Description
openedon Oct 10, 2024
I need to ingest GCP audit logs into Azure Sentinel using the GCP Pub/Sub audit log connector, with authentication handled through GCP Workload Identity. I have already set up the configuration, and it is working fine. In this setup, while configuring the provider issuer, one of the allowed audiences must match what is specified in the official Microsoft documentation. I have followed this configuration as required.
However, we now need to restrict authentication with the Workload Identity to only a specific data connector, ensuring that other connectors cannot authenticate. For example, if there are two connectors, only one should be allowed to authenticate, while the other should not.
I have not found a way to restrict the Workload Identity to a specific connector, which poses a security risk, as other GCP connectors could potentially authenticate using the same Workload Identity.