Identity reflection

Identity reflection is a special certificate issuance mode that limits an unprivileged certificate requester to requesting certificates with a SAN corresponding to the identity in their credential. For example, an Anthos Service Mesh (ASM) workload with a federated third-party identity token might be able to request a certificate with a SAN corresponding to its Mesh identity, but cannot request a certificate with any other SAN.

Request subject mode for the certificate

To use identity reflection, the subject_mode field on the requested certificate must be set to REFLECTED_SPIFFE.

The workload requesting identity reflection must be granted the roles/privateca.workloadCertificateRequester IAM role. For information on granting an IAM role, see Configuring IAM.
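The following is an added illustrative model of the property identity reflection enforces; it is not CA Service code and does not call the CA Service API. It assumes a simplified policy: a caller holding only the roles/privateca.workloadCertificateRequester role may request a certificate only in REFLECTED_SPIFFE mode, and the SAN the service issues is the SPIFFE ID carried in the caller's credential, so a request naming any other SAN is refused. The `DEFAULT` mode name, the `Caller`/`CertRequest` types and the `evaluate` function are assumptions for the example, and the SPIFFE IDs are constructed sample values.

```python
"""Illustrative model of the identity-reflection check (added example, not
CA Service code). It demonstrates the page's point: an unprivileged workload
can obtain a certificate whose SAN reflects its own credential identity, but
not one that names a different workload.
"""
from dataclasses import dataclass, field

# Subject request mode named on the page, plus an assumed ordinary mode used
# here only to show the contrast.
REFLECTED_SPIFFE = "REFLECTED_SPIFFE"
DEFAULT = "DEFAULT"  # assumption: the non-reflected mode

# IAM role named on the page.
WORKLOAD_REQUESTER_ROLE = "roles/privateca.workloadCertificateRequester"


@dataclass
class Caller:
    """The authenticated requester: SPIFFE ID from its credential and its roles."""
    spiffe_id: str
    roles: set = field(default_factory=set)


@dataclass
class CertRequest:
    """What the caller asked for: the subject mode and any URI SANs."""
    subject_mode: str
    uri_sans: list = field(default_factory=list)


def evaluate(caller: Caller, req: CertRequest):
    """Return (allowed, issued_uri_sans, reason) under the modelled policy.

    Modelled policy (an assumption simplified from the page's description):
      * REFLECTED_SPIFFE requires the workloadCertificateRequester role and
        issues exactly one URI SAN: the caller's own SPIFFE ID. Any other
        requested SAN is refused.
      * Any other mode is outside identity reflection; a caller that holds
        only the workload requester role is refused in that mode.
    """
    if req.subject_mode == REFLECTED_SPIFFE:
        if WORKLOAD_REQUESTER_ROLE not in caller.roles:
            return False, [], "missing " + WORKLOAD_REQUESTER_ROLE
        foreign = [s for s in req.uri_sans if s != caller.spiffe_id]
        if foreign:
            return False, [], "SAN does not reflect caller identity: %s" % foreign
        return True, [caller.spiffe_id], "SAN reflected from credential"
    if caller.roles <= {WORKLOAD_REQUESTER_ROLE}:
        return False, [], "unprivileged caller may only use REFLECTED_SPIFFE"
    # A more privileged caller falls under the ordinary issuance policy,
    # which this model does not attempt to reproduce.
    return True, list(req.uri_sans), "subject taken from request (privileged caller)"


if __name__ == "__main__":
    # Constructed sample mesh identity holding only the workload requester role.
    api = Caller("spiffe://example.com/ns/payments/sa/api", {WORKLOAD_REQUESTER_ROLE})
    other = "spiffe://example.com/ns/payments/sa/db"
    print(evaluate(api, CertRequest(REFLECTED_SPIFFE)))          # allowed, own SAN
    print(evaluate(api, CertRequest(REFLECTED_SPIFFE, [other])))  # refused
    print(evaluate(api, CertRequest(DEFAULT, [other])))           # refused
```

Running the block prints three decisions: the reflected request is allowed and receives the caller's own SPIFFE ID as its only URI SAN, while both attempts to obtain a certificate for another workload's identity are refused, which is the limit the mode exists to impose.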

