
Secure Service Consumption on GCP


This architecture provides guidance for enabling secure and scalable access from external workloads, such as SAP BTP, to Google Cloud Platform (GCP) services using Workload Identity Federation with OpenID Connect (OIDC).

Traditional approaches rely on long-lived service account keys, which introduce operational overhead and security risk. This setup instead lets external identities authenticate to GCP without storing or rotating keys, using short-lived tokens issued by SAP Identity Authentication Service (IAS).

This model significantly reduces credential management complexity, supports least-privilege access, and aligns with zero trust principles.

Architecture

Solution diagram (image)

Solution Diagram Resources
You can download the Solution Diagram as a .drawio file for offline use. Alternatively, you may view and edit the Solution Diagram directly on draw.io.
Please note that any changes made online will need to be saved locally if you wish to keep them.

Prerequisites

SAP Identity Authentication Service (IAS) must be configured as an OIDC provider in Google Cloud Workload Identity Federation, as described in this guide.

Flow

Once prerequisites are in place, the runtime authentication flow proceeds in four main steps:

  1. Obtain OIDC Token from SAP IAS
    The workload authenticates against SAP IAS using a valid mechanism (e.g., certificate or client credentials). IAS issues an OIDC-compliant JWT with the necessary identity claims.

  2. Exchange OIDC Token via Google STS
    The workload sends the IAS-issued token to Google Cloud's Security Token Service (STS), along with the identity pool and provider information.

  3. Impersonate a GCP Service Account
    If the identity is authorized, STS returns federated credentials that allow the workload to impersonate the mapped GCP service account.

  4. Access Google Cloud Resources
    The workload uses the short-lived federated credentials to access Google Cloud services, within the scope of IAM roles and session policies assigned to the service account.
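The four steps above as an added example (not part of this guide): Python that pre-checks the IAS token's issuer, audience and expiry on the workload side, then builds the Google STS token-exchange request and the IAM Credentials generateAccessToken request for impersonation. It assumes the public Google endpoints sts.googleapis.com and iamcredentials.googleapis.com; the sample JWT is constructed and unsigned, and the actual HTTP calls are left to the caller.

```python
import base64
import json
import time

STS_URL = "https://sts.googleapis.com/v1/token"
IAM_CREDENTIALS_URL = "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/%s:generateAccessToken"
CLOUD_SCOPE = "https://www.googleapis.com/auth/cloud-platform"

def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def check_ias_token(jwt, expected_issuer, expected_audience, now=None):
    """Step 1 pre-flight: issuer, audience and expiry of the IAS JWT are checked
    locally; the signature is verified by Google STS against the IAS JWKS."""
    _header, payload, _signature = jwt.split(".")
    claims = json.loads(_b64url_decode(payload))
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if claims.get("iss") != expected_issuer or expected_audience not in aud:
        raise ValueError("issuer/audience mismatch: iss=%r aud=%r" % (claims.get("iss"), aud))
    if claims.get("exp", 0) <= (now if now is not None else time.time()):
        raise ValueError("token expired")
    return claims

def wif_audience(project_number, pool_id, provider_id):
    """Audience naming the Workload Identity Pool provider that trusts SAP IAS."""
    return ("//iam.googleapis.com/projects/%s/locations/global/"
            "workloadIdentityPools/%s/providers/%s" % (project_number, pool_id, provider_id))

def build_sts_exchange(ias_jwt, audience):
    """Step 2: form body POSTed to STS_URL (RFC 8693 token exchange)."""
    return {
        "grant_type": "urn:ietf:params:oauth:grant-type:token-exchange",
        "audience": audience,
        "scope": CLOUD_SCOPE,
        "requested_token_type": "urn:ietf:params:oauth:token-type:access_token",
        "subject_token_type": "urn:ietf:params:oauth:token-type:jwt",
        "subject_token": ias_jwt,
    }

def build_impersonation_request(federated_token, sa_email, lifetime_s=3600):
    """Step 3: URL, headers and JSON body for generateAccessToken."""
    url = IAM_CREDENTIALS_URL % sa_email
    headers = {"Authorization": "Bearer " + federated_token, "Content-Type": "application/json"}
    return url, headers, {"scope": [CLOUD_SCOPE], "lifetime": "%ds" % lifetime_s}

def make_sample_ias_jwt(claims):
    """Constructed, unsigned sample token for offline demonstration only."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).decode().rstrip("=")
    return enc({"alg": "RS256", "typ": "JWT"}) + "." + enc(claims) + ".constructed-signature"
```

The access token returned by generateAccessToken is what step 4 sends as a Bearer token to Google Cloud APIs, valid only for the requested lifetime.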

Characteristics

| Characteristic | Description |
|---|---|
| Authentication Type | OpenID Connect JWT Token |
| Credential Handling | No certificate management required |
| Best Fit For | User-centric applications, UIs, or apps already using SAP IAS |
| Federation Support | Can federate with corporate IdPs via IAS |
| Token Lifetime / Credential Rotation | Token-based (short-lived, configurable) |
| Complexity | Very low implementation complexity |
| Security Posture | Token validation + audience matching |
| SAP BTP Compatibility | Ideal for workloads that have an SAP IAS application |

Services and Components

| Component | Platform | Description |
|---|---|---|
| SAP IAS | SAP | Acts as the trusted OIDC identity provider, issuing identity tokens |
| Cloud IAM | GCP | Manages access control via roles and bindings to service accounts |
| Security Token Service (STS) | GCP | Receives and verifies OIDC tokens, returns temporary credentials |
| Service Account | GCP | The target identity in GCP that is impersonated via federation |

Resources