Last updated
As an admin, you can enable users in your CARTO organization to connect to Google BigQuery using Workload Identity Federation, instead of using Service Account keys or Google OAuth. Once this integration is enabled, the option will be available to all users whenever they create a new connection.
To finish the integration, you will need at least the Workload Identity Pool Admin role (roles/iam.workloadIdentityPoolAdmin) in Google Cloud, or an equivalent set of permissions. Additionally, you will need to be able to grant BigQuery permissions (IAM policy bindings) to identities from the resulting pool, in the project you intend to connect.
To start the process, navigate to Settings > Advanced Settings > Integrations, where you'll find an integration for Workload Identity Federation. Click on "Add" to begin the process. The integration configuration panel will open. Continue with the steps in this guide.
Copy the Issuer URL and download the JWK JSON provided by CARTO. You will need these two items during the next steps in the Google Cloud console.
Now, open your Google Cloud console and navigate to IAM & Admin > Workload Identity Pools. Click on Create Pool.
In the next step, you will need to define:
Name: a user-facing name that will be used to identify this pool in Google Cloud Platform
Pool ID: the internal ID that will be part of the final IAM identities.
You can also add a description. CARTO does not enforce any rule for the name or the pool ID, so you can define them in whatever way it is more clear for your organization.
Click on Continue, and you will be asked to add a provider to the pool. You will need to create a new provider with the following characteristics:
Provider type: OpenID Connect (OIDC)
Provider name: a user-facing name that will be used to identify this provider in your Google Cloud organization. CARTO does not enforce any special rule about the provider name.
Important:
Make sure you're using the Default audience.
Copy the Default audience, you will need it in the next steps.
Click on Continue, and the last step is to configure the provider attribute mapping. CARTO identifies users in this pool by their email address, which is carried in the sub claim of the token, so map google.subject to assertion.sub.
Optionally, you could add Attribute Conditions so that only some users are able to use this pool integration, but in most cases you won't need any additional condition.
Click on Save — Your pool is now created and you're ready to grant permissions to identities from this pool.
After you have created the Workload Identity Pool for CARTO, you will notice new IAM principals available from this pool, as well as logs and usage metrics.
The IAM Principal will always look something like: principal://iam.googleapis.com/projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/subject/CARTO_USER_EMAIL
You can now go to any resource in Google BigQuery and grant permissions to users in this pool, using their IAM Principal. You can also create and manage Google groups of users coming from CARTO to manage permissions at scale.
To get started with your first connection, grant the minimum required roles (roles/bigquery.dataEditor and roles/bigquery.user) to your own CARTO user from the pool, in the GCP billing project you will connect in CARTO.
To give a specific permission or role to all CARTO users, you can use a broader IAM principal set such as: principalSet://iam.googleapis.com/projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/*
Note that a principal set binding applies to every identity the pool accepts, including CARTO users added to your organization in the future, so reserve it for roles you are comfortable granting to all of them and use per-user principals (or Google groups) for anything more sensitive.
This is the way your organization will manage permissions from now on, for all users using Workload Identity Federation to connect CARTO and BigQuery, so make sure you are familiar with it.
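The console steps above can also be scripted. The following is an added example written for this guide, not CARTO's or Google's own tooling: it creates the pool and the OIDC provider with gcloud, maps google.subject to assertion.sub, leaves the provider on its default audience, and grants the two BigQuery roles to one CARTO user. The project, pool and provider identifiers, the issuer URL and the JWK file path are placeholders you must replace with the values CARTO and your Google Cloud project give you. By default it prints the gcloud commands instead of running them (DRY_RUN=1), so you can review the exact bindings before applying them with DRY_RUN=0.

```shell
#!/bin/sh
# Added example (not CARTO's or Google's code). All values below are assumed
# placeholders: replace them with the Issuer URL and JWK file from the CARTO
# integration panel and with your own project, pool and provider IDs.
set -eu

PROJECT_ID="${PROJECT_ID:-my-billing-project}"            # assumed: the GCP billing project CARTO will connect to
PROJECT_NUMBER="${PROJECT_NUMBER:-123456789012}"           # assumed: numeric project number of that project
POOL_ID="${POOL_ID:-carto-pool}"                           # assumed: pool ID chosen by you
PROVIDER_ID="${PROVIDER_ID:-carto-oidc}"                   # assumed: provider ID chosen by you
CARTO_ISSUER="${CARTO_ISSUER:-https://issuer.example.invalid}"  # assumed: paste the Issuer URL shown by CARTO
CARTO_JWK_FILE="${CARTO_JWK_FILE:-./carto-jwk.json}"       # assumed: the JWK JSON downloaded from CARTO
DRY_RUN="${DRY_RUN:-1}"                                    # 1 = print the gcloud commands, 0 = execute them

# IAM member string for a single CARTO user in the pool (the user's email is the subject).
carto_principal() {
  printf 'principal://iam.googleapis.com/projects/%s/locations/global/workloadIdentityPools/%s/subject/%s' \
    "$PROJECT_NUMBER" "$POOL_ID" "$1"
}

# IAM member string matching every identity the pool accepts (present and future CARTO users).
carto_principal_set() {
  printf 'principalSet://iam.googleapis.com/projects/%s/locations/global/workloadIdentityPools/%s/*' \
    "$PROJECT_NUMBER" "$POOL_ID"
}

# The audience a provider accepts when --allowed-audiences is not set: its full resource name.
default_audience() {
  printf 'https://iam.googleapis.com/projects/%s/locations/global/workloadIdentityPools/%s/providers/%s' \
    "$PROJECT_NUMBER" "$POOL_ID" "$PROVIDER_ID"
}

# Print or execute a command depending on DRY_RUN.
run() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Full procedure: $1 is the email of the CARTO user that gets the first grants.
setup_carto_wif() {
  # 1. Create the pool.
  run gcloud iam workload-identity-pools create "$POOL_ID" \
    --project="$PROJECT_ID" --location=global \
    --display-name="CARTO" --description="CARTO users via Workload Identity Federation"

  # 2. Create the OIDC provider from CARTO's issuer and JWK set, mapping the token's
  #    sub claim (the CARTO user email) to google.subject. No --allowed-audiences is
  #    passed, so the provider keeps the default audience that CARTO expects.
  #    To restrict the pool to one email domain, add for example:
  #    --attribute-condition='assertion.sub.endsWith("@example.com")'
  run gcloud iam workload-identity-pools providers create-oidc "$PROVIDER_ID" \
    --project="$PROJECT_ID" --location=global --workload-identity-pool="$POOL_ID" \
    --display-name="CARTO" --issuer-uri="$CARTO_ISSUER" --jwk-json-path="$CARTO_JWK_FILE" \
    --attribute-mapping="google.subject=assertion.sub"

  # 3. Grant the two roles the guide asks for to one user only; widen later with
  #    carto_principal_set or Google groups once the first connection works.
  member="$(carto_principal "$1")"
  for role in roles/bigquery.user roles/bigquery.dataEditor; do
    run gcloud projects add-iam-policy-binding "$PROJECT_ID" --member="$member" --role="$role"
  done

  # 4. Show the value to paste into the CARTO integration panel.
  printf 'Default audience: %s\n' "$(default_audience)"
}

# Usage: sh carto-wif.sh you@example.com   (DRY_RUN=0 to apply)
if [ $# -gt 0 ]; then setup_carto_wif "$1"; fi
```

The binding loop targets a principal:// member for one user on purpose; swapping in carto_principal_set grants the same roles to every current and future CARTO user in your organization, which is the trade-off discussed above.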
Now that the Workload Identity Pool exists in Google Cloud, and you know how to manage and grant permissions to identities from this pool, let's finish the integration in CARTO.
Issuer (URL): paste the Issuer URL that you copied from the CARTO integration panel earlier.
JWK File (JSON): upload the JWK JSON file that you downloaded from the CARTO integration panel earlier.
To complete the configuration, paste the Default Audience URL you copied from the Google Cloud console, confirm that you've granted the required BigQuery roles to your own CARTO user from the pool, and click on Save.
To validate that your integration is working, you can now create a BigQuery connection that uses Workload Identity Federation.
Nice! You've successfully integrated CARTO and Google BigQuery via Workload Identity Federation. Now, all users in your organization can use this integration to create BigQuery connections.
Workload Identity Federation is recommended over using Service Account keys. Google discourages the use of Service Account keys whenever possible, since they are long-lived secrets that must be stored and rotated, and authenticating your connections via Workload Identity Federation provides the same flexibility without them.
What is Workload Identity Federation and how does it work?
When you complete the integration, identities coming from CARTO (i.e. CARTO users) will be recognized in your Google Cloud account as part of a Workload Identity Pool. You can then assign granular permissions to each of those CARTO users, using IAM policy bindings directly in Google Cloud.
For example, you will be able to grant access to a BigQuery project for a specific set of CARTO users, or grant a specific permission to a specific group inside CARTO.
Learn more about Workload Identity Federation in Google Cloud.