Limiting GCP Workload Identity Access to Specific Azure Sentinel Connectors #11251
Comments
Hi @ghanashvi, Thanks for flagging this issue, we will investigate this issue and get back to you with some updates. Thanks!
Hi @v-rusraut and @v-sudkharat, Do you have any updates on the issue I raised?
Hi @ghanashvi, Sorry for the delay in response.
Thank you for the response @v-sudkharat. From the GCP side, we are able to authenticate to the data connector. However, on the Azure side, we can create different GCP data connectors, and all of them will be able to authenticate to the workload identity. Regarding documentation, in GCP there is no documentation for workload identity and Azure Sentinel authentication. However, there is documentation for Azure AD and GCP workload identity authentication. But when configuring authentication between the workload identity and the Azure Sentinel data connection, we have to specify the issuer and allowed audience, which are mentioned in the Microsoft documentation. We cannot use our account tenant ID and application ID in the workload identity and Azure Sentinel data connector authentication, as it will result in an error if we use our own account ID. So, is there any way in Azure to restrict workload identity authentication to a specific GCP data connector or a specific Log Analytics workspace where we are configuring the data connector?
Hi @ghanashvi, As of now, there is no such doc or way that we have found to meet your request. But we will note your query, and if we get any info on your request, we will share it with you.
I need to ingest GCP audit logs into Azure Sentinel using the GCP Pub/Sub audit log connector, with authentication handled through GCP Workload Identity. I have already set up the configuration, and it is working fine. In this setup, while configuring the provider issuer, one of the allowed audiences must match what is specified in the official Microsoft documentation. I have followed this configuration as required.
However, we now need to restrict authentication with the Workload Identity to only a specific data connector, ensuring that other connectors cannot authenticate. For example, if there are two connectors, only one should be allowed to authenticate, while the other should not.
I have not found a way to restrict the Workload Identity to a specific connector, which poses a security risk, as other GCP connectors could potentially authenticate using the same Workload Identity.
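Since the trust is defined on the GCP provider (issuer plus allowed audience) rather than per Sentinel connector, the practical defender's step is to know the blast radius: which pools trust the Sentinel issuer/audience and which service accounts a token from such a pool can impersonate. The audit below is an added example, not code from this issue or from the Azure Sentinel project; the issuer URI, audience, project number and the `gcloud`-shaped JSON are constructed placeholders, not the real values from the Microsoft documentation.

```python
"""Inventory GCP Workload Identity trust that accepts Azure Sentinel tokens."""
import re

# Placeholders standing in for the issuer/audience Microsoft documents (constructed).
SENTINEL_ISSUER = "https://sts.windows.net/PLACEHOLDER-TENANT-ID/"
SENTINEL_AUDIENCE = "api://PLACEHOLDER-APP-ID"

# Constructed output in the shape of
#   gcloud iam workload-identity-pools providers list --format=json
PROVIDERS = [
    {"name": "projects/123456/locations/global/workloadIdentityPools/sentinel-pool/providers/sentinel-oidc",
     "state": "ACTIVE",
     "oidc": {"issuerUri": SENTINEL_ISSUER, "allowedAudiences": [SENTINEL_AUDIENCE]},
     "attributeMapping": {"google.subject": "assertion.sub"}},
    {"name": "projects/123456/locations/global/workloadIdentityPools/ci-pool/providers/github",
     "state": "ACTIVE",
     "oidc": {"issuerUri": "https://token.actions.githubusercontent.com", "allowedAudiences": ["ci"]},
     "attributeCondition": "assertion.repository_owner == 'example-org'"},
]

# Constructed output in the shape of
#   gcloud iam service-accounts get-iam-policy SA --format=json, keyed by SA email.
SA_POLICIES = {
    "sentinel-reader@example.iam.gserviceaccount.com": {"bindings": [
        {"role": "roles/iam.workloadIdentityUser",
         "members": ["principalSet://iam.googleapis.com/projects/123456/locations/global/workloadIdentityPools/sentinel-pool/*"]}]},
}

POOL_RE = re.compile(r"^(projects/\d+/locations/global/workloadIdentityPools/[^/]+)/providers/")

def sentinel_trust_findings(providers, sa_policies):
    """Return one finding per provider that trusts the Sentinel issuer and audience.

    Each finding records the pool, whether the provider carries any attributeCondition,
    and every service account that ANY identity from that pool may impersonate through
    a pool-wide (/*) roles/iam.workloadIdentityUser binding.
    """
    findings = []
    for p in providers:
        oidc = p.get("oidc", {})
        if oidc.get("issuerUri") != SENTINEL_ISSUER or SENTINEL_AUDIENCE not in oidc.get("allowedAudiences", []):
            continue
        pool = POOL_RE.match(p["name"]).group(1)
        wildcard = f"principalSet://iam.googleapis.com/{pool}/*"
        impersonable = sorted({sa for sa, pol in sa_policies.items()
                               for b in pol.get("bindings", [])
                               if b["role"] == "roles/iam.workloadIdentityUser" and wildcard in b["members"]})
        findings.append({"provider": p["name"], "pool": pool,
                         "has_condition": bool(p.get("attributeCondition")),
                         "pool_wide_impersonation": impersonable})
    return findings
```

Feed it the real `gcloud` JSON for your project to see which service accounts are reachable by every Sentinel connector that presents the documented issuer and audience.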