Identities for workloads

Google Cloud provides the following types of identities for workloads:

  • Workload Identity Federation and Workload Identity Federation for GKE let your workloads access most Google Cloud services by using federated identities that are authenticated through an external identity provider (IdP). After Google Cloud authenticates the identity as a principal, the principal can access resources by using IAM roles that you grant.

    You can use Workload Identity Federation with workloads on Google Cloud or external workloads that run on platforms such as AWS, Azure, GitHub, and GitLab.

    You can use Workload Identity Federation for GKE with workloads running in GKE clusters to give them access to Google Cloud resources.

  • Google Cloud service accounts can act as identities for workloads in production environments. Instead of granting access to a workload directly, you grant access to a service account, then have the workload use the service account as its identity.

  • Managed workload identities (Preview) let you bind strongly attested identities to your Compute Engine workloads. You can use managed workload identities to authenticate your workloads to other workloads using mutual TLS (mTLS), but they cannot be used for authenticating to Google Cloud APIs.

The types of identities that you can use for workloads and the way that you configure them depends on where your workloads are running.

Workloads on Google Cloud

If you're running workloads on Google Cloud, you can use the following methods to configure identities for your workloads:

  • Attached service accounts
  • Workload Identity Federation for GKE (for workloads running on Google Kubernetes Engine only)
  • Managed workload identities (for workloads that run on Compute Engine only)
  • Service account keys

Attached service accounts

For some Google Cloud resources, you can specify a user-managed service account that the resource uses as its default identity. This process is known as attaching the service account to the resource, or associating the service account with the resource.

When code running on the resource accesses Google Cloud services and resources, it uses the service account attached to the resource as its identity. For example, if you attach a service account to a Compute Engine instance, and the applications on the instance use a client library to call Google Cloud APIs, those applications automatically use the attached service account for authentication and authorization.

In most cases, you must attach a service account to a resource when you create that resource. After the resource is created, you cannot change which service account is attached to the resource. Compute Engine instances are an exception to this rule; you can change which service account is attached to an instance as needed.

To learn more, see Attach a service account to a resource.

Workload Identity Federation for GKE

For workloads that run on GKE, Workload Identity Federation for GKE lets you grant IAM roles to distinct, fine-grained sets of principals, for each application in your cluster. Workload Identity Federation for GKE lets Kubernetes service accounts in your GKE cluster access Google Cloud resources directly, by using Workforce Identity Federation, or indirectly, by using IAM service account impersonation.

By using direct resource access, you can grant IAM roles to the Kubernetes service account identity directly on the Google Cloud service's resources. Most Google Cloud APIs support direct resource access. However, when using identity federation, certain API methods might have limitations. For a list of these limitations, see Supported products and limitations.

As an alternative, workloads can also use service account impersonation, where the configured Kubernetes ServiceAccount is bound to an IAM service account, which serves as the identity when accessing Google Cloud APIs.

To learn more about GKE Workload Identity Federation for GKE, see Workload Identity Federation for GKE.

Managed workload identities

Managed workload identities let you bind strongly attested identities to your Compute Engine workloads. You can use managed workload identities to authenticate your workloads to other workloads using mTLS, but they cannot be used for authenticating to Google Cloud APIs.

To learn more about managed workload identity, see Managed workload identities overview.

To learn more about using managed workload identities with Compute Engine workloads, see Authenticate workloads to other workloads over mTLS.

Service account keys

A service account key lets a workload authenticate as a service account, then use the service account's identity for authorization. Service account keys are a security risk if not managed correctly. You should choose a more secure alternative to service account keys whenever possible. If you must authenticate with a service account key, you are responsible for the security of the private key and for other operations described by Best practices for managing service account keys. If you are prevented from creating a service account key, service account key creation might be disabled for your organization. For more information, see Managing secure-by-default organization resources.

External workloads

If you're running workloads outside of Google Cloud, you can use the following methods to configure identities for your workloads:

  • Workload Identity Federation
  • Service account keys

Workload Identity Federation

Workload Identity Federation lets you use credentials from external identity providers like AWS and Azure Active Directory to generate short-lived credentials, which workloads can use to temporarily impersonate service accounts. Workloads can then access Google Cloud resources, using the service account as their identity.

Workload Identity Federation is the preferred way to configure identities for external workloads.

To learn more about Workload Identity Federation, see Workload Identity Federation.

Service account keys

A service account key lets a workload authenticate as a service account, then use the service account's identity for authorization. Service account keys are a security risk if not managed correctly. You should choose a more secure alternative to service account keys whenever possible. If you must authenticate with a service account key, you are responsible for the security of the private key and for other operations described by Best practices for managing service account keys. If you are prevented from creating a service account key, service account key creation might be disabled for your organization. For more information, see Managing secure-by-default organization resources.

Local development

If you're developing in a local environment, you can configure workloads to use your user credentials for authentication and authorization. For more information, see Local development environment in the authentication documentation.

What's next