Connections > Google BigQuery V2 connection properties > Prepare for Workload Identity Federation authentication
  

Prepare for Workload Identity Federation authentication

To connect to Google BigQuery using Workload Identity Federation authentication, you need the project number, client ID, secret ID, authorization URL, access token URL, pool ID, provider ID, and access token.
To get the authorization details, create an OAuth application in the Okta identity provider with a principal user and register the Informatica redirect URL. This setup enables clients that support OAuth to redirect users to an authorization page and generate access tokens, and optionally, refresh tokens to access Google BigQuery. If the access token expires, the Informatica redirect URL, which is outside the customer firewall, attempts to connect to the Okta identity provider endpoint and retrieves a new access token.
In the Google Cloud console, you need to create a Workload Identity Federation pool and register Okta as the provider. Then, assign roles to the principal user so that it can directly access the Google Cloud resources.
For more information, see Manage workload identity pools and providers.

Set up an OAuth application in the Okta server

To set up an OAuth application in the Okta server, perform the following steps:
Note: The third-party information included in Informatica documentation is subject to change without prior notice. Check the third-party documentation for the most up-to-date information.
  1. 1Log in to the Okta portal as an Okta administrator.
  2. 2From the Admin console, go to Applications.
  3. 3Click Create App Integration.
  4. 4On the Create a new app integration page,
    1. aIn the Sign-in method, select OIDC - OpenID Connect.
    2. bIn the Application type, select Web Application and click Next.
  5. 5On the New Web App Integration page,
    1. aEnter the OAuth application name in the App integration name field.
      2. Example: Informatica Cloud Okta OIDC Web Application
    2. bSelect Authorization Code and Refresh Token in the Grant type field.
    3. cEnter the URIs in the Sign-in redirect URIs and Sign-out redirect URIs fields. You can enter multiple URIs according to your requirements.
      4. Syntax: https://<Server name where Informatica Secure Agent is hosted>/ma/proxy/oauthcallback
    4. dIn the Refresh Token section, select Use persistent token in the Refresh token behavior field.
    5. eIn the USER CONSENT section, select Require consent in the User consent field.
    6. fIn the Assignments section,
      1. aSelect a desired option according to your requirements for the Controlled access field.
      2. bSelect Enable immediate access with Federation Broker Mode in the Enable immediate access field.
    7. gClick Save. The OAuth application is created.
  6. 6Record the values of Client ID and CLIENT SECRET fields. You require these values to configure the Google BigQuery V2 connection.The image shows where you can find the values of the client ID and client secret.

Add an Okta authorization server

To add an Okta authorization server, perform the following steps:
Note: The third-party information included in Informatica documentation is subject to change without prior notice. Check the third-party documentation for the most up-to-date information.
  1. 1Log in to the Okta portal as an Okta administrator.
  2. 2Go to Security > API.
  3. 3On the Authorization Servers tab, click Add Authorization Server.
  4. 4On the Add Authorization Server page,
    1. aEnter a name for the authorization server in the Name field.
      2. Example: Informatica Cloud Okta Authorization Server
    2. bEnter the value in the Audience field.
      3. Syntax: gcp-workload-identity-pool://<Workload Identity Pool ID>
      Note: Ensure that you enter the same value in the identity provider field in Google Cloud Console.
    3. cEnter the description in the Description field and click Save.
    4. dRecord the Okta issuer value, which is required for the server configuration.
  5. 5On the Settings tab,
    1. aClick Metadata URI. A JSON response output is generated.
      2. Note: Alternatively, you can copy the value and open in an internet browser window.
    2. bCopy the JSON response output to an advanced text editor application and record the values of the following parameters:
    3. The image shows a sample of the JSON response output.
  6. 6On the Claims tab, verify that an Access type exists with the name sub.
  7. 7On the Access Policies tab, click Add New Access Policy.
  8. 8On the Add Policy page,
    1. aEnter the policy name in the Name field.
      2. Example: Informatica Cloud Access Policy v1
    2. bEnter the policy description in the Description field.
    3. cSelect the The following clients: option in the Assign to field and select the OIDC web application that you created.
      4. Note: You can select multiple client applications.
    4. dClick Create Policy.
  9. 9On the Access Policies tab, click Add Rule in the newly created access policy.
  10. 10On the Add Rule page,
    1. aEnter the rule name in the Rule Name field.
    2. bIn the IF Grant type is field,
      1. aSelect Client Credentials in the Client acting on behalf of itself field.
      2. bSelect Authorization Code in the Core grants field.
      3. cSelect Implicit (hybrid) and Resource Owner Password in the Other grants field.
    3. cIn the AND User is field, select Any user assigned the app.
      4. Note: You can further review the access policy rules and specify restrictions for additional groups or users according to your requirements.
    4. dIn the AND Scopes requested field, select Any scopes.
    5. eVerify the default value set for the AND Access token lifetime is field and adjust the value, if required.
    6. fClick Create rule.
  11. 11On the Token Preview tab, verify the configuration for the Okta authorization server.
    1. aIn the Request Properties section,
      1. aSelect the Okta OIDC web application that you created in the OAuth/OIDC client field.
      2. bSelect Authorization Code in the Grant type field.
      3. cSelect a user in the User field.
        4. Note: Ensure that the selected user is a member of any of the groups associated with the OIDC web application that you created and the access policy rule set for the authorization server.
      4. dEnter openid in the Scopes field.
      5. eClick Preview Token.
    2. bIn the Preview section, go to the token tab.
    3. cIn the Payload section, verify the value of the sub claim or any other claims that you created.
  12. The image shows the Token Preview tab.

Register the identity provider with Workload Identity Pool

To register the identity provider with Workload Identity Pool, perform the following steps:
Note: The third-party information included in Informatica documentation is subject to change without prior notice. Check the third-party documentation for the most up-to-date information.
  1. 1In the Google Cloud Console, go to IAM & Admin > Workload Identity Federation.
  2. 2Click Create pool.
  3. 3In the Create an identity pool section,
    1. aEnter the identity pool name in the Name field.
    2. bEnter the identity pool ID in the Pool ID field.
    3. cEnter the identity pool description in the Description field.
    4. dClick Continue.
  4. 4In the Add a provider to pool section, select OpenID Connect (OIDC) in the Select a provider field.
  5. 5In the Configure provider attributes section,
    1. aEnter the identity provider name in the Provider name field.
    2. bEnter the identity provider issuer URL in the Issuer (URL) field.
    3. cEnsure that the JWK file (JSON) field is empty.
    4. dSelect the Allowed audiences option.
    5. eEnter gcp-workload-identity-pool://<identity pool ID> in the Audience 1 field.
    6. fClick Continue.
    7. gVerify that google.subject is auto populated in the Google 1 field.
    8. hEnter assertion.sub in the OIDC 1 field.
    9. iClick Save.
  6. 6Record the values of Pool ID and Provider ID that you created. You require these values to configure the Google BigQuery V2 connection.

Assign required roles to Workload Identity Pool principal user

To assign required roles to the Workload Identity Pool principal user, perform the following steps:
Note: The third-party information included in Informatica documentation is subject to change without prior notice. Check the third-party documentation for the most up-to-date information.
  1. 1In the Google Cloud Console, go to IAM & Admin > IAM > Allow.
  2. 2Click Grand access.
  3. 3On the Grant access to "API Project" page,
    1. aEnter the IAM principal information in the New principals field.
      2. Syntax: principal://iam.googleapis.com/projects/<Project number>/locations/global/workloadIdentityPools/<Pool ID>/subject/<email ID of the registered user>
      You can find the project number in the Google Cloud Console. This value is required to configure the Google BigQuery V2 connection.
    2. bAssign the required roles for the IAM principal user.
      3. Note: You can assign multiple roles for the user. For a beginner user, you can assign the roles such as Bigquery Admin, Storage Admin, and Workload Identity User.
  4. 4Click Save.