with Amazon and Facebook, or any OpenID Connect-compatible identity provider such as Google or Amazon Cognito federated identities.”

In order to enable AssumeRoleWithWebIdentity, we need to obtain service account credentials on Google Cloud and exchange it to the AWS role credentials.

Action Items

  1. Create a service account in GCP

  2. Get and note the service account unique id

  3. Create IAM role in AWS

  4. In the assume_role_policy, set to allow federated access from google account as well as service account unique id only. Something like this:

         "Version": "2012-10-17",
         "Statement": [
                 "Effect": "Allow",
                 "Principal": {
                     "Federated": "accounts.google.com"
                 "Action": "sts:AssumeRoleWithWebIdentity",
                 "Condition": {
                     "StringEquals": {
                         "accounts.google.com:aud": "<service-account-unique-id>>"
  5. Once it’s completed. You can get the credential by sourcing from our script as the external process. See source credentials with an external process .

AssumeRoleWithWebIdentity Material Resources

You can get a quick overview of the steps above by looking into these resources:

Workload Identity Federation from AWS to GCP

Using workload identity federation, workloads that run on AWS and Azure can exchange their environment-specific credentials for short-lived Google Cloud Security Token Service tokens.

For the complete picture and setup, you can look from this official GCP Documentation for Configure workload identity federation with AWS or Azure .

To simplify the steps, in order to allow the AWS IAM role to attain service account credential via workload identity we need to do following sequences:

  1. Create workload identity pool
  2. Create workload identity pool provider for AWS and set the allowed source AWS account ID
  3. In workload identity pool provider, do following:
    • Create attribute mapping between AWS STS assumed-role credential and google subjects
    • Create attribute condition to only allow specific role making the authentication attempt
  4. Grant access of this workload identity pool to the service account. Select which attribute that will be used as identifier.
  5. Once it all sets and you have the IAM role credential, you can use the script provided in the materials to generate a service account access token that will be used as google-cloud auth credential

Workload Identity Federation from AWS to GCP Material Resources

You can get a quick overview of the steps above by looking into these resources:


You can also check the code in this repository. Feel free to change it as you like.

Open in Cloud Shell