Workforce identity federation: supported products and limitations

Overview

This page contains a list of Google Cloud products that support workforce identity federation, as well as a list of known product limitations.

Workforce identity federation provides customers with access to Google Cloud products using their native or other cloud identities.

Google Cloud products and limitations

This section lists products that support workforce identity federation and their associated limitations.

Supported products Identity federation launch stage Limitations

APIs and Services

UI:	Credential management isn't supported. OAuth brand management isn't supported.
API:	No known limitations
Other:	No known limitations

Artifact Registry

UI:	The Container Analysis API doesn't support identity federation, so vulnerabilities information is hidden.
API:	No known limitations
Other:	Container Registry doesn't support identity federation. There is an information banner in the settings page in Container Registry transition .

BigQuery

UI:	Scheduling queries isn't supported. Saving queries isn't supported.
API:	The following APIs don't support workforce identity federation with BigQuery: Analytics Hub BigQuery BI Engine BigQuery Data Transfer Service BigQuery Connection API BigQuery Migration Service The `tabledata.insertAll` method doesn't support workforce identity federation.
Other:	The following features don't support workforce identity federation with BigQuery: Connected Sheets Google Drive The following operations don't support workforce identity federation: DDL access to the BigQuery Reservation API. Loading data from Amazon S3, Azure Blob Storage, Google Drive, or local files. The following BigQuery ML models don't support workforce identity federation: AutoML Tables TensorFlow

Cloud Bigtable

UI:	The key visualizer isn't available for workforce identity federation. The UI cost calculator isn't available for workforce identity federation.
API:	No known limitations
Other:	No known limitations

Cloud Billing

UI:	When Cloud billing Web UI support is used with identity federation, only the following functionality is supported: View linked projects Verify the billing status of your project Enable, disable, or change billing for a project
API:	Cloud Billing Budget API doesn't support workforce identity federation. The following Cloud Billing Account APIs don't support workforce identity federation. billingAccounts.create billingAccounts.patch
Other:	Only invoiced billing accounts are supported.

Cloud Console

UI:	See About the console (federated) Language preference is selected at sign-on and can't be updated within the console. Product notifications, updates and offers can't be enabled on the communication preferences page. Personalization based on your Cloud console activity is unsupported. The Recommendation Hub page is unavailable. The Transparency and Control Center page is unavailable.
API:	No known limitations
Other:	Workforce identity federation users aren't eligible for Google Cloud Free Trial.

Compute Engine

Preview

UI:	SSH-in-browser doesn't support workforce identity federation.
API:	Compute Engine APIs are available in public preview for workforce identity federation users. Configuring Public DNS PTR Record on VM Instances isn't supported, so this feature is disabled. For domains that have not been validated, do the following: Create a new Google Account Verify domain ownership using this new Google Account For domains that have been validated, including after the previous step, do the following: Add a service account or Google users to the domain owners (If using a service account) Impersonate this service account to create a VM with gcloud CLI Exporting images isn't supported. To export images, we recommend that you use a service account with gcloud CLI . Creating an image or disk from a storage object isn't supported. To create an image or disk from a storage object we recommend that you use a service account with gcloud CLI . `instances.getLicenses` isn't supported. To use the `instances.getLicenses` method, we recommend that you use service account credentials .
Other:	No known limitations

Data Catalog

UI:	In the edit steward dialog on the entry details page, contact suggestions aren't shown.
API:	Search and starring is supported.
Other:	No known limitations

Dataflow

UI:	`datapipelines.googleapis.com` : The Dataflow Data Pipelines page doesn't support workforce identity federation.
API:	`google.dataflow.v1beta3.SqlValidator.Validate` : Dataflow SQL Validator APIs don't support workforce identity federation.
Other:	No known limitations

Dataproc

UI:	Workforce identity federation users can perform create, view, update, and delete operations in Cluster, Jobs, and Batches list pages. Workflows, Autoscaling policies, and component exchange aren't available to workforce identity federation users. Cluster create functionality is available, except for Dataproc on GKE cluster creation, Dataproc Compute Engine cluster with personal authentication, or with Component Gateway enabled. The "Output" section in the Batch and Job detail page isn't available for workforce identity federation users. The "Recommend Alert" section in the Cluster and Job list page isn't available for workforce identity federation users.
API:	Dataproc Component Gateway doesn't support workforce identity federation. Dataproc on GKE doesn't support workforce identity federation. Dataproc Personal Authentication doesn't support workforce identity federation. Dataproc Service Account Based Secure Multi-tenancy doesn't work with workforce identity federation.
Other:	No known limitations

Cloud DNS

Preview

UI:	The Cloud Domains page isn't available.
API:	No known limitations
Other:	No known limitations

Filestore

UI:	Billing information isn't visible on the Instance create , Instance edit , and Restore backup to New instance pages.
API:	No known limitations
Other:	No known limitations

Identity and Access Management

UI:	The name column within the IAM table doesn't show display names for Google identities. When adding new principals to allow policies, the Add principals text field supports only autocompletion for service accounts. The Add exempted principal text field in the Audit Logs page supports only autocompletion for service accounts.
API:	No known limitations
Other:	No known limitations

Cloud Key Management Service

UI:	No known limitations
API:	No known limitations
Other:	No known limitations

Google Kubernetes Engine

UI:	Google Container Registry tab isn't available for workforce identity federation. You must manually input the image path for an existing container image.
API:	No known limitations
Other:	No known limitations

Cloud Logging

UI:	No known limitations
API:	No known limitations
Other:	No known limitations

Memorystore for Redis

UI:	The Cost estimate UI is unavailable.
API:	No known limitations
Other:	No known limitations

Cloud Monitoring

UI:	No known limitations
API:	No known limitations
Other:	The legacy Cloud Monitoring agent doesn't support sending metrics with identity federation. Instead, workforce identity federation users can install the Ops Agent .

Pub/Sub

UI:	No known limitations
API:	Pub/Sub Lite API doesn't have endpoints that support workforce identity federation.
Other:	No known limitations

Cloud Resource Manager

UI:	Workforce identity federation users can only view and operate on the organization for which workforce identity federation was configured. Other organizations to which the users are added are not displayed in the Google Cloud console. Wait times for certain operations to be reflected in the UI are long—for example, creating a project or folder.
API:	Tags aren't supported for workforce identity federation users.
Other:	No known limitations

Cloud Run

UI:	Continuous deployment with Cloud Build is disabled for workforce identity federation. Existing VPC connectors aren't listed for workforce identity federation. You must create them manually.
API:	No known limitations
Other:	The IAM permission `run.routes.invoke` , which manages access to Cloud Run service endpoints, doesn't support workforce identity federation.

Secret Manager

UI:	No known limitations
API:	No known limitations
Other:	No known limitations

Cloud HSM

UI:	No known limitations
API:	No known limitations
Other:	No known limitations

Cloud Spanner

UI:	No known limitations
API:	No known limitations
Other:	No known limitations

Speaker ID

UI:	No known limitations
API:	No known limitations
Other:	No known limitations

Cloud SQL

UI:	No known limitations
API:	No known limitations
Other:	The Help Assistant isn't supported.

Cloud Storage

Preview

UI:	Authenticated browser downloads aren't supported. Object data can be downloaded via gsutil, the API, or client libraries. Viewing object details requires uniform bucket-level access to be enabled for the bucket. Process with Cloud Functions isn't supported. Scan with Cloud Data Loss Prevention isn't supported.
API:	Workforce identity federation with all Cloud Storage APIs is supported only for uniform bucket-level access buckets. Workforce identity federation access to buckets with fine-grained access control lists (ACLs) is rejected. Workforce identity federation with authenticated browser downloads isn't supported. Although anyone can use existing signed URLs , workforce identity federation users cannot generate signed URLs. Workforce identity federation users cannot use object change notification .
Other:	No known limitations

Cloud Customer Care

UI:	Due to the limitations of Cloud Billing for workforce identity federation , billing related Support is accessible only to the organization’s administrator through the Google Cloud account used to set up the billing account. Workforce identity federation users can upload—but not download—Support Case-related files. These files are visible to the Support Engineers who handle your cases. Contact details (e.g. Email Address) cannot be changed for workforce identity federation users once interaction with Support has started.
API:	Cloud Support API doesn't support workforce identity federation.
Other:	No known limitations

Cloud Vision API

UI:	No known limitations
API:	No known limitations
Other:	No known limitations