Identity reflection for federated workloads

You can use Certificate Authority Service with workload identity pools and identity reflection to federate a third-party identity and obtain a certificate that attests to this identity.

Identity reflection is a special certificate issuance mode that limits an unprivileged certificate requester to requesting certificates whose subject alternative name (SAN) corresponds to the identity in its own credential. For example, an Anthos Service Mesh workload with a federated third-party identity token can request a certificate with a SAN corresponding to its Mesh identity, but cannot request a certificate with any other SAN.
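The following is an added illustration, not Certificate Authority Service code, of the policy rule identity reflection enforces: the only SAN a requester may obtain is the identity carried in its federated credential. The credential shape, the SPIFFE-style URI format, and the field names are assumptions made for the example; the actual mapping from a federated token to a SAN is defined by CA Service, not by this snippet.

```python
"""Model of the identity-reflection check (added example, not CA Service's own logic).

A federated credential asserts one identity; a certificate request in
reflection mode is allowed only if its SANs are exactly that identity.
"""
from dataclasses import dataclass, field
from typing import List


@dataclass(frozen=True)
class FederatedCredential:
    # Identity the third-party token asserts after federation through a
    # workload identity pool. The URI scheme and path layout are constructed
    # for this example (SPIFFE-style).
    subject_uri: str


@dataclass
class CertificateRequest:
    # SANs the requester asks for. Identity reflection only permits a SAN
    # equal to the credential's identity, so anything else is rejected.
    uri_sans: List[str] = field(default_factory=list)
    dns_sans: List[str] = field(default_factory=list)


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def evaluate(cred: FederatedCredential, req: CertificateRequest) -> Decision:
    """Decide whether the request is within the requester's reflected identity.

    Rules modelled here (assumed for the example):
      * DNS SANs are refused outright: the federated credential asserts none.
      * Exactly one URI SAN must be requested.
      * That URI must equal the credential's subject identity, compared as an
        exact string so that a look-alike path cannot slip through.
    """
    if req.dns_sans:
        return Decision(False, f"DNS SANs are not permitted in reflection mode: {req.dns_sans}")
    if len(req.uri_sans) != 1:
        return Decision(False, f"exactly one URI SAN is required, got {len(req.uri_sans)}")
    requested = req.uri_sans[0]
    if requested != cred.subject_uri:
        return Decision(
            False,
            f"requested SAN {requested!r} does not match credential identity {cred.subject_uri!r}",
        )
    return Decision(True, f"SAN {requested!r} reflects the federated identity")


def demo() -> List[Decision]:
    """Run constructed sample requests against one constructed credential."""
    # Constructed identity for a mesh workload; not a real deployment value.
    cred = FederatedCredential("spiffe://example-mesh.local/ns/default/sa/frontend")
    cases = [
        # The workload asks for its own identity: allowed.
        CertificateRequest(uri_sans=["spiffe://example-mesh.local/ns/default/sa/frontend"]),
        # The workload asks for another service's identity: refused.
        CertificateRequest(uri_sans=["spiffe://example-mesh.local/ns/default/sa/payments"]),
        # The workload adds a DNS SAN its credential never asserted: refused.
        CertificateRequest(
            uri_sans=["spiffe://example-mesh.local/ns/default/sa/frontend"],
            dns_sans=["api.example.internal"],
        ),
    ]
    return [evaluate(cred, req) for req in cases]


if __name__ == "__main__":
    for d in demo():
        print("ALLOW" if d.allowed else "DENY ", d.reason)
```

The point of the exact-match rule is that the issuance decision depends only on what the credential asserts, so an unprivileged requester cannot widen its certificate to cover a peer service or a hostname; that is the property to look for when reviewing any reflection-style issuance configuration.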

What's next