[ 
https://issues.apache.org/jira/browse/NIFI-10712?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Peter Turcsanyi resolved NIFI-10712.
------------------------------------
    Resolution: Duplicate

> External Account Credentials (Workload Identity Federation) support for GCP 
> credential controller service
> ---------------------------------------------------------------------------------------------------------
>
>                 Key: NIFI-10712
>                 URL: https://issues.apache.org/jira/browse/NIFI-10712
>             Project: Apache NiFi
>          Issue Type: Improvement
>          Components: Extensions
>            Reporter: Marcio Sugar
>            Priority: Major
>
> So far with NiFi (1.18.0 is the latest release at the time of writing), we 
> have been able to use only [service account 
> keys|https://cloud.google.com/iam/docs/service-accounts#service_account_keys] 
> as credentials when setting a GCPCredentialsControllerService. 
> Unfortunately, service account keys are powerful credentials, and can 
> represent a security risk if they are not managed correctly.
> To avoid such a security vulnerability, organizations that use Google Cloud are 
> starting to move away from sharing service account keys with vendors and 
> other external parties, and demanding that [Workload Identity 
> Federation|https://cloud.google.com/iam/docs/using-workload-identity-federation] 
> be used instead.
> Using Workload Identity Federation, one can access Google Cloud resources 
> from Amazon Web Services (AWS), Microsoft Azure or any identity provider that 
> supports OpenID Connect (OIDC) or SAML 2.0.
> The goal of this improvement is to allow all GCP processors in NiFi to work 
> with Workload Identity Federation. That most likely will require changes in 
> the {{GCPCredentialsControllerService}}, or maybe even the creation of a 
> new, more specialized credentials controller service. 
> Note there is another ticket open for a similar improvement: NIFI-8332, 
> although that one doesn't mention Workflow Identity Federation so they might 
> not overlap entirely.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
