Skip to content

GCP Workload Identity Federation (Manual)

Workload Identity Federation (WIF) lets SailPoint Entro's AWS role impersonate your GCP service account securely - no JSON key file required or stored.

This is the recommended authentication method for security-sensitive environments or organizations that enforce minimal credential storage.

Note

Before starting: Make sure you've already created a GCP service account for SailPoint Entro. If not, complete Steps 1 and 3 of the Console Onboarding guide first, then return here.

  1. Navigate to Workload Identity Federation

    • In the GCP Console, search for "Workload Identity Federation" in the top search bar.

    • Select the result to open the Workload Identity Pools page.

  2. Create a Pool

    • Click + CREATE POOL.

    • Enter a name (e.g., entro-pool) and an optional description.

    • Leave the pool Enabled.

    • Click CONTINUE.

  3. Configure the AWS Provider

    • Under Select a provider, choose AWS.

    • Enter a provider name (e.g., entro-aws-provider).

    • Under AWS Account ID, enter SailPoint Entro's AWS account ID: 937217723901

    • Click CONTINUE, then SAVE.

    • No need to configure attribute mapping.

    Note

    937217723901 is SailPoint Entro's AWS account ID - do not replace it with your own.

  4. Grant Access

    • Once the pool is saved, click GRANT ACCESS.

    • Select Grant access using Service Account impersonation.

  5. Select the Service Account

    Under Select service account, choose the service account you created for SailPoint Entro (e.g., entro-integration).

  6. Set the Attribute Condition

    • Under Attribute name, select aws_role.

    • Under Attribute value, enter the ARN of SailPoint Entro's dedicated AWS role.

    Note

    Where to find the SailPoint Entro ARN: In the SailPoint Entro portal, go to Management → Accounts & Integrations → Add New Account → Google Cloud Platform, then select Workload Identity Federation as the auth method. The ARN will be displayed on that screen. The format will be:

    arn:aws:sts::937217723901:assumed-role/EntroTrustRole-xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
    

  7. Complete and Save

    • Confirm the ARN format matches: arn:aws:sts::937217723901:assumed-role/EntroTrustRole-xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx

    • Click SAVE.

  8. Download the Configuration File

    After saving in the previous step, a dialog will appear:

    • In the dialog, select the AWS provider you configured (entro-aws-provider).

    • Click DOWNLOAD CONFIG.

    • Save the downloaded JSON file — you will upload this to the SailPoint Entro portal during the final onboarding step.

  9. Complete Onboarding in SailPoint Entro

    • In the SailPoint Entro portal, go to Management → Accounts & Integrations → Add New Account → Google Cloud Platform.

    • Select Workload Identity Federation as the authentication method.

    • Enter your Environment name (i.e. Production)

    • Select your Worker Group (Connector)

    • Upload the configuration JSON file downloaded in the previous step.

    • Click Connect Account.

    • Once the status shows Verified, the integration is active.

Note

With WIF configured, SailPoint Entro will never store a static credential. The federation trust is scoped specifically to SailPoint Entro's designated AWS role and your service account - no broader access is granted.