Turbot Guardrails can now bring an entire Google Cloud organization under governance using Workload Identity Federation — a keyless connection in which Guardrails authenticates to GCP with the AWS identity it already runs as. One federated, short-lived handshake connects your whole organization in a single move.
It is the same keyless model Guardrails brings to Azure, and in the Create Connection wizard it is marked Recommended for all deployments — simple to set up, with nothing to manage once it is in place.
No key to store, ever
The reason most cloud connections feel risky is the credential itself. A stored key is a standing liability — it can be copied, it can leak, and it always eventually expires at the worst possible moment. Workload Identity Federation removes that liability entirely by anchoring trust to the AWS identity Guardrails already runs as. Nothing is stored on your side or in Guardrails, so there is simply nothing to protect, rotate, or lose. It sits alongside other supported connection options, and the wizard surfaces it as the recommended choice.
Workload Identity Federation is marked Recommended — no long-lived credential required
Secure by design, and auditable
Keyless does not mean trust-everyone. Guardrails proves its AWS identity to Google's Security Token Service, Google exchanges that proven identity for permission to impersonate a service account you control, and it hands back short-lived access tokens that are used and then discarded. Access is limited to the exact AWS role Guardrails runs as — nothing else qualifies. Every time Guardrails uses that identity to reach your organization, the call is recorded in AWS CloudTrail, giving you a verifiable record of when and how the connection was made.
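To make the trust decision above concrete, here is an added illustration (not Guardrails' or Google's code) of two pieces of an AWS-to-GCP Workload Identity Federation setup: the provider-side check that admits only sessions of one exact AWS role, and the keyless credential configuration a client consumes in place of a stored key. The account number, role name, pool and provider names are constructed placeholders; the wizard-generated script supplies the real values.

```python
"""Added illustration (not Guardrails or Google code) of the trust decision an
AWS-to-GCP Workload Identity Federation provider makes, and of the keyless
credential config that replaces a stored key. All identifiers are constructed."""
import re

# Constructed placeholders; the wizard-generated script supplies the real ones.
AWS_ACCOUNT = "123456789012"
GUARDRAILS_ROLE = f"arn:aws:sts::{AWS_ACCOUNT}:assumed-role/GuardrailsRole"

def aws_role_attribute(arn: str) -> str:
    """Mirror Google's default attribute.aws_role mapping: an assumed-role
    session ARN (arn:aws:sts::ACCOUNT:assumed-role/ROLE/SESSION) is reduced to
    the role by dropping the session name; any other ARN is passed through."""
    m = re.fullmatch(r"(arn:aws:sts::\d{12}:assumed-role/[^/]+)/[^/]+", arn)
    return m.group(1) if m else arn

def qualifies(caller_arn: str, caller_account: str) -> bool:
    """Attribute condition equivalent to
    attribute.aws_role == GUARDRAILS_ROLE && attribute.account == AWS_ACCOUNT:
    only sessions of the exact Guardrails role, in the exact account, may be
    exchanged for a short-lived Google token. caller_arn and caller_account are
    what Google learns by replaying the caller's signed sts:GetCallerIdentity
    request, which is also the call that appears in AWS CloudTrail."""
    return caller_account == AWS_ACCOUNT and aws_role_attribute(caller_arn) == GUARDRAILS_ROLE

def credential_config(project_number: str, pool: str, provider: str, sa_email: str) -> dict:
    """Keyless 'external_account' config as consumed by google-auth clients. It
    holds only public identifiers, no secret: the client signs a GetCallerIdentity
    request with its ambient AWS role, trades it at token_url, then impersonates
    the service account for a short-lived access token that is later discarded."""
    audience = (f"//iam.googleapis.com/projects/{project_number}/locations/global/"
                f"workloadIdentityPools/{pool}/providers/{provider}")
    return {
        "type": "external_account",
        "audience": audience,
        "subject_token_type": "urn:ietf:params:aws:token-type:aws4_request",
        "token_url": "https://sts.googleapis.com/v1/token",
        "service_account_impersonation_url":
            f"https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/{sa_email}:generateAccessToken",
        "credential_source": {
            "environment_id": "aws1",
            "region_url": "http://169.254.169.254/latest/meta-data/placement/availability-zone",
            "url": "http://169.254.169.254/latest/meta-data/iam/security-credentials",
            "regional_cred_verification_url":
                "https://sts.{region}.amazonaws.com?Action=GetCallerIdentity&Version=2011-06-15",
        },
    }
```

Note that the configuration contains no private key or token of any kind, which is exactly why there is nothing to rotate or leak.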
One script, identical everywhere
The GCP-side setup is a single script the wizard generates for you. The wizard fills in the AWS account details automatically, so the experience is the same whether you run Guardrails as SaaS or self-hosted — there is no separate path to learn and nothing to wire up by hand. The script sets up the federation and grants Guardrails read-only access to the organization, and that is the entire installation — the Create Connection wizard walks you through every step.
A single generated script handles the GCP side — identical for SaaS and self-hosted
Discover the whole organization in one move
Run the script, return to the wizard, and Guardrails discovers your entire organization — every folder and every project — in a single move. No per-project key handoffs, no spreadsheet of accounts to onboard one at a time. The connection that took zero stored credentials to establish now gives you a complete map of the organization, ready to govern.
One keyless round-trip enumerates the whole organization — folders and projects
Control exactly what gets discovered
Discovering the whole organization does not mean taking it all on at once. You choose how deeply Guardrails looks, folder by folder and project by project. Bring an entire branch of the hierarchy under management, scope a single project, or leave parts untouched — the choice is yours, and it cascades sensibly so you set intent at the top and override only where you need to.
Choose how deeply to discover — per folder, per project, across the organization
Keyless connections for your entire stack
Keyless GCP connection with Workload Identity Federation brings the same prevention-first foundation that enterprise teams rely on across AWS, Azure, GitHub, and OCI. Connect an entire organization with zero stored credentials, anchor trust to the exact AWS identity Guardrails runs as, see every connection recorded in AWS CloudTrail, and let a single generated script handle the GCP side. Azure connects the very same keyless way.
The organization, now managed in Guardrails — connected without a single stored credential
Interested in connecting your GCP environment to Guardrails without a stored credential? Connect with us to get your free preventive security posture assessment.
