Escolha um método de autenticação de carga de trabalho
Mantenha tudo organizado com as coleções
Salve e categorize o conteúdo com base nas suas preferências.
Neste documento, descrevemos como autenticar aplicativos ou cargas de trabalho que estão em execução em um ambiente de produção no Compute Engine ou em teste localmente para implantação futura no ambiente de produção. Faça o seguinte:
Autentique suas cargas de trabalho para usar as APIs do Google
Autentique suas cargas de trabalho em outras cargas de trabalho por mTLS
Autentique suas cargas de trabalho para usar as APIs do Google
Use a tabela a seguir para determinar qual método de autenticação usar para suas cargas de trabalho.
Como autorizar apps e cargas de trabalho que precisam de acesso aos recursos do usuário final
Se você está criando ferramentas de desenvolvimento ou administração em que os usuários
concedem acesso aos recursos Google Cloud , consiga acesso
aos recursos para os usuários usando o OAuth 2.0. Para instruções detalhadas,
consulte
Como usar o OAuth 2.0 para aplicativos de servidor da Web.
Na solicitação, especifique um escopo de acesso que limite o acesso apenas a métodos e informações do usuário necessários ao aplicativo.
Para conferir uma lista completa de serviços e escopos necessários em Google Cloud,
consulte
Escopos do OAuth 2.0 para APIs do Google.
Autentique suas cargas de trabalho em outras cargas de trabalho por mTLS
É possível autenticar aplicativos ou cargas de trabalho usando identidades das cargas de trabalho gerenciadas. Esse método de autenticação usa uma conta de serviço, pools de autoridade de certificação (AC) e identidades das cargas de trabalho gerenciadas.
As identidades de cargas de trabalho gerenciadas permitem vincular identidades fortemente atestadas às
cargas de trabalho do Compute Engine. Google Cloud provisiona credenciais X.509
emitidas pelo Certificate Authority Service que podem ser
usadas para autenticar de maneira confiável sua carga de trabalho com outras cargas de trabalho por
TLS mútuo (mTLS).
A carga de trabalho usa a identidade da carga de trabalho gerenciada como identidade
quando é autenticada em outras cargas de trabalho usando TLS mútuo (mTLS)
e usa a conta de serviço como identidade quando acessa outros
Google Cloud serviços e recursos.
[[["Fácil de entender","easyToUnderstand","thumb-up"],["Meu problema foi resolvido","solvedMyProblem","thumb-up"],["Outro","otherUp","thumb-up"]],[["Difícil de entender","hardToUnderstand","thumb-down"],["Informações incorretas ou exemplo de código","incorrectInformationOrSampleCode","thumb-down"],["Não contém as informações/amostras de que eu preciso","missingTheInformationSamplesINeed","thumb-down"],["Problema na tradução","translationIssue","thumb-down"],["Outro","otherDown","thumb-down"]],["Última atualização 2025-09-03 UTC."],[[["\u003cp\u003eThis document outlines how to authenticate applications or workloads in production on Compute Engine or during local testing for future deployment.\u003c/p\u003e\n"],["\u003cp\u003eWorkloads running on Google Cloud VMs in production should use the attached service account for authentication to access Google APIs.\u003c/p\u003e\n"],["\u003cp\u003eWorkloads in development can utilize the Google Cloud SDK and Application Default Credentials for authentication, and for access to end-user resources, they can leverage OAuth 2.0.\u003c/p\u003e\n"],["\u003cp\u003eManaged workload identities are available for strongly attesting identities to Compute Engine workloads, using X.509 credentials for mutual TLS (mTLS) authentication between workloads.\u003c/p\u003e\n"],["\u003cp\u003eManaged workload identities can authenticate to other workloads using mTLS, while the service account provides authentication to other Google Cloud services.\u003c/p\u003e\n"]]],[],null,["*** ** * ** ***\n\nThis document describes how you authenticate applications or\nworkloads that are either running in a production environment on\nCompute Engine, or being tested locally for future deployment to the\nproduction environment. You can do the following:\n\n- Authenticate your workloads to use Google APIs\n- Authenticate your workloads to other workloads over mTLS\n\nAuthenticate your workloads to use Google APIs\n\nUse the following table to determine which authentication method to use\nfor your workloads.\n\n| **Task** | **Method** |\n|-----------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|\n| Authenticate apps or workloads that are in production | Use the service account that is attached to the VM. \u003cbr /\u003e This is the most common method for authenticating apps and workloads that are running on virtual machine (VM) instances on Google Cloud. For detailed instructions, see [Authenticate workloads to Google Cloud APIs using service accounts](/compute/docs/access/authenticate-workloads). |\n| Authenticate apps or workloads that are in development | Use Google Cloud SDK and Application Default Credentials. For more information, see [Set up ADC for a local development environment](/docs/authentication/set-up-adc-local-dev-environment). |\n| Authorizing apps and workloads that need access to end-user resources | If you are building development or administration tools where users grant you access to their Google Cloud resources, get your application access to user resources by using OAuth 2.0. For detailed instructions, see [Using OAuth 2.0 for Web Server Applications](https://developers.google.com/identity/protocols/oauth2/web-server). \u003cbr /\u003e In your request, specify an access scope that limits your access to only the methods and user information that your application requires. For a full list of services and required scopes across Google Cloud, see [OAuth 2.0 Scopes for Google APIs](https://developers.google.com/identity/protocols/oauth2/scopes). |\n\nAuthenticate your workloads to other workloads over mTLS\n| **Preview**\n|\n|\n| This feature is subject to the \"Pre-GA Offerings Terms\" in the\n| General Service Terms section of the\n| [Service Specific Terms](/terms/service-terms#1).\n| Pre-GA features are available \"as is\" and might have limited support. For more\n| information, see the\n| [launch stage descriptions](/products#product-launch-stages).\n|\n| For information about access to this release, see the\n| [access request page](https://forms.gle/KC1Lq77gMn3kTtWDA).\n\nYou can authenticate applications or workloads using\n[managed workload identities](/iam/docs/managed-workload-identity). This\nauthentication method uses a service account, certificate authority (CA) pools,\nand managed workload identities.\n\nManaged workload identities let you bind strongly attested identities to\nyour Compute Engine workloads. Google Cloud provisions X.509 credentials\nissued from the [Certificate Authority Service](/certificate-authority-service) that can\nbe used to reliably authenticate your workload with other workloads over\n[mutual TLS (mTLS)](/chrome-enterprise-premium/docs/understand-mtls)\nauthentication.\n\nYour workload uses the managed workload identity as its\nidentity when it authenticates to other workloads using mutual TLS (mTLS),\nand uses the service account as its identity when it accesses other\nGoogle Cloud services and resources.\n\nFor more information, see\n[Authenticate workloads to other workloads over mTLS](/compute/docs/access/authenticate-workloads-over-mtls).\n\nWhat's next\n\n- Learn more about the following concepts:\n - [Authenticate to Compute Engine](/compute/docs/authentication)\n - [Authentication methods at Google](/docs/authentication)\n - [Managed workload identities](/iam/docs/managed-workload-identity)"]]
