When an on-premises application needs to access Google Cloud, it’s tempting to just hand it a service account key. But if the application runs in an Active Directory environment and already holds domain credentials, there’s a better alternative: let it use its NTLM or Kerberos credentials and “exchange” them for Google credentials. Because the resulting Google credentials are short-lived, there is no long-lived key to store, rotate, or leak. To exchange Active Directory credentials for short-lived Google Cloud credentials, the application needs to chain two token exchanges: First, the a...
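The Google-side half of that chain, as an added example that is not part of the original post: the application presents the token it obtained from its on-premises identity provider (the first exchange, assumed here to have yielded a JWT or SAML assertion; how that token is obtained with Kerberos or NTLM is outside this snippet) to Google's Security Token Service under workload identity federation, and then optionally exchanges the federated token for a service account access token through the IAM Credentials API. The STS and IAM Credentials endpoints, parameter names, and response fields are Google's documented ones; the project number, pool, provider and service account names are placeholders, and `RecordingTransport` is an offline stand-in that returns constructed sample responses so the flow can be run without network access.

```python
"""Second stage of the chain: external identity token -> Google STS federated
token -> (optionally) service-account access token via impersonation.
Added example; endpoint names are Google's, all identifiers are placeholders."""
import json
import urllib.parse
import urllib.request

STS_ENDPOINT = "https://sts.googleapis.com/v1/token"
IAM_CREDENTIALS_ENDPOINT = (
    "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/"
    "{sa}:generateAccessToken")
CLOUD_PLATFORM_SCOPE = "https://www.googleapis.com/auth/cloud-platform"
TOKEN_EXCHANGE_GRANT = "urn:ietf:params:oauth:grant-type:token-exchange"
ACCESS_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:access_token"
SUBJECT_TOKEN_TYPES = {            # what the on-prem IdP handed us
    "jwt": "urn:ietf:params:oauth:token-type:jwt",
    "saml2": "urn:ietf:params:oauth:token-type:saml2",
}


def workload_identity_audience(project_number, pool_id, provider_id):
    """Audience string that names the workload identity pool provider; the
    STS rejects a subject token whose audience does not match the provider."""
    return (f"//iam.googleapis.com/projects/{project_number}/locations/global/"
            f"workloadIdentityPools/{pool_id}/providers/{provider_id}")


def http_post(url, body, headers):
    """Real transport: POST the raw body and decode the JSON reply."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read().decode())


def exchange_subject_token(subject_token, audience, token_kind="jwt", post=http_post):
    """Exchange 1 (Google side): subject token -> short-lived federated token."""
    form = {
        "grant_type": TOKEN_EXCHANGE_GRANT,
        "audience": audience,
        "scope": CLOUD_PLATFORM_SCOPE,
        "requested_token_type": ACCESS_TOKEN_TYPE,
        "subject_token_type": SUBJECT_TOKEN_TYPES[token_kind],
        "subject_token": subject_token,
    }
    reply = post(STS_ENDPOINT, urllib.parse.urlencode(form).encode(),
                 {"Content-Type": "application/x-www-form-urlencoded"})
    if reply.get("issued_token_type") != ACCESS_TOKEN_TYPE:
        raise ValueError("STS did not issue an access token: %r" % reply)
    return reply["access_token"]


def impersonate_service_account(federated_token, sa_email, lifetime_s=3600, post=http_post):
    """Exchange 2 (Google side): federated token -> service-account token.
    Needs roles/iam.workloadIdentityUser on the service account for the pool."""
    body = json.dumps({"scope": [CLOUD_PLATFORM_SCOPE], "lifetime": f"{lifetime_s}s"}).encode()
    reply = post(IAM_CREDENTIALS_ENDPOINT.format(sa=sa_email), body,
                 {"Authorization": f"Bearer {federated_token}",
                  "Content-Type": "application/json"})
    return reply["accessToken"], reply["expireTime"]


def google_access_token(subject_token, audience, sa_email=None, token_kind="jwt", post=http_post):
    """Run the Google-side chain; without sa_email the federated token is returned."""
    federated = exchange_subject_token(subject_token, audience, token_kind, post)
    if sa_email is None:
        return federated
    token, _expires = impersonate_service_account(federated, sa_email, post=post)
    return token


class RecordingTransport:
    """Offline stand-in for http_post. Records each request (body parsed into a
    dict) and returns constructed sample replies shaped like the real ones."""
    def __init__(self):
        self.calls = []

    def __call__(self, url, body, headers):
        if headers.get("Content-Type") == "application/json":
            parsed = json.loads(body.decode())
        else:
            parsed = {k: v[0] for k, v in urllib.parse.parse_qs(body.decode()).items()}
        self.calls.append((url, parsed, headers))
        if url == STS_ENDPOINT:
            return {"access_token": "federated-sample", "issued_token_type": ACCESS_TOKEN_TYPE,
                    "token_type": "Bearer", "expires_in": 3600}
        return {"accessToken": "sa-token-sample", "expireTime": "2024-01-01T01:00:00Z"}


if __name__ == "__main__":
    aud = workload_identity_audience("123456789012", "adfs-pool", "adfs")
    print(google_access_token("<token-from-on-prem-idp>", aud,
                              "app@example-project.iam.gserviceaccount.com",
                              post=RecordingTransport()))
```

The federated token returned by the STS is already usable against APIs that accept principal-set or principal bindings; impersonation is only needed when access is granted to a service account rather than to the pool identity directly, and the `lifetime` of the impersonated token is capped by the service account's policy.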