Workload Identity Federation: Audience

It is unclear to me how the audience field for Workload Identity Federation when using GCP should be defined.

The Workload Identity documentation states: 'Entity that your Workload Identity Federation provider intends the token for. Enter the audience value from your cloud provider's Identity Provider service.'

It appears that on the GCP Compute side the audience can be set arbitrarily when generating a token (see: Create short-lived credentials for a service account | IAM documentation | Google Cloud) and is typically set to the URL of the service being accessed.

Similarly, the pymongo documentation states: 'you can use the built-in support for GCP, where <audience> below is the audience configured on your MongoDB deployment.' (see: Authentication Examples - PyMongo 4.7.3 documentation)

I would like to clarify whether, when using GCP MONGO-OIDC, the audience is a value set by the GCP IAM service, set by me, or set by MongoDB (e.g. the cluster URL).

Hi @Robert_Cooper, the audience is the value set by the GCP IAM service. When using Atlas, you use that same value as the audience of the configured Workload Identity Provider.
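As an added illustration of the point made in this thread (example code, not from the forum posts, MongoDB or Google): the audience is something the workload chooses when it asks the GCP metadata server for an identity token, and it must equal the audience configured on the MongoDB deployment. The helper below decodes a token's `aud` claim locally (no signature check; MongoDB does that) so a misconfigured audience is caught before the driver connects. The metadata URL and `Metadata-Flavor` header are the documented GCP ones; the audience string and the sample token are constructed placeholders.

```python
import base64
import json
import urllib.request

# GCP metadata server endpoint that mints an ID token for the VM's service
# account; the caller picks the audience through the query string.
METADATA_IDENTITY_URL = (
    "http://metadata.google.internal/computeMetadata/v1/instance/"
    "service-accounts/default/identity"
)


def fetch_gcp_identity_token(audience: str) -> str:
    """Request an ID token whose aud is `audience` (only works on a GCP VM)."""
    req = urllib.request.Request(
        f"{METADATA_IDENTITY_URL}?audience={audience}",
        headers={"Metadata-Flavor": "Google"},
    )
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.read().decode()


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def token_audience(token: str) -> list[str]:
    """Return the aud claim(s) of a JWT without verifying its signature."""
    payload = json.loads(_b64url_decode(token.split(".")[1]))
    aud = payload.get("aud", [])
    return [aud] if isinstance(aud, str) else list(aud)


def audience_matches(token: str, configured_audience: str) -> bool:
    """True when the token was minted for the audience MongoDB is configured with."""
    return configured_audience in token_audience(token)


def _make_unsigned_jwt(claims: dict) -> str:
    """Constructed test token: header and payload only, empty signature."""
    def enc(d: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


# Constructed sample values; the audience is a placeholder, not a real deployment.
CONFIGURED_AUDIENCE = "https://example-atlas-cluster.invalid/oidc-audience"
SAMPLE_TOKEN = _make_unsigned_jwt({
    "iss": "https://accounts.google.com",
    "aud": CONFIGURED_AUDIENCE,
    "sub": "123456789012345678901",
})

if __name__ == "__main__":
    print(audience_matches(SAMPLE_TOKEN, CONFIGURED_AUDIENCE))
```

On a real VM, pass the deployment's configured audience to `fetch_gcp_identity_token` and run `audience_matches` on the result before handing that same audience value to the driver.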