Deep Dive into Azure Integration with Google Cloud Platform: Workload Identity Federation (Part-2)

Parag Neve
3 min read · Nov 6, 2023


Seamless Azure-GCP Integration with Workload Identity Federation: Elevating Cross-Cloud Collaboration & Security
Secure Integration of services between Azure and Google Cloud Platform

This is part-2 of the multi-part series of blogs about secure integration between Microsoft Azure and Google Cloud Platform. For Part-1 of this series, visit this post on Medium.

In this continuation of our previous blog, we will demonstrate the practical implementation of Workload Identity Federation by setting up a service hosted in Azure to connect to a Cloud SQL database hosted in Google Cloud Platform (GCP), all without the need for service account keys. This real-world example will illustrate the power of Workload Identity Federation in cross-cloud platform scenarios.

Prerequisites:

  1. Azure account and subscription.
  2. Google Cloud Platform account and project.
  3. An Azure Virtual Machine (VM) or App Service that will host your application.
  4. A Google Cloud SQL instance with a database.

Step 1: Enable Workload Identity Federation on Google Cloud

Before we can establish the connection, we need to set up Workload Identity Federation in Google Cloud so that tokens issued to the Azure managed identity can be exchanged for short-lived credentials of a GCP service account. That takes a workload identity pool, an OIDC provider in that pool that trusts your Azure AD tenant, and an IAM binding that lets identities from the pool impersonate the service account. For least privilege, bind a single identity with principal://…/subject/SUBJECT instead of the whole pool. Here are the steps:

# Create a workload identity pool and an OIDC provider that trusts your Azure AD tenant
gcloud iam workload-identity-pools create azure-pool --location=global --project=your-gcp-project
gcloud iam workload-identity-pools providers create-oidc azure-provider --location=global --workload-identity-pool=azure-pool \
--issuer-uri="https://sts.windows.net/your-azure-tenant-id/" --allowed-audiences="api://your-app-id-uri" \
--attribute-mapping="google.subject=assertion.sub" --project=your-gcp-project
# Allow identities from the pool to impersonate the service account (no service account key is created)
gcloud iam service-accounts add-iam-policy-binding your-azure-identity@your-gcp-project.iam.gserviceaccount.com --role="roles/iam.workloadIdentityUser" \
--member="principalSet://iam.googleapis.com/projects/your-gcp-project-number/locations/global/workloadIdentityPools/azure-pool/*"

Step 2: Configure Your Azure Service

In Azure, you should have a service (e.g., a web application) that needs to connect to the Cloud SQL instance in GCP. Ensure that you’ve assigned the Azure managed identity to this service.

# Assign Azure managed identity to Azure service
az webapp identity assign --name YourWebApp --resource-group YourResourceGroup

Step 3: Configure Your Application

Depending on the programming language and framework you’re using, you’ll need to configure your application to use the Azure managed identity to access the Cloud SQL instance.

For example, if you’re using a Python application, you can connect with the Cloud SQL Python Connector (the google-cloud-sql-connector package) using IAM database authentication. It is used here in place of pyodbc, which on its own has no way to present the exchanged federated token to Cloud SQL. The connector takes its credentials from google-auth, which reads the credential configuration file generated by gcloud iam workload-identity-pools create-cred-config with the --azure option; that file tells the library where to fetch the Azure managed identity token and which GCP service account to impersonate. Before running it, make sure the service account holds roles/cloudsql.client and roles/cloudsql.instanceUser and has been added to the instance as an IAM database user. Here's a sample code snippet:

import google.auth
from google.cloud.sql.connector import Connector

# GOOGLE_APPLICATION_CREDENTIALS points at the credential configuration file created with
# `gcloud iam workload-identity-pools create-cred-config ... --azure`; google-auth uses it to
# fetch the Azure managed identity token and exchange it for short-lived credentials of
# your-azure-identity@your-gcp-project.iam.gserviceaccount.com. No key file is involved.
credentials, _ = google.auth.default()

# Connect with IAM database authentication: the connector presents the federated
# credentials as the database password, so no database password is stored either.
connector = Connector(credentials=credentials)
cnxn = connector.connect(
    'your-gcp-project:your-region:your-cloud-sql-instance',  # Cloud SQL instance connection name
    'pymysql',
    user='your-azure-identity@your-gcp-project.iam',  # IAM database user: SA email without '.gserviceaccount.com'
    db='your-database',
    enable_iam_auth=True,
)

Step 4: Testing the Connection

You can now test your application’s connection to the Cloud SQL instance in GCP. If everything is configured correctly, your Azure-hosted service should be able to access the Cloud SQL database securely without needing service account keys.
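What Steps 1 to 4 rely on, as an added example that is not from the post: the three-step token exchange that google-auth performs under the hood when the application runs with a workload identity credential configuration. Project number, pool, provider, service account and application ID URI values are assumed placeholders, and the HTTP transport is injectable so the exchange can be inspected without network access.

```python
import json
from urllib.parse import urlencode
from urllib.request import Request, urlopen

# Assumed placeholders (not from the post): substitute your own pool, provider, SA and app ID URI.
GCP_PROJECT_NUMBER = "123456789012"
POOL_ID, PROVIDER_ID = "azure-pool", "azure-provider"
GCP_SERVICE_ACCOUNT = "your-azure-identity@your-gcp-project.iam.gserviceaccount.com"
AZURE_APP_ID_URI = "api://your-app-id-uri"  # must match the provider's --allowed-audiences
CLOUD_PLATFORM_SCOPE = "https://www.googleapis.com/auth/cloud-platform"
IMDS_URL = "http://169.254.169.254/metadata/identity/oauth2/token"
STS_URL = "https://sts.googleapis.com/v1/token"
IAM_CREDS_URL = "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts"

def workload_identity_audience() -> str:
    """The STS audience names the pool provider that must have vetted the Azure token."""
    return (f"//iam.googleapis.com/projects/{GCP_PROJECT_NUMBER}/locations/global/"
            f"workloadIdentityPools/{POOL_ID}/providers/{PROVIDER_ID}")

def sts_exchange_body(azure_jwt: str) -> dict:
    """Form fields of the OAuth 2.0 token-exchange request (the same ones google-auth sends)."""
    return {
        "grant_type": "urn:ietf:params:oauth:grant-type:token-exchange",
        "audience": workload_identity_audience(),
        "scope": CLOUD_PLATFORM_SCOPE,
        "requested_token_type": "urn:ietf:params:oauth:token-type:access_token",
        "subject_token_type": "urn:ietf:params:oauth:token-type:jwt",
        "subject_token": azure_jwt,
    }

def http_json(method, url, headers, body=None) -> dict:
    """Minimal JSON-over-HTTP transport; a fake can be passed in its place for testing."""
    with urlopen(Request(url, data=body, headers=headers, method=method), timeout=10) as resp:
        return json.loads(resp.read())

def federated_access_token(http=http_json) -> str:
    """Azure managed identity token -> GCP federated token -> service account access token."""
    # 1. Azure IMDS issues a JWT for the managed identity with aud = the app ID URI.
    query = urlencode({"api-version": "2018-02-01", "resource": AZURE_APP_ID_URI})
    azure = http("GET", f"{IMDS_URL}?{query}", {"Metadata": "true"})
    # 2. GCP STS checks issuer, audience and signature against the provider and returns
    #    a federated token that is only valid for this pool.
    sts = http("POST", STS_URL, {"Content-Type": "application/x-www-form-urlencoded"},
               urlencode(sts_exchange_body(azure["access_token"])).encode())
    # 3. roles/iam.workloadIdentityUser lets that federated token mint a short-lived
    #    access token for the service account; no key file exists anywhere.
    sa = http("POST", f"{IAM_CREDS_URL}/{GCP_SERVICE_ACCOUNT}:generateAccessToken",
              {"Authorization": f"Bearer {sts['access_token']}", "Content-Type": "application/json"},
              json.dumps({"scope": [CLOUD_PLATFORM_SCOPE]}).encode())
    return sa["accessToken"]
```

The access token returned by step 3 is what the Cloud SQL connector sends as the IAM database password; if step 2 fails, check that the provider's issuer URI and allowed audience match the tenant and application ID URI the Azure token was issued for.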

Conclusion

Workload Identity Federation allows you to create secure and efficient connections between Azure and GCP, enhancing cross-cloud platform integration. In this blog, we demonstrated how to set up Workload Identity Federation to enable an Azure-hosted service to connect to a Cloud SQL instance hosted in GCP without the need for service account keys.

By implementing this approach, you can leverage the strengths of both Azure and GCP, ensuring a more secure and streamlined cloud infrastructure for your applications. Workload Identity Federation simplifies the management of access and enhances security, making it a valuable tool in the multi-cloud world.
