Managed workload identities let you bind strongly attested identities to your Compute Engine workloads. Google Cloud provisions X.509 credentials issued from Certificate Authority Service that can be used to reliably authenticate your workload with other workloads over mutual TLS (mTLS) authentication.
To achieve this interoperability, managed workload identities are based on the Secure Production Identity Framework For Everyone (SPIFFE), which defines a framework and set of standards for identifying and securing communications between workloads. In SPIFFE, a managed workload identity is represented using the format
spiffe://POOL_ID.global.PROJECT_NUMBER.workload.id.goog/ns/NAMESPACE_ID/sa/MANAGED_IDENTITY_ID
Although managed workload identities can be used for authentication to other
workloads, they cannot be used for authenticating to Google Cloud APIs.
Resource hierarchy
Managed workload identities are defined within a workload identity pool, which acts as a trust boundary for all identities within the pool. The workload identity pool forms the trust domain component of the managed workload identity's SPIFFE identifier. We recommend creating a new pool for each logical environment in your organization, such as development, staging, or production.
Within a workload identity pool, managed workload identities are organized into administrative boundaries called namespaces. Namespaces help you organize and grant access to related workload identities.
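As an added example (not code from the Google Cloud documentation), the following Python parses a managed workload identity SPIFFE ID into its pool, project number, namespace, and identity components, and shows how an mTLS server can authorize a peer only when the peer is in the server's own workload identity pool (the trust boundary) and in an allowed namespace. The identity character set, the function names, and the sample IDs are assumptions.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional, Set
from urllib.parse import urlsplit

# Assumed ID character set (lowercase, digits, hyphens): a deliberately strict subset.
_ID = r"[a-z0-9][a-z0-9-]{0,62}"
# Trust domain: POOL_ID.global.PROJECT_NUMBER.workload.id.goog
_TRUST_DOMAIN_RE = re.compile(rf"^(?P<pool>{_ID})\.global\.(?P<project>\d+)\.workload\.id\.goog$")
# Path: /ns/NAMESPACE_ID/sa/MANAGED_IDENTITY_ID, with nothing before or after it
_PATH_RE = re.compile(rf"^/ns/(?P<ns>{_ID})/sa/(?P<sa>{_ID})$")


@dataclass(frozen=True)
class ManagedWorkloadIdentity:
    pool_id: str
    project_number: str
    namespace_id: str
    managed_identity_id: str


def parse_spiffe_id(spiffe_id: str) -> ManagedWorkloadIdentity:
    """Parse a managed workload identity SPIFFE ID; raise ValueError for anything else."""
    # urlsplit (not urlparse) so ';params' in the last path segment is not silently dropped.
    url = urlsplit(spiffe_id)
    if url.scheme != "spiffe" or url.query or url.fragment:
        raise ValueError(f"not a bare spiffe:// URI: {spiffe_id!r}")
    td = _TRUST_DOMAIN_RE.match(url.netloc)
    if td is None:
        raise ValueError(f"trust domain is not a managed workload identity pool: {url.netloc!r}")
    path = _PATH_RE.match(url.path)
    if path is None:
        raise ValueError(f"path is not /ns/<namespace>/sa/<identity>: {url.path!r}")
    return ManagedWorkloadIdentity(td["pool"], td["project"], path["ns"], path["sa"])


def is_authorized_peer(spiffe_id: str, expected_pool: str, expected_project: str,
                       allowed: Dict[str, Optional[Set[str]]]) -> bool:
    """Accept an mTLS peer only if it is in our own pool (trust boundary) and in an
    allowed namespace; a None value in `allowed` admits every identity in that namespace."""
    try:
        wid = parse_spiffe_id(spiffe_id)
    except ValueError:
        return False
    if wid.pool_id != expected_pool or wid.project_number != expected_project:
        return False  # another pool is another trust domain, even inside the same project
    if wid.namespace_id not in allowed:
        return False
    identities = allowed[wid.namespace_id]
    return identities is None or wid.managed_identity_id in identities
```

The SPIFFE ID is the URI SAN of the peer's X.509 certificate, so this check runs after the certificate chain has already been validated against the pool's trust bundle.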
You must allow your workload to use a managed workload identity using an attestation policy before the workload can be issued credentials for the managed workload identity. Workload attestation policies let you define which workload can be issued a credential for a managed workload identity based on the workload's verifiable attributes, such as project ID or resource name. A workload attestation policy ensures that only trusted workloads can use the managed identity.
You can authorize a workload to use a managed workload identity based on the service account that is attached to the workload.