Johannes Passing's blog about identity and access management, Windows, security, cryptography, and other stuff| jpassing.com
Johannes Passing's blog about identity and access management, Windows, security, cryptography, and other stuff| jpassing.com
Johannes Passing's blog about identity and access management, Windows, security, cryptography, and other stuff| jpassing.com
Johannes Passing's blog about identity and access management, Windows, security, cryptography, and other stuff| jpassing.com
Before we can call a Google API, we have to obtain an OAuth access token. As we learned before, there are different types of access tokens, and service account access tokens are a little different from user access tokens. The vast majority of Google Cloud APIs don’t discriminate between these two types of token and work with both. But beyond Google Cloud, there are still many Google APIs that don’t accept service account access tokens. If we want to use these APIs in an unattended scenari...| Posts on Identity, access, and stuff - Johannes Passing's blog about IAM
Given an OAuth client ID such as 1234567890-9iuxy238472ny4qmfad0ppg77s61vabo14j0s.apps.googleusercontent.com, how can we find out which Google Cloud project the OAuth client belongs to? If we look closely at OAuth client IDs, we notice that they follow a common pattern: NUMBER-GIBBERISH.apps.googleusercontent.com This pattern isn’t a coincidence: NUMBER is the project number of the Google Cloud project that the OAuth client belongs to, and GIBBERISH identifies the individual Client ID withi...| Posts on Identity, access, and stuff - Johannes Passing's blog about IAM
Google Cloud IAM implements discretionary access control, meaning each resource - be it a folder, project, or VM - has an IAM policy. We can think of this policy as an access control list, outlining who can access the resource and what actions they’re permitted to take. This model is extremely flexible. But as we scale, management can become a challenge: As the number of resources, IAM policies, and users grow, controlling access on a per-resource, per-user basis quickly becomes unviable. T...| Posts on Identity, access, and stuff - Johannes Passing's blog about IAM
The primary focus of JIT Access has been privileged access management (PAM) – enabling users to request just-in-time privileged access to Google Cloud projects on a temporary basis. When I published the project in 2022, Google Cloud didn’t provide any such capabilities as part of the platform, so the project filled an important gap. With Privileged Access Manager in preview now, that situation has changed and managing just-in-time privileged access is now a platform feature. This raises t...| Posts on Identity, access, and stuff - Johannes Passing's blog about IAM
Allowing users to connect to Google Cloud VMs using SSH is convenient and often unavoidable. But it’s not without risks. In a new set of articles published on the Google Cloud website, I cover a range of best practices that we can use to better secure SSH access to our VM instances and protect our workloads: Controling network access describes best practices for implementing zero trust access for SSH, and avoiding VMs from being more exposed than necessary. Controling SSH login access cover...| Posts on Identity, access, and stuff - Johannes Passing's blog about IAM
Libssh2 lets us choose between multiple different crypto backends. On Windows, an attractive option is to use the WinCNG backend. CNG is part of the operating system, it’s maintained by Microsoft and serviced by Windows update, and reusing OS functionality helps us keep our binaries small. However, the WinCNG backend used to have a significant limitation: it lacked support for ECDSA. Given the widespread use of ECDSA for host and user authentication, this limitation often made OpenSSL a mor...| Posts on Identity, access, and stuff - Johannes Passing's blog about IAM
When users sign in to an application that uses Google OAuth or OpenID Connect, they typically see a consent screen. But there’s more than one type of consent screen, and the type of consent screen that users end up seeing not only depends on the publisher, but also on the administrative controls applied on the consumer side. Let’s take a look at the various consent screens that we might see as a user: No consent: We might see no consent screen at all. This happens when the application doe...| Posts on Identity, access, and stuff - Johannes Passing's blog about IAM
Using workload identity federation, we can let Azure-hosted applications authenticate to Google Cloud using their managed identity, no service account keys required. More specifically, we can configure the Google Cloud client libraries so that they don’t look for a service account key, but instead obtain an Azure access token and exchange it against a Google Cloud access token. Setting up workload identity federation with Azure typically involves 4 steps: Creating an app registration in Ent...| Posts on Identity, access, and stuff - Johannes Passing's blog about IAM
Microsoft might not be the premier source of information about Google Cloud, but their cloud security benchmark (MCSB) turns out to provide some sound advice: GCP guidance: Use Identity-Aware Proxy (IAP) Desktop to create an access path (a connection session) to the compute instance for privileged tasks. IAP Desktop allows RDP and SSH connectivity to your destination hosts through port forwarding. Furthermore, Linux compute instances that are external facing may be connected to through a SSH-...| Posts on Identity, access, and stuff - Johannes Passing's blog about IAM
Modern web applications typically use OAuth or OpenID Connect to authenticate users, but older intranet applications often still rely on Integrated Windows Authentication (IWA) to deliver a single sign-on experience for users. The authentication protocol used for IWA is not always clear: IWA can use NTLM, Kerberos, or both, depending on how the application is configured. This ambiguity can become a problem when we try to migrate the application to Google Cloud and want to deploy it behind a l...| Posts on Identity, access, and stuff - Johannes Passing's blog about IAM
Using workload identity federation, we can let an AWS-hosted application authenticate to Google Cloud using its AWS credentials, no service account keys required. Or, more specifically, we can configure the Google Cloud client library to take the application’s AWS credentials, perform a token exchange, impersonate a Google Cloud service account, and use the service account’s identity to make Google API calls. Setting up workload identity federation and configuring an application to use it...| Posts on Identity, access, and stuff - Johannes Passing's blog about IAM
Before a workload can access Google Cloud APIs, it needs to authenticate and obtain an access token. For a workload that runs on Google Cloud, we can attach a service account to the compute resource that runs the workload, and that lets the workload authenticate without any additional secrets or keys. But for IoT devices or on-premises workloads, it’s more difficult. One way to authenticate IoT devices and on-premises workloads is to let them use service account keys. However, service accou...| Posts on Identity, access, and stuff - Johannes Passing's blog about IAM
When we have an AWS or Azure workload that needs to access Google Cloud resources, we can let the workload use workload identity federation to authenticate in a key-less fashion. But workload identity federation isn’t limited to authenticating workloads between cloud providers. There are many other scenarios where it can be interesting to use workload identity federation, for example: A CI/CD system that deploys or manages Google Cloud resources. A business intelligence or reporting applica...| Posts on Identity, access, and stuff - Johannes Passing's blog about IAM
To obtain an access token or ID token for a user, we need a Client ID and secret. Using these client credentials, we can initiate an OAuth code flow to let the user authorize our app, and as a result, we get an access token. If we use the right parameters, we also receive an ID token and refresh token. If we look at the tokens we receive, we can see which Client ID they were issued to: The ID token contains an azp (authorized party) and aud (audience) claim, and they both contain the client I...| Posts on Identity, access, and stuff - Johannes Passing's blog about IAM
Whenever we want to call a Google or Google Cloud API, we need an access token. But there’s more than one way to obtain an access token, and depending on which way we use, the resulting access token might behave a little differently. What kinds of access tokens are there, and how do they differ? Whenever we encounter a new kind of token, or want to learn more about a specific type of token, it’s helpful to look at four properties: Format: Is the token opaque, or can we (as the user or cli...| Posts on Identity, access, and stuff - Johannes Passing's blog about IAM
Version 1.2 of JIT Access now supports multi-party approval: When granting eligible access, we can now decide whether to allow a user to activate the access by themselves (self-approval), or whether they need approval from another user (multi-party approval). Eligible role bindings JIT Access works by adding the notion of eligible role bindings to Cloud IAM. Unlike a regular IAM role binding, an eligible role binding doesn’t grant the user access to a project yet: Instead, a user first has ...| Posts on Identity, access, and stuff - Johannes Passing's blog about IAM
When an on-premises application needs to access Google Cloud, it’s tempting to just let it use a service account key. But if the application runs in an Active Directory environment and has domain credentials, there’s a better alternative: we can let it use its NTLM or Kerberos credentials and “exchange” them against Google credentials. To exchange Active Directory credentials against short-lived Google Cloud credentials, the application needs to chain two token exchanges: First, the a...| Posts on Identity, access, and stuff - Johannes Passing's blog about IAM
With Just-in-Time Access, we can implement just-in-time privileged access management on Google Cloud by allowing users to temporarily elevate their access to certain projects. The application relies on the notion of eligible role bindings: These are role bindings with a special IAM condition, has({}.jitAccessConstraint). Once we grant a user such an eligible role binding, that role starts to show up in the JIT Access application, and the user can request to activate the role temporarily. But ...| Posts on Identity, access, and stuff - Johannes Passing's blog about IAM
Any call we make against a Google API is charged against a project quota. Depending on the API that we’re using, that project quota might limit the frequency of calls, the total number of calls, or even the number of calls per user. But which project’s quota is it that’s being charged? To find out, we need to distinguish between two classes of APIs: Resource-oriented APIs are APIs that operate on resources that belong to a Google Cloud project. Examples for such APIs include the Compute...| Posts on Identity, access, and stuff - Johannes Passing's blog about IAM
To implement role-based access control to Google Cloud resources, it’s often useful to create a set of groups, where each group represents a role for a certain set of resources. For example, we might create groups such as database reader and database admin that grant access to a set of database-related resources. How can we automate the management of these groups, without granting our automation too much access? Option 1: Using a delegated admin service account Groups are a Cloud Identity o...| Posts on Identity, access, and stuff - Johannes Passing's blog about IAM
When developing applications that use the Google Cloud API, being able to trace and inspect HTTP requests with a tool like Fiddler can be a great debugging aid. But getting Fiddler to work with the Java client libraries can be a bit tricky. Suppose we have a Java application that uses the Resource Manager API to do things like listing Google Cloud projects. To do that, the application uses two libraries: com.google.auth:google-auth-library-oauth2-http for authentication com.google.apis:google...| Posts on Identity, access, and stuff - Johannes Passing's blog about IAM
The first thing we often do after creating a new Windows VM on Google Cloud is join the VM to Active Directory. Typically, this entails the following steps: Generate Windows credentials Log on by using RDP Initiate the domain join Log on again with a domain user and delete the local admin account created in (1) This process is tedious. And if we forget to perform step (4), we’re also leaving an enabled local administrator account behind. One way to make domain joining less painful is to aut...| Posts on Identity, access, and stuff - Johannes Passing's blog about IAM
When we use a tool like gcloud or IAP Desktop for the first time, we need to authorize it. Google Sign-in then shows us a consent screen that lists all the things the tool might do on our behalf (or more precisely, which scopes we’re authorizing), and and we can decide whether to consent or deny. In the case of gcloud, the consent screen looks like this: Notice that we only have two choices: We can consent to all four scopes by clicking Allow, or we can cancel the process. There’s no inte...| Posts on Identity, access, and stuff - Johannes Passing's blog about IAM
When we run License Tracker for the first time, the tool analyzes the last 90 days of audit logs to determine how many VMs and physical servers we’ve been using. Going back 90 days in history is useful, but can we go back further? License Tracker analyzes the Admin Activity audit logs. These logs are enabled by default and retained for 400 days. So there shouldn’t be anything in the way of going back further in history. Except for Cloud Run. License Tracker uses Cloud Run jobs, which is (...| Posts on Identity, access, and stuff - Johannes Passing's blog about IAM
When we bring our own Windows licenses (BYOL) to Google Cloud, we must keep track of the number of physical servers that we’re using those licenses on. That’s because Windows Server is licensed by core and not by VM. By using sole-tenant nodes, we can control which nodes our VMs run on. A node is an abstraction of a physical server and at any point in time, a node corresponds to exactly one physical server. But the association between nodes and physical servers can change over time: over ...| Posts on Identity, access, and stuff - Johannes Passing's blog about IAM
To deploy software or infrastructure automatically, many deployment pipelines need access to Google Cloud – and the way to accomplish that is to let the pipelines use a service account. Letting a deployment pipeline use a service account to access Google Cloud has some advantages: The lifecycle of a service account is disconnected from the lifecycle of user accounts. By configuring a pipeline to use a service account, we ensure that the pipeline continues to work even if the author of the c...| Posts on Identity, access, and stuff - Johannes Passing's blog about IAM
Update: Libssh2 now supports ECDSA. Libssh2 lets us choose between multiple different crypto backends. But that doesn’t mean these backends are interchangeable. When we build libssh2, we must make a choice on which crypto backend we want to use. The most common choice is probably OpenSSL, but we can also use libgcrypt, mbedTLS, wolfSSL or WinCNG. The last option, WinCNG, is interesting for a few reasons: It’s specific to Windows because it uses the Windows CryptoNG API (CNG) to perform al...| Posts on Identity, access, and stuff - Johannes Passing's blog about IAM
Secure LDAP is a Cloud Identity feature that lets it emulate an LDAP server. From an application’s perspective, Secure LDAP makes Cloud Identity look somewhat similar to Active Directory – but authentication works a little differently. Before we can query Active Directory using LDAP, we typically need to authenticate first. We can do that by providing a username and password (simple authentication) or by using NTLM or Kerberos (SASL authentication). Active Directory doesn’t require us t...| Posts on Identity, access, and stuff - Johannes Passing's blog about IAM
AWS lets us use access keys to authenticate programmatically. That’s useful for local development, or if we want to let tools access AWS on our behalf. The closest thing to access keys on Google Cloud seem to be service account keys. But are they really that similar? AWS access keys and service account keys have a number of things in common: We can create them to let applications or tools authenticate in an unattended way, and we can revoke them once we don’t need them anymore. For both k...| Posts on Identity, access, and stuff - Johannes Passing's blog about IAM
The principle of least privilege states that we should grant users just enough access to carry out everyday activities, but no more. But what about the occasional case where a user does need privileged access, maybe to handle an incident or perform a rare configuration change? If we grant users all the access they might ever need, then we’re violating the principle of least privilege. But not granting users privileged access at all isn’t an option either. An effective approach to address ...| Posts on Identity, access, and stuff - Johannes Passing's blog about IAM
When we allow users to use SSH to connect to Linux VMs on Google Cloud, we need to keep track of their public keys, and which VMs they have access to. That can be easier said than done. Google Cloud lets us choose between two ways of managing SSH keys for Linux VMs. The classic (and default) way is to use metadata-based keys, where we upload SSH keys to instance or project metadata. Metadata-based keys are easy to use and understand, but they’re also risky. In fact, metadata-based SSH keys ...| Posts on Identity, access, and stuff - Johannes Passing's blog about IAM
Before we deploy an application to Google Cloud, we typically want to test it locally. If the application uses Google Cloud APIs, then we somehow need to ensure that the application can authenticate. We could use a service account key for that, but the best practices for using and managing service accounts (guess who wrote these) advise against that approach: During your daily work, you might use tools such as the Google Cloud CLI, gsutil, or terraform. Don't use a service account to run thes...| Posts on Identity, access, and stuff - Johannes Passing's blog about IAM
Google Cloud lets us enable OS Login for a project by adding an entry to the project’s metadata: gcloud compute project-info add-metadata \ --metadata enable-oslogin=TRUE Project metadata “inherits down” down to all VM instances, so the command above enables OS Login for all VMs in that project. But is that sufficient to enforce the use of OS Login? Or does it leave any loopholes where users can still use metadata-based SSH keys to log in? To find out, we need to take a look at how Comp...| Posts on Identity, access, and stuff - Johannes Passing's blog about IAM
IAP Desktop uses a UI that’s similar to Visual Studio: We can dock tool windows, let them auto-hide when we don’t need them, or let them float as separate windows. But that flexibility didn’t apply to RDP windows – they always stayed at the center, and IAP Desktop wouldn’t let us rearrange them. This limitation wasn’t accidental: Floating and docking aren’t standard MDI features. Instead, it’s a concept implemented by Visual Studio and DockPanelSuite (the library used by IAP D...| Posts on Identity, access, and stuff - Johannes Passing's blog about IAM
Previously, we explored two ways of authenticating to Google Cloud using Kerberos and NTLM credentials. Both ways involved authenticating to AD FS using Integrated Windows Authentication, obtaining either an OAuth access token or a SAML assertion, and then using workload identity federation: We saw that one advantage of SAML over OIDC is that it lets us propagate additional claims to workload identity federation, including the user’s UPN, SID, and group memberships. But does that justify us...| Posts on Identity, access, and stuff - Johannes Passing's blog about IAM
A term we commonly encounter in the realm of access management is privileged access. The term seems pretty self-explanatory, but finding a good definition isn’t easy. In the book Privileged Attack Vectors, Morey Haber defines the term privilege as: A special right or permission granted, or available only to, a particular person or group to perform special or sensitive operations upon or within a resource. These are typically associated within information technology as administrator or root ...| Posts on Identity, access, and stuff - Johannes Passing's blog about IAM
When an application needs to access Google Cloud APIs, it needs credentials. On Google Cloud, we can attach a service account to the underlying compute resource to let the application obtain credentials. On AWS and Azure, we can achieve something to the same effect by using workload identity federation. But what about on-premises? What Google Cloud, AWS, and Azure all have in common is that they give VMs access to a metadata server, which serves as a conduit between data plane and control pla...| Posts on Identity, access, and stuff - Johannes Passing's blog about IAM
Workload identity federation supports OpenID Connect, so it should be compatible with AD FS. But until recently, workload identity federation didn’t work with AD FS-issued access tokens – only ID tokens worked properly. What was the issue there? For ID Tokens, OpenID Connect is pretty specific about their format: They need to be JSON Web Tokens (JWTs), they must contain certain claims, and they must satisfy certain rules to be considered valid. In contrast, OpenID Connect is pretty lax ab...| Posts on Identity, access, and stuff - Johannes Passing's blog about IAM
When an application that’s running on-premises needs to access Google Cloud services, it needs to authenticate somehow. Typically, it’s best to use workload identity federation for this purpose, but that doesn’t work in all environments. So there’s sometimes no way around using a service account key. The main problem with service account keys is that they are a secret, and that they need to be stored securely. On Windows, one of the best ways to ensure that a cryptographic key can’t...| Posts on Identity, access, and stuff - Johannes Passing's blog about IAM
Before we can call a Google Cloud API, we have to obtain an OAuth access token. We can obtain access tokens for a user (by following the OAuth authorize flow) or for a service account, and most APIs will happily accept both kinds of tokens. But there are some APIs that won’t accept access tokens issued to service accounts. Examples for such APIs include the Cloud Identity API, parts of the Directory API, and several non-Cloud APIs. If we want to use these APIs in an unattended scenario, we ...| Posts on Identity, access, and stuff - Johannes Passing's blog about IAM
By default, IAP Desktop uses the rsa-ssh public key signature algorithm when authenticating to a Linux VM. rsa-ssh is ubiquitous and still commonly used – but it still relies on SHA1, which led the OpenSSH team to deprecate it a while ago: It is now possible to perform chosen-prefix attacks against the SHA-1 hash algorithm for less than USD$50K. For this reason, we will be disabling the "ssh-rsa" public key signature algorithm that depends on SHA-1 by default in a near-future release. The s...| Posts on Identity, access, and stuff - Johannes Passing's blog about IAM
By deploying a web application behind Identity-Aware-Proxy (IAP), we can ensure that an application only receives requests that are authenticated and satisfy the context-aware access rules we’ve configured. In zero-trust lingo, that means IAP is a policy enforcement point. But there are still a few things that the web application needs to do itself. In a previous post, we looked at how IAP works, and saw that IAP injects a special X-Goog-Iap-Jwt-Assertion header into each request that it pa...| Posts on Identity, access, and stuff - Johannes Passing's blog about IAM
.NET 5 and 6 lets us import RSA public keys in PEM format by using RSA.ImportFromPem. Somewhat surprisingly, there’s no corresponding ExportToPem method that would let us export RSA keys in PEM format. But with some extension methods and a little help from CryptoAPI, we can fill that gap. .NET Core 3.0 and later Although .NET Core 3.0 and newer versions don’t provide a RSA.ExportToPem method, they do provide 2 other useful methods: RSA.ExportRSAPublicKey, which exports a public key as a D...| Posts on Identity, access, and stuff - Johannes Passing's blog about IAM
In .NET 5 and 6, we can use RSA.ImportFromPem to import a PEM-formatted RSA public key . Older .NET Core versions and .NET Framework don’t offer that functionality – but with some extension methods and a little help from CryptoAPI, we can fill that gap. .NET Core 3.1 and below Although .NET Core 3.1 and older versions don’t support RSA.ImportFromPem, they do support 2 other useful methods: RSA.ImportRSAPublicKey, which imports a public key from a DER-encoded PKCS#1 RSAPublicKey structur...| Posts on Identity, access, and stuff - Johannes Passing's blog about IAM
Workload identity federation lets us impersonate a Google Cloud service account by using credentials from an external identity provider. With workload identity federation, we can do things like authenticating to Google Cloud by using an AWS EC2 instance profile or by using an Azure managed identity. But there are also some things to watch out for. To use workload identity federation securely, we must configure it in a way that protects us from threats like: Spoofing: A bad actor might attempt...| Posts on Identity, access, and stuff - Johannes Passing's blog about IAM
One of the most common uses of PEM files is storing or exchanging public keys. But there is more than one way to store a public key in a PEM file. PKCS#1 RSAPublicKey The oldest and arguably most simple PEM-based file format for public keys is RSAPublicKey. We can recognize RSAPublicKeyfiles by their BEGIN RSA PUBLIC KEY header: -----BEGIN RSA PUBLIC KEY----- MIIBigKCAYEAq3DnhgYgLVJknvDA3clATozPtjI7yauqD4/ZuqgZn4KzzzkQ4BzJ ar4jRygpzbghlFn0Luk1mdVKzPUgYj0VkbRlHyYfcahbgOHixOOnXkKXrtZW7yWG jXPqy...| Posts on Identity, access, and stuff - Johannes Passing's blog about IAM
One of the more confusing aspects of dealing with public key cryptography is that there are so many different file formats: .key, .pem, .cer, .crt, .p8e, .p8 are just some of the file extensions we commonly encounter, and with PEM, DER, BER, PKCS#1, PKCS#8, there is no shortage of acronyms defining these file formats. So how are they all related? To make sense of this alphabet soup, let’s unpack how some of these standards and formats relate to another. ASN.1 Let’s start with the Abstract...| Posts on Identity, access, and stuff - Johannes Passing's blog about IAM
Let’s assume that we have a number of backend services running in our on-premises environment, and that we’re using AD FS as our identity provider. The backend services expose APIs and expect clients and frontend apps to authenticate using tokens from AD FS. Now we’re developing another frontend app, but this time we deploy it on Google Cloud. How can this app authenticate to the existing backend services? Or more precisely, how can this application authenticate to AD FS and obtain acce...| Posts on Identity, access, and stuff - Johannes Passing's blog about IAM
Let’s assume we have an application that uses KeyCloak for authentication and exposes a set of APIs. To call one of these APIs, a client first has to obtain an access token from KeyCloak, and then pass this access token in the API call. But how does the client application authenticate to KeyCloak? The most common approach is to let the application use the OAuth client_credentials grant in combination with a client secret. That solves the authentication problem, but creates a new problem: We...| Posts on Identity, access, and stuff - Johannes Passing's blog about IAM
When a web application needs to access an OAuth-secured API, it can use the OAuth authorization code flow (aka 3-legged OAuth or 3LO) to obtain access tokens and access the API on the user’s behalf. That’s great for scenarios where an end user is involved, but rarely applicable for unattended applications such as Windows services. When an unattended application needs to obtain OAuth credentials for itself, we have to use the client credentials flow and let the application provide some sor...| Posts on Identity, access, and stuff - Johannes Passing's blog about IAM
In the last post we looked at how to set up a trust policy and role in AWS so that we can use a Google ID token to authenticate to AWS. But how do we actually use this in C#? The AWS SDK contains a class AssumeRoleWithWebIdentityCredentials – but on closer look, this class turns out to be not too useful since it expects us to provide the input token (the service account’s ID token) in a file. Assuming that out code runs on Cloud Run or on a VM instance, it would make more sense to: Call G...| Posts on Identity, access, and stuff - Johannes Passing's blog about IAM
By using workload identity federation, we can let applications use AWS credentials to authenticate to Google Cloud. That’s useful if we have an application that runs on AWS and needs access to Google APIs. But what if we are in the opposite situation, where we have an application on Google Cloud that needs access to AWS? In a case like that, we can use AWS’s AssumeRoleWithWebIdentity, which: Returns a set of temporary security credentials for users who have been authenticated in a mobile ...| Posts on Identity, access, and stuff - Johannes Passing's blog about IAM
Windows Server licensing is tricky. That’s particularly true if we want to run Windows Server VMs in the cloud and use existing licenses for it. A key challenge with bringing our own licenses to the cloud (BYOL) is that Windows Server is licensed by physical core (rather than by virtual core) and that we’re only allowed to move licenses from one piece of hardware to another every 90 days. With regular VMs, meeting those license terms is all but impossible. On Google Cloud, sole-tenant nod...| Posts on Identity, access, and stuff - Johannes Passing's blog about IAM
When a web server requires mutual TLS authentication, the default behavior of web browsers is to show a dialog that lets us choose which client certificate we’d like to use. These certificate prompts can become annoying, so browsers provide ways to suppress them: Internet Explorer and Edge Legacy offered a behavior (Don’t prompt for client certificate selection when only one certificate exists, URLACTION_CLIENT_CERT_PROMPT), on-by-default for the Local Intranet Zone. This setting can be c...| Posts on Identity, access, and stuff - Johannes Passing's blog about IAM
Most browsers support client certificates for mutual TLS authentication. But what is really being authenticated here, the end user, their device, or both? One way to find out is to check where browsers look for client certificates. While Firefox manages its own certificate store, Chrome, Edge and Internet Explorer defer certificate management to Windows. Windows has two types of certificates stores that are relevant in this context, the local machine store and the current user store: The curr...| Posts on Identity, access, and stuff - Johannes Passing's blog about IAM
When we use a managed service like Google Cloud’s Managed Service for Microsoft Active Directory or AWS Managed Microsoft AD, we don’t get full domain admin access to Active Directory. Instead, the services grant us delegated admin access, which is fairly powerful, but not as powerful as domain admin. One example where the lack of domain admin access can become an issue is AD FS. By default, installing AD FS requires domain admin access, and the deployment wizard refuses to cooperate if w...| Posts on Identity, access, and stuff - Johannes Passing's blog about IAM
To let applications that run on Google Cloud authenticate to Google APIs, we can attach a service account to the underlying compute resource. Applications can then query the metadata server to get temporary credentials, and use these credentials to access the Google APIs they need. But what if we have an application that runs on AWS and needs access to Google APIs? Attaching a service account obviously won’t work in this case – but we can use workload identity federation to let the applic...| Posts on Identity, access, and stuff - Johannes Passing's blog about IAM
Unlike Google Cloud and Azure, AWS doesn’t use OAuth 2 and access tokens for letting clients authenticate to their API. Instead, AWS expects clients to calculate a signature for each request, and pass the signature in the Authorizationheader. To calculate a signature, clients first create a canonicalized version of the request, including its parameters, headers, and body. Then, they take that request, add some extra bits like the time, and create a message authentication code (MAC) for it b...| Posts on Identity, access, and stuff - Johannes Passing's blog about IAM
By using workload identity federation, we can let applications use Azure credentials to authenticate to Google Cloud. That’s useful if we have an application that runs on Azure and needs access to Google APIs. But what if we are in the opposite situation, where we have an application on Google Cloud that needs access to Azure APIs? Client secrets One option is to authenticate a service principal by using a client secret: In Azure AD, create an application and generate a client secret. In Go...| Posts on Identity, access, and stuff - Johannes Passing's blog about IAM
On Google Cloud, we can attach a service account to compute resources such as VM instances to let applications obtain service account credentials. Using these credentials, applications can then access the Google APIs they need. When an application running on Azure needs access to Google APIs, attaching a service account obviously won’t work – but we can use workload identity federation to let the application use its Azure credentials to authenticate to Google APIs. The idea behind Workloa...| Posts on Identity, access, and stuff - Johannes Passing's blog about IAM
Instead of performing machine-wide installations, some applications like IAP Desktop do per-user installations. That means all files are installed to the (roaming) user profile and not to c:\Program Files\. It also means that the installation doesn’t require administrative privileges, which is a big plus in corporate environments. Unfortunately, per-user installations typically don’t work on Windows Server: If we try to run a per-user installation package, Windows Installer will bark at u...| Posts on Identity, access, and stuff - Johannes Passing's blog about IAM
When you attach a service account to a VM instance on Google Cloud, an application running on the VM can obtain an access token for the attached service account by querying the metadata server. It can then use this access token to access Google Cloud resources (assuming the service account has been granted access). Applications can also obtain an ID token for the attached service account. Google Cloud doesn’t really specify what to use this ID Token for, but one common use case is to use it...| Posts on Identity, access, and stuff - Johannes Passing's blog about IAM
It wasn’t until 2004 that I got broadband internet at home. So I remember the times when downloading a new JDK (which was around 20 MB at the time) over my 56K modem line meant blocking my family’s phone line for 2 hours. Today, bandwidth doesn’t seem like a limiting factor anymore. But that doesn’t mean that download sizes for applications don’t matter – they still do. Today, it’s not uncommon to see even relatively simple tools exceed 100 MB in size. Often, the bloat is caused...| Posts on Identity, access, and stuff - Johannes Passing's blog about IAM
Group policies let you control and tweak thousands of Windows settings. But group policies aren’t limited to Windows or Microsoft applications: we can also use group policies to manage custom applications, either by registering a group policy extension for the app, or (more commonly) by using registry-based policies. The idea of registry-based policies is quite straightforward: An Administrative Template File (ADMX) defines the set of available policies, and which registry key and value eac...| Posts on Identity, access, and stuff - Johannes Passing's blog about IAM
Downloading and installing IAP Desktop only takes a few seconds and doesn’t require any special privileges. That’s deliberate, because the idea is to make it as easy as possible for users to get started. But if multiple users in your organization use IAP Desktop, it can be useful to manage the installation of IAP Desktop centrally, for example by using group policies. Automating the distribution and installation of IAP Desktop has always been possible, but so far, there wasn’t a good wa...| Posts on Identity, access, and stuff - Johannes Passing's blog about IAM
Last time, we looked at how we can use a Cloud KMS asymmetric signing key to create a self-signed X.509 certificate. But we’re not limited to self-signed certificates: we can use Cloud KMS to sign other certificate signing requests too, just like a certificate authority (CA). Trusting the issuer If we want to act like a CA, we first need to establish trust. That is, we have to obtain the certificate authority’s certificate and register it as a trusted authority on other machines. A CA roo...| Posts on Identity, access, and stuff - Johannes Passing's blog about IAM
After you create an asymmetric signing key in Cloud KMS, you can download the key pair’s public key. The key is provided in PEM format – that’s pretty standard and all you need in many use cases. But especially when dealing with third party services, you sometimes need an X.509 certificate instead of a plain public key. Before concluding that Cloud KMS simply isn’t a fit for use cases that demand a X.509 certificate, let’s remind ourselves what a X.509 certificate really is: A certi...| Posts on Identity, access, and stuff - Johannes Passing's blog about IAM
Service accounts play a key role in Google Cloud IAM, and there are multiple ways how service accounts can authenticate. One of them is by using a service account key – but service account keys turn into a security risk if they aren’t managed carefully. Today, I published a new guide on the Google Cloud website, Best practices for managing service account keys, that describes how you can secure service account keys and how to protect against common threats, including: Credential leakage: ...| Posts on Identity, access, and stuff - Johannes Passing's blog about IAM
In an ideal world, all our VM instances are immutable, their management fully automated, and nobody ever has to access a VM by using SSH or RDP. Reality however typically looks a little different and SSH or RDP access is difficult to avoid. When we give users SSH or RDP access to VM instances, there is more than immutability we have to worry about – we also have to ensure that access governance concerns are addressed: How do we grant users access to VMs? How do we ensure access is checked e...| Posts on Identity, access, and stuff - Johannes Passing's blog about IAM
When you create a service account key, Google Cloud doesn’t let you specify an expiry date. The key stays valid until you either delete the key or delete the entire service account. Things look different when you upload a service account key: uploading a service account key works by creating a self-signed X.509 certificate, and then uploading that certificate in PEM format. X.509 certificates have an expiry date, and you can use that to limit the validity of a service account key. Let’s s...| Posts on Identity, access, and stuff - Johannes Passing's blog about IAM
In the last posts, I talked a bit about using CryptoAPI and CryptoNG (CNG) to manage encryption keys, and how using CNG sometimes requires some extra work. That begs the question: is that extra work justified? If CryptoAPI is easier to use, why not just use that? Obviously, one good reason to prefer CNG is that CryptoAPI is deprecated. Another reason has to do with how CNG and CryptoAPI protect encryption keys: The two APIs have a very different architecture and this difference has a profound...| Posts on Identity, access, and stuff - Johannes Passing's blog about IAM
Last time, we looked at how you can use a CryptoAPI-backed key as a service account key and use it to authenticate. Now let’s see how you can do the same with CNG. The Cryptography API: Next Generation (CNG for short) has been around since Windows Vista and is arguably better than the CryptoAPI, but there is still a lot of code and applications that rely on the CryptoAPI instead of CNG. Part of the reason for that is that .NET Framework was very slow to add support for CNG: It wasn’t unti...| Posts on Identity, access, and stuff - Johannes Passing's blog about IAM
Using service account keys to authenticate a service account is generally discouraged, but sometimes difficult to avoid. The most common way to use service account keys is to create a new key by using the Cloud Console or gcloud, and then to save the key file on the machine where it’s needed. That process sounds simple enough, but in reality it’s often more complex: There might be multiple persons involved: As the user deploying the application, you might lack the permission to create the...| Posts on Identity, access, and stuff - Johannes Passing's blog about IAM
When you create an enterprise app in Azure AD and configure SAML-based single sign-on, the portal shows you the Login URL and Logout URL that your application needs to use. For most applications from the catalog (including the Google Cloud one), it looks like this: If you look closely, you notice that the Login URL and Logout URL are the same – both read https://login.microsoftonline.com/[Tenant-Id]/saml2. This is consistent with the federation metadata: <IDPSSODescriptor protocolSupportEnu...| Posts on Identity, access, and stuff - Johannes Passing's blog about IAM
When working with cloud services, you occasionally encounter two APIs that essentially do the same thing, but require different authentication or permissions. Such cases tend to pique my interest – not only because there might be a security issue lurking, but also because there’s often an interesting story behind these APIs. One case I recently ran into is Azure AD federation metadata. When you create an enterprise app in Azure AD and configure SAML-based single sign-on, the portal shows ...| Posts on Identity, access, and stuff - Johannes Passing's blog about IAM
In the previous post, we reviewed how the Windows Setup works and how it can be customized. works. In this post, we’ll take a look at how Windows Setup is used to build custom Windows base images. Build process The Windows Setup process can be summarized to comprise three basic steps: Boot WinPE from a DVD or over a network. Use WinPE to extract a Windows image (install.wim) to the installation disk. Boot from the disk and specialize the system. For further details, see my previous post. To...| Posts on Identity, access, and stuff - Johannes Passing's blog about IAM
Google Cloud provides public images for a range of Windows Server versions, and using one of these images is typically the fastest way to deploy a Windows VM. There are situations however where it’s necessary to build your own image – for example, if you want to bring your own license. I recently published an article Creating custom Windows BYOL images on the Google Cloud site that describes how you can use daisy to build BYOL-compatible images from scratch. In this two-part blog post, I ...| Posts on Identity, access, and stuff - Johannes Passing's blog about IAM
Today, I released version 2.16 of IAP Desktop. This new version brings a couple of new features. Improved Project Explorer When you loaded or refreshed the Project Explorer tool window in previous versions of IAP Desktop, the application displayed a “Loading…” window for several seconds while the data was being loaded. The more projects you added to IAP Desktop, the slower (and more annoying) this behavior could become. In the latest version, I changed the tool window to work entirely a...| Posts on Identity, access, and stuff - Johannes Passing's blog about IAM
When you attach a service account to a virtual machine (VM) in Google Cloud, applications deployed on the VM can access the metadata server to request access tokens or ID Tokens for the attached service account. By default, access to the metadata server is not limited to any specific process or user on the VM: even processes running as a low-privilege user such as nobody on Linux or LocalService on Windows have full access to the metadata server and can obtain tokens for the service account. ...| Posts on Identity, access, and stuff - Johannes Passing's blog about IAM
If you use GitHub releases to host download packages, then you’re probably interested in how often these packages are being downloaded. You’d expect that the GitHub website provided that information under Insights > Traffic, but unfortunately, that’s not the case. Instead, you have to turn to the GitHub API. To get information about download counts, you can query the Releases resource, which is part of the GitHub API. This resource returns a list of all your project’s releases, along ...| Posts on Identity, access, and stuff - Johannes Passing's blog about IAM
Service accounts play a key role in Google Cloud IAM, but they are easy to get wrong. If you’re not careful, you quickly end up with over-permissioned service accounts, accounts that are used across multiple applications, and service account keys being spread all across your environment. Last week, I published two new best practices guides on the Google Cloud website which hopefully help customers avoid common mistakes related to service accounts. The first guide, Best practices for using a...| Posts on Identity, access, and stuff - Johannes Passing's blog about IAM
After I managed to compile and link libssh2, the easiest way to get started using libssh2 was to look at the examples. Written in plain C, the examples cover some of the most common use cases and compensate for the fact that the rest of the documentation is rather sparse. Managing threads One key topic that unfortunately neither the examples nor the documentation address is thread-safety. The documentation for libssh2_init function states that the function … uses a global state, and is not ...| Posts on Identity, access, and stuff - Johannes Passing's blog about IAM
Considering how popular and widely used SSH is, it is surprising that there are not too many good open source SSH libraries. To add SSH support to IAP Desktop, I was looking for an SSH library that works on Windows, that can be used from .NET, and uses a liberal (non-GPL based) open source license. Given these constraints, the list of suitable libraries quickly narrowed down to SSH.NET and libssh2. SSH.NET is MIT-licensed and quite popular, but the library does not seem to be particularly wel...| Posts on Identity, access, and stuff - Johannes Passing's blog about IAM
I recently released version 2.13 of IAP Desktop. This release introduces a major new feature, the ability to connect to Linux instances by using SSH. When you select a Linux VM in the Project Explorer tool window and click Connect, IAP Desktop now connects to the VM by using SSH and opens a virtual terminal: Behind the scenes, IAP Desktop: creates an RSA key pair if you do not have one yet, and securely stores it in the Windows CryptoNG key store, publishes the public SSH key to OS Login, pro...| Posts on Identity, access, and stuff - Johannes Passing's blog about IAM
To make sure Windows runs well on Compute Engine, it’s necessary to apply a few customizations to the operating system. When you create a VM instance by using one of the public images, these customizations are applied by default. If you take the alternative route and import an existing image from a VHD or VMDK file, then the import process takes care of applying the same changes. The customizations fall into two categories: (1) settings and (2) pre-installed drivers and software. The driver...| Posts on Identity, access, and stuff - Johannes Passing's blog about IAM
By using the Set Windows password button in the Cloud Console or the Generate Windows logon credentials function in IAP Desktop, you can request the Windows guest OS agent to create a local user account for you, or to reset a password of an existing user account. In the last post, we looked at the risks associated with these local administrator accounts and why it might be a good idea to disable the feature for domain-joined VM instances. But what about domain controllers? Local user accounts...| Posts on Identity, access, and stuff - Johannes Passing's blog about IAM
After you have created a Windows VM on Google Cloud, you can use the Set Windows password button in the Cloud Console or the Generate Windows logon credentials function in IAP Desktop to request login credentials. You can then use these credentials to log on to Windows as a local administrator over RDP or any other channel. The logic to generate credentials is implemented in the Compute Engine agent: when requested to generate credentials for a certain username, the agent first checks if ther...| Posts on Identity, access, and stuff - Johannes Passing's blog about IAM
13 years ago, I wrote NTrace, a dynamic function boundary tracing toolkit for Windows NT inspired by DTrace. NTrace supported both user-mode and kernel mode tracing and, like DTrace, was able to instrument machine code on the fly. Under the hood, NTrace took advantage of the way Microsoft x86 compilers emit machine code to make the code compatible with Windows Hotpatching. Aware of the particular code layout emitted by compilers, NTrace used runtime code modification to weave in its instrumen...| Posts on Identity, access, and stuff - Johannes Passing's blog about IAM
If you frequently use Remote Desktop, then you might be used to creating .rdp files for the servers you connect to most often. An .rdp file contains the necessary details to establish a Remote Desktop connection, and also allows you to set preferences affecting the screen resolution, audio settings, shared devices, and other settings. IAP Desktop does not support .rdp files, and that’s for good reason: To create an IAP TCP forwarding tunnel, IAP Desktop needs the project ID, zone, and the i...| Posts on Identity, access, and stuff - Johannes Passing's blog about IAM
When you authenticate a user by using OpenID Connect and request the email scope, most identity providers add two additional claims to the ID Token, email and email_verified. The email claim does not need much explanation – but what about email_verified, what does this claim indicate and how does Google populate it? The email_verified claim is defined as part of the OpenID Connect standard claims set as: True if the End-User's e-mail address has been verified; otherwise false. When this Cla...| Posts on Identity, access, and stuff - Johannes Passing's blog about IAM
Yesterday I released version 2.11 of IAP Desktop. This new version brings a couple of new features. Multi-display support After you’ve connected to the remote desktop of a VM instance, you can switch to full-screen by hitting F11 or selecting Desktop > Full screen. This feature has been around for a while – but it has always been limited to a single display. If your computer has multiple displays, the remote desktop only covers one of them. The new version adds another command to the menu...| Posts on Identity, access, and stuff - Johannes Passing's blog about IAM
When you create a VM instance on Google Cloud, you can optionally specify instance metadata. Instance metadata is a list of key/value pairs and the most common use case for using metadata is passing a startup or shutdown script to a VM. But startup and shutdown scripts are not the only platform features that rely on metadata. Compute Engine also uses metadata as a vehicle to implement a range of feature flags as the following list shows: Metadata keyImplemented byWindowsLinux enable-os-invent...| Posts on Identity, access, and stuff - Johannes Passing's blog about IAM
One of the less well known features of Google Cloud Shell is that it has PowerShell preinstalled. All it takes to convert your Cloud Shell session into a PowerShell session is to run pwsh: Cloud Shell is based in Linux, so what you see is the .NET Core-based version of PowerShell (née PowerShell Core) as opposed to the .NET Framework-based version that you typically use on Windows. Some PowerShell modules still only target .NET Framework or depend on certain Windows features. These modules w...| Posts on Identity, access, and stuff - Johannes Passing's blog about IAM
In the last post, we looked at the risks of local port forwarding and how it’s difficult to prevent malicious users from connecting to other user’s TCP tunnels in a multi-user environment. Before version 2.7, the TCP tunnels created by IAP Desktop were as prone to being hijacked by other users as tunnels created by SSH or gcloud compute start-iap-tunnel. But as of version 2.7, attempting to connect to any of IAP Desktop’s tunnels by using mstsc or any other program fails and causes a wa...| Posts on Identity, access, and stuff - Johannes Passing's blog about IAM
If you are a frequent SSH user, then you’ll be familiar with local port forwarding: Local forwarding is used to forward a port from the client machine to the server machine. Basically, the SSH client listens for connections on a configured port, and when it receives a connection, it tunnels the connection to an SSH server. The server connects to a configurated destination port, possibly on a different machine than the SSH server. Local port forwarding is not only a commonly used SSH feature...| Posts on Identity, access, and stuff - Johannes Passing's blog about IAM
Johannes Passing's blog about identity and access management, Windows, security, cryptography, and other stuff| jpassing.com