Identity reflection is a special certificate issuance mode that limits an unprivileged certificate requester to requesting certificates with a SAN corresponding to the identity in their credential. For example, an Anthos Service Mesh (ASM) workload with a federated third-party identity token might be able to request a certificate with a SAN corresponding to its Mesh identity, but cannot request a certificate with any other SAN.
Request subject mode for the certificate
To use identity reflection, the subject_mode field on the requested certificate must be set to
The workload requesting identity reflection must have the roles/privateca.workloadCertificateRequester IAM role. For information on setting an IAM role, see Configuring IAM.
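The constraint described above (the requester may only obtain a certificate whose SAN is the identity in its own credential) can be expressed as a small policy check. The following is an added illustration, not CA Service's own implementation or API: the `CertRequest` dataclass, the `identity_reflection` flag and the `check_reflected_identity` function are assumptions made for this example, and the SPIFFE IDs in the test inputs are constructed.

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class CertRequest:
    """Simplified view of a certificate request (hypothetical, for illustration)."""
    identity_reflection: bool               # True when the caller asked for identity reflection
    uri_sans: List[str] = field(default_factory=list)
    dns_sans: List[str] = field(default_factory=list)
    email_sans: List[str] = field(default_factory=list)
    ip_sans: List[str] = field(default_factory=list)


def check_reflected_identity(caller_spiffe_id: str, req: CertRequest) -> Optional[str]:
    """Return None if the request is allowed under identity reflection, else the rejection reason.

    In identity-reflection mode the only SAN the unprivileged requester may ask for is
    the SPIFFE ID carried in its own (federated) credential; every other SAN is refused.
    Requests that do not use identity reflection are outside this check and are
    returned as allowed so that a separate, privileged policy can decide on them.
    """
    if not req.identity_reflection:
        return None

    # The reflected identity must itself be a well-formed SPIFFE URI.
    if not caller_spiffe_id.startswith("spiffe://") or len(caller_spiffe_id) <= len("spiffe://"):
        return "caller credential does not carry a SPIFFE identity"

    # Identity reflection permits only URI SANs; any DNS/email/IP SAN would let the
    # workload mint a certificate for a name its credential does not vouch for.
    for kind, values in (("dns", req.dns_sans), ("email", req.email_sans), ("ip", req.ip_sans)):
        if values:
            return f"{kind} SANs are not permitted under identity reflection: {values}"

    # The URI SAN set must be exactly the caller's own identity: no extra IDs,
    # no different ID, and no empty set (which would yield a certificate with no subject).
    if req.uri_sans != [caller_spiffe_id]:
        return (f"URI SAN must equal the credential identity {caller_spiffe_id!r}, "
                f"got {req.uri_sans!r}")

    return None


if __name__ == "__main__":
    me = "spiffe://example.org/ns/default/sa/web"  # constructed sample identity
    ok = CertRequest(identity_reflection=True, uri_sans=[me])
    other = CertRequest(identity_reflection=True, uri_sans=["spiffe://example.org/ns/default/sa/admin"])
    print(check_reflected_identity(me, ok))      # None: allowed
    print(check_reflected_identity(me, other))   # rejection reason
```

The point of returning a reason string rather than a bare boolean is that the refusal is the interesting event for a defender: it is what you would log and alert on, because a workload asking for a SAN other than its own identity is exactly the misuse identity reflection exists to prevent.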
- Learn more about SPIFFE.