Hello @Zorghost
I understand that you would like to understand the available options for securely authenticating and accessing Azure services from a Google Cloud Platform (GCP) Cloud Function. However, there are two key constraints to consider: assigning private keys to GCP service accounts is not permitted, and creating applications in Azure App Registrations is not allowed.
To authenticate from a Google Cloud Platform (GCP) Cloud Function to Azure services—without using private keys for GCP service accounts or creating applications in Azure App Registrations—you can utilize managed identities and workload identity federation. Managed identities for Azure resources enable authentication with services that support Microsoft Entra ID. For a list of supported Azure services, see services that support managed identities for Azure resources. These identities can be used directly or configured as a federated identity credential within a Microsoft Entra ID application.
The steps involved in using managed identities are as follows:
- Create a managed identity in Azure. You can choose between system-assigned managed identity or user-assigned managed identity. When using a user-assigned managed identity, you assign the managed identity to the source Azure Resource, such as a Virtual Machine, Azure Logic App or an Azure Web App.
- Authorize the managed identity to have access to the target service.
- Use the managed identity to access a resource. In this step, you can use any of the client libraries. Some source resources offer connectors that know how to use Managed identities for the connections. In that case, you use the identity as a feature of that source resource.
Workload Identity Federation enables using a managed identity as a credential, just like a certificate or password, on Entra ID Applications. Whenever an Entra ID app is required, this is the recommended way to be credential-free. There's a limit of 20 FICs when using managed identities as FICs on an Entra ID App.
A workload acting in the capacity of Entra ID application can be hosted on any Azure compute which has a managed identity. The workload uses the managed identity to acquire a token to be exchanged for an Entra ID Application token, via workload identity federation. This feature is also referred to as managed identity as FIC (Federated Identity Credentials). For more information, see configure an application to trust a managed identity.
Google Cloud. First, configure a trust relationship between your user-assigned managed identity or app in Microsoft Entra ID and an identity in Google Cloud. Then configure your software workload running in Google Cloud to get an access token from Microsoft identity provider and access Microsoft Entra protected resources. See Access Microsoft Entra protected resources from an app in Google Cloud.
For additional information, refer to these documents: https://learn.microsoft.com/en-us/entra/workload-id/workload-identity-federation
https://learn.microsoft.com/en-us/entra/identity/managed-identities-azure-resources/overview
Do let us know if you have any queries. We are happy to assist you further.
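The exchange described in the answer above (Google ID token from the Cloud Function's metadata server, presented to Entra as a client assertion), as an added example that is not part of the original post or of Microsoft's own samples. It assumes the user-assigned managed identity or app in Entra already has a federated identity credential whose issuer is `https://accounts.google.com`, whose subject is the function's service-account unique ID, and whose audience is `api://AzureADTokenExchange`; the tenant and client IDs are placeholders.

```python
import base64
import json
import urllib.parse
import urllib.request

# Google metadata server endpoint that mints an ID token for the function's service account
GCP_ID_TOKEN_URL = ("http://metadata.google.internal/computeMetadata/v1/"
                    "instance/service-accounts/default/identity")
ENTRA_AUDIENCE = "api://AzureADTokenExchange"   # audience Entra expects on the inbound assertion
GOOGLE_ISSUERS = ("https://accounts.google.com", "accounts.google.com")
JWT_BEARER = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"

def google_id_token_request(audience: str = ENTRA_AUDIENCE) -> urllib.request.Request:
    """Build the metadata-server request; only resolvable from inside GCP."""
    url = f"{GCP_ID_TOKEN_URL}?{urllib.parse.urlencode({'audience': audience})}"
    return urllib.request.Request(url, headers={"Metadata-Flavor": "Google"})

def unverified_claims(jwt: str) -> dict:
    """Decode the payload only; signature verification is Entra's job on the other side."""
    payload = jwt.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))

def assertion_matches_fic(jwt: str, expected_sub: str, audience: str = ENTRA_AUDIENCE) -> bool:
    """Local sanity check: iss/sub/aud must equal the federated credential's configuration,
    so a wrong audience or service account fails here instead of as an opaque AADSTS error."""
    c = unverified_claims(jwt)
    return c.get("iss") in GOOGLE_ISSUERS and c.get("sub") == expected_sub and c.get("aud") == audience

def entra_token_request(tenant_id: str, client_id: str, google_jwt: str, scope: str):
    """Client-credentials grant where the Google ID token is the client assertion (no secret)."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    form = {
        "grant_type": "client_credentials",
        "client_id": client_id,          # client ID of the managed identity / app holding the FIC
        "scope": scope,                  # e.g. https://management.azure.com/.default
        "client_assertion_type": JWT_BEARER,
        "client_assertion": google_jwt,
    }
    return url, form

def fetch_entra_token(tenant_id, client_id, expected_sub, scope):
    # End-to-end exchange; runs only inside a GCP function (metadata server + outbound HTTPS)
    with urllib.request.urlopen(google_id_token_request()) as r:
        google_jwt = r.read().decode()
    if not assertion_matches_fic(google_jwt, expected_sub):
        raise RuntimeError("Google ID token claims do not match the federated credential")
    url, form = entra_token_request(tenant_id, client_id, google_jwt, scope)
    req = urllib.request.Request(url, data=urllib.parse.urlencode(form).encode())
    with urllib.request.urlopen(req) as r:
        return json.load(r)["access_token"]
```

The returned access token is then used as a Bearer token against the target Azure service, subject to whatever role the managed identity was authorized for in the steps above.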