GCP Instance Identity Token
The GCP Instance Identity Token method attests workloads running on Google Cloud. The workload queries the instance metadata service for its signed identity token; the Trust Domain Server verifies the token's authenticity using GCP's public signing keys.
Attributes available for SVID issuance
Depending on the resource type, different attributes are available. All have the origin gcp_iit.
By default, attestors require Google Compute Engine claims to be present in the token; this requirement can be turned off by setting allowNonComputeTokens to true.
| Attribute | Description | Requires useInstanceMetadata | Restrictions |
|---|---|---|---|
| gcp_iit.project_id | GCP project ID | No | - |
| gcp_iit.service_account.email | GCP service account email | No | - |
| gcp_iit.service_account.id | GCP service account ID | No | Only available when a custom service account is set |
| gcp_iit.instance_id | Unique instance ID | No | Only available on compute |
| gcp_iit.instance_name | Instance name | No | Only available on compute |
| gcp_iit.project_number | GCP project number | No | Only available on compute |
| gcp_iit.zone | Zone where the instance is located | No | Only available on compute |
| gcp_iit.instance_creation_timestamp | Unix timestamp of instance creation | No | Only available on compute |
| gcp_iit.label.<key> | Instance label values, where <key> is listed in attributeLabelKeys | Yes | Only available on compute |
| gcp_iit.metadata.<key> | Instance metadata values, where <key> is listed in attributeMetadataKeys | Yes | Only available on compute |
Example SPIFFE ID template:

```
/gcp/{{gcp_iit.project_id}}/{{gcp_iit.service_account.id}}
```
How to Deploy
Save the following configuration document as serverless.yaml:

```yaml
section: ServerlessAttestation
schema: v1
spec:
  policies:
    - name: gcp_policy
      svidPolicy:
        pathTemplate: "/gcp/{{gcp_iit.project_id}}/{{gcp_iit.service_account.id}}"
      requiredAttestors:
        - type: gcp_iit
          config:
            allowedProjectIDs:
              - my-project-id
            allowNonComputeTokens: true
```
Apply it using spirlctl:

```shell
spirlctl config set trust-domain --id <trust-domain-id> serverless.yaml
```
Or using Terraform:

```hcl
resource "spirl_trust_domain_config" "serverless_attestation" {
  trust_domain_id = spirl_trust_domain.my_trust_domain.id
  sections = {
    ServerlessAttestation = <<-YAML
      section: ServerlessAttestation
      schema: v1
      spec:
        policies:
          - name: gcp_policy
            svidPolicy:
              pathTemplate: "/gcp/{{gcp_iit.project_id}}/{{gcp_iit.service_account.id}}"
            requiredAttestors:
              - type: gcp_iit
                config:
                  allowedProjectIDs:
                    - my-project-id
                  allowNonComputeTokens: true
    YAML
  }
}
```
Once a configuration document is validated and stored, the Defakto control plane syncs it to your Trust Domain Servers automatically. No restart is required.
Server Configuration Reference
| Field | Required | Default | Description |
|---|---|---|---|
| allowedProjectIDs | Yes | — | List of GCP project IDs whose instances are allowed to attest. |
| useInstanceMetadata | No | false | Enable fetching VM labels and metadata via the Compute Engine API. Required for attributeLabelKeys and attributeMetadataKeys. |
| serviceAccountKeyJson | No | ADC | GCP service account credentials JSON. Used only when useInstanceMetadata is enabled. When omitted, Application Default Credentials are used. |
| attributeLabelKeys | No | — | Instance label keys to emit as attributes. Requires useInstanceMetadata: true. |
| attributeMetadataKeys | No | — | Instance metadata keys to emit as attributes. Requires useInstanceMetadata: true. |
| maxMetadataValueSize | No | 128 | Maximum size (bytes) for label and metadata attribute values. Values exceeding this limit are truncated. |
| allowNonComputeTokens | No | false | Allows tokens issued to non-compute resources such as Cloud Run. |
Security Considerations
- The Trust Domain Server verifies the identity token's signature using GCP's public signing keys fetched from googleapis.com. Network access to this endpoint is required.
- Labels and metadata values are fetched from the GCP Compute Engine API using unattested IMDS data as a hint and then validated. Restrict which label and metadata keys are emitted using attributeLabelKeys and attributeMetadataKeys.
- maxMetadataValueSize prevents abnormally large metadata values from being included in attributes. The default of 128 bytes is sufficient for most environment tags and labels.
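As an added example (not Defakto or SPIRL code), the policy step described on this page applied in Python to an identity token payload whose signature has already been verified: it enforces allowNonComputeTokens and allowedProjectIDs, emits the gcp_iit attributes, truncates label values to maxMetadataValueSize bytes and renders the pathTemplate. The claims and config are constructed, labels are passed in as if already fetched and validated against the Compute Engine API, and mapping the sub and email claims to the service_account attributes is an assumption of this example.

```python
import re

# Constructed sample payload in the shape of a GCP instance identity token
# (format=full) after signature verification; all values are made up.
SAMPLE_CLAIMS = {
    "iss": "https://accounts.google.com",
    "sub": "112233445566778899000",
    "email": "app-sa@my-project-id.iam.gserviceaccount.com",
    "google": {"compute_engine": {
        "project_id": "my-project-id", "project_number": 123456789012,
        "zone": "us-central1-a", "instance_id": "5512345678901234567",
        "instance_name": "web-1", "instance_creation_timestamp": 1700000000}},
}
# Constructed attestor config using the fields from the reference table.
SAMPLE_CONFIG = {"allowedProjectIDs": ["my-project-id"], "useInstanceMetadata": True,
                 "attributeLabelKeys": ["env"], "maxMetadataValueSize": 8}
COMPUTE_CLAIMS = ("instance_id", "instance_name", "project_number", "zone", "instance_creation_timestamp")

def attest(claims, config, labels=None, metadata=None):
    """Apply the gcp_iit policy to verified claims; return gcp_iit.* attributes or raise."""
    ce = claims.get("google", {}).get("compute_engine")
    if ce is None and not config.get("allowNonComputeTokens", False):
        raise ValueError("no compute_engine claims and allowNonComputeTokens is false")
    # Assumption of this example: `email` and `sub` map to the service_account attributes.
    attrs = {"gcp_iit.service_account.email": claims["email"],
             "gcp_iit.service_account.id": claims["sub"]}
    if ce is not None:
        attrs["gcp_iit.project_id"] = ce["project_id"]
        attrs.update({f"gcp_iit.{k}": str(ce[k]) for k in COMPUTE_CLAIMS})
    else:  # assumption: for non-compute tokens take the project from the SA email domain
        attrs["gcp_iit.project_id"] = claims["email"].split("@", 1)[1].split(".", 1)[0]
    if attrs["gcp_iit.project_id"] not in config["allowedProjectIDs"]:
        raise ValueError(f"project {attrs['gcp_iit.project_id']!r} is not in allowedProjectIDs")
    if config.get("useInstanceMetadata") and ce is not None:
        limit = config.get("maxMetadataValueSize", 128)
        # Emit only the configured keys and truncate each value to maxMetadataValueSize bytes.
        for kind, wanted, values in (("label", config.get("attributeLabelKeys", []), labels or {}),
                                     ("metadata", config.get("attributeMetadataKeys", []), metadata or {})):
            for key in wanted:
                if key in values:
                    attrs[f"gcp_iit.{kind}.{key}"] = values[key].encode()[:limit].decode("utf-8", "ignore")
    return attrs

def render_path(template, attrs):
    """Fill a svidPolicy pathTemplate such as /gcp/{{gcp_iit.project_id}}/... from attributes."""
    return re.sub(r"\{\{\s*([\w.]+)\s*\}\}", lambda m: attrs[m.group(1)], template)

def is_rejected(claims, config):  # True when the policy refuses the token
    try:
        attest(claims, config)
        return False
    except ValueError:
        return True
```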