Workforce identity federation: supported products and limitations

Overview

This page provides details of limitations and the level of support for each Google Cloud product that can use workforce identity federation.

Workforce identity federation lets your workforce—employees, vendors, partners, and other users—access Google Cloud products by using an identity provider (IdP). Your workforce can access Google Cloud through the Google Cloud console, the Google Cloud CLI, or a Google Cloud API.

Google Cloud products and limitations

This section lists products that support workforce identity federation and their associated limitations.

Product | Identity federation launch stage | Limitations

Access Approval

GA
UI: No known limitations
API: No known limitations
Other: No known limitations

Access Context Manager

GA
UI: No known limitations
API:
  • v1alpha APIs aren't available for workforce identity federation users.
  • v1alpha APIs aren't available for workload identity federation workloads.
Other: No known limitations

Access Transparency

GA
UI: No known limitations
API: No known limitations
Other: No known limitations

Agent Assist

Unsupported
Alternatives: No alternatives available

AlloyDB for PostgreSQL

GA
UI: The following fleet health features aren't supported while using workforce identity federation:
  • Performance and Backups summary cards
  • Data in the clusters table, such as CPU percentage and Memory Available
API: No known limitations
Other: No known limitations

Anthos Service Mesh

GA
UI: No known limitations
API: In-cluster control plane doesn't support workforce identity federation.
Other: No known limitations

Anti Money Laundering AI

GA
UI: No known limitations
API: No known limitations
Other: No known limitations

API Gateway

Unsupported
Alternatives: No alternatives available

Apigee

Unsupported
Alternatives: No alternatives available

APIs and Services

GA
UI:
API: No known limitations
Other: No known limitations

App Engine

Unsupported
Alternatives: Google recommends that you use Cloud Run as an alternative.

Application Integration

GA
UI: No known limitations
API: No known limitations
Other: No known limitations

Artifact Registry

GA
UI: No known limitations
API: No known limitations
Other:
  • Container Registry doesn't support identity federation. An information banner on the Container Registry settings page covers the transition.

Assured Workloads

GA
UI: No known limitations
API: No known limitations
Other: No known limitations

BigQuery

GA
UI: Saving queries isn't supported.
API: The following APIs don't support workforce identity federation with BigQuery:
Other:
  • The following features don't support workforce identity federation with BigQuery:
  • The following operations don't support workforce identity federation:
    • Loading data from Amazon S3, Azure Blob Storage, or Google Drive.

Binary Authorization

GA
UI: No known limitations
API: No known limitations
Other: No known limitations

Certificate Authority Service

GA
UI: No known limitations
API: No known limitations
Other: No known limitations

Certificate Manager

GA
UI: No known limitations
API: No known limitations
Other: No known limitations

Channel Services

GA
UI: No known limitations
API: No known limitations
Other: No known limitations

Chronicle

GA
UI: No known limitations
API: No known limitations
Other: No known limitations

Cloud Asset Inventory

GA
UI: In the IAM policy tab, the Analyze Full Access button is unavailable for workforce identity federation users.
API:

When using the analyzeIamPolicy or the analyzeIamPolicyLongrunning method, workforce identity federation users might receive incomplete analysis results because of the following:

  • Workforce identity federation users can't check the membership of Google groups in allow policies. As a result, when workforce identity federation users try to analyze access for a principal, the query results don't include permissions and roles that the principal has due to their membership in a group.
  • When analyzing access, workforce identity federation users can't expand groups to see the individual users inside of each group.

Workforce identity federation users can't use the following API methods:

Other: No known limitations

Bigtable

GA
UI: No known limitations
API: No known limitations
Other: No known limitations

Cloud Billing

GA
UI:
API:
Other: No known limitations

Cloud Build

GA
UI: No known limitations
API: No known limitations
Other: No known limitations

Cloud CDN

GA
UI: No known limitations
API: No known limitations
Other: No known limitations

Cloud Code

Unsupported
Alternatives: No alternatives available

Cloud Composer

GA
UI: No known limitations
API: No known limitations
Other:
  • Cloud Composer supports workforce identity federation only for environments created in Composer version 2.1.11 or later and Airflow version 2.4.3 or later. Upgrading an environment from an earlier version does not enable workforce identity federation support.
  • Email messages sent from Airflow only include the Airflow UI link that is accessible by Google accounts. To access the Airflow UI as a workforce identity federation user, the link must be manually updated (changed to the URL for workforce identity federation users).
  • Cloud Storage limitations apply to Cloud Composer environment bucket.

Cloud Console

GA
UI: Workforce identity federation users can only access the Google Cloud workforce identity federation console, also known as the console (federated). They cannot access the Google Cloud console. The console (federated) provides limited access to only those Google Cloud products that support workforce identity federation. For more information, see About the console (federated). Additionally, the console (federated) has the following limitations:
  • Language preference is selected at sign-on and can't be updated within the console.
  • Product notifications, updates and offers can't be enabled on the communication preferences page.
  • Personalization based on your Google Cloud console activity is unsupported.
  • The Transparency and Control Center page is unavailable.
API: No known limitations
Other: Workforce identity federation users aren't eligible for Google Cloud Free Trial.

Cloud Customer Care

GA
UI:
  • Due to the limitations of Cloud Billing for workforce identity federation, billing-related support is accessible only to the organization's administrator through the Google Cloud account used to set up the billing account.
  • Workforce identity federation users can upload—but not download—support case-related files. These files are visible to the Support Engineers who handle your cases.
  • Contact details (e.g. Email Address) cannot be changed for workforce identity federation users once interaction with Support has started.
API: Cloud Support API doesn't support workforce identity federation.
Other: No known limitations

Cloud Data Fusion

GA
UI: Workforce identity federation users can create, update, and delete instances, but they cannot access individual instances.
API: Workforce identity federation users can only manage instances, for example creating, updating, and deleting an instance, but they cannot access individual instances.
Other: No known limitations

Cloud Deploy

GA
UI: Cloud Storage buckets must have uniform bucket-level access enabled to view Cloud Deploy artifacts.
API: No known limitations
Other: Cloud Storage buckets created through Cloud Deploy have uniform bucket-level access enabled.

Cloud Deployment Manager

Unsupported
Alternatives: No alternatives available

Cloud DNS

GA
UI: The Cloud Domains page isn't available.
API: Cloud DNS has a limitation on the number of name server shards. To learn more, see Name server limits. Before allocating the final name server shard, Cloud DNS verifies ownership of the domain, which cannot be performed for workforce identity federation users.
Other: No known limitations

Cloud Domains

Unsupported
Alternatives: No alternatives available

Cloud Endpoints

Unsupported
Alternatives: No alternatives available

Cloud Next Generation Firewall

GA
UI: No known limitations
API: No known limitations
Other: No known limitations

Cloud Fleet Routing

GA
UI: No known limitations
API: No known limitations
Other: No known limitations

Cloud Functions

GA
UI:
  • Existing VPC connectors aren't listed for workforce identity federation. You must create them manually.
  • Build worker pools aren't supported for workforce identity federation.
  • Pre-deployment testing isn't supported for workforce identity federation.
API: No known limitations
Other: No known limitations

Cloud Healthcare API

GA
UI: No known limitations
API: No known limitations
Other: No known limitations

Cloud HSM

GA
UI: No known limitations
API: No known limitations
Other: No known limitations

Cloud Intrusion Detection System

GA
UI: No known limitations
API: No known limitations
Other: No known limitations

Cloud Key Management Service

GA
UI: No known limitations
API: No known limitations
Other: No known limitations

Cloud Load Balancing

GA
UI: No known limitations
API: No known limitations
Other: No known limitations

Cloud Logging

GA
UI: No known limitations
API: No known limitations
Other: No known limitations

Cloud Monitoring

GA
UI:
API: No known limitations
Other: The legacy Cloud Monitoring agent doesn't support sending metrics with identity federation. Instead, workforce identity federation users can install the Ops Agent.

Cloud NAT

GA
UI: No known limitations
API: No known limitations
Other: No known limitations

Cloud Profiler

Unsupported
Alternatives: No alternatives available

Cloud Run

GA
UI:
API: No known limitations
Other: The IAM permission run.routes.invoke, which manages access to Cloud Run service endpoints, doesn't support workforce identity federation.

Cloud Run for Anthos

GA
UI:
API: No known limitations
Other: When using workforce identity federation, Cloud Run for Anthos requires a cluster with managed Anthos Service Mesh.

Cloud Scheduler

GA
UI:
  • The App Engine Cron Jobs tab isn't available for workforce identity federation users.
  • The App Engine option in the target type configuration isn't available for workforce identity federation users.
API: The Cloud Scheduler API does not support workforce identity federation for jobs that have their target attribute set to appEngineHttpTarget. To send a job to an App Engine target using workforce identity federation, create your job with the target type set to httpTarget and the uri field set to the full URI path of your App Engine target.
Other: No known limitations

Cloud Shell

Unsupported
Alternatives: Google recommends that you use Cloud Workstations as an alternative.

Cloud Source Repositories

Unsupported
Alternatives: No alternatives available

Spanner

GA
UI: No known limitations
API: No known limitations
Other: No known limitations

Cloud SQL

GA
UI: No known limitations
API: No known limitations
Other:

Cloud Storage

GA
UI:
  • Viewing object details requires uniform bucket-level access to be enabled for the bucket.
  • Process with Cloud Functions isn't supported.
  • Scan with Cloud Data Loss Prevention isn't supported.
API:
Other: No known limitations

Cloud Tasks

GA
UI: The App Engine routing override option isn't available for workforce identity federation users.
API: The Cloud Tasks API does not support workforce identity federation for tasks that have App Engine targets.
  • App Engine queues: Since App Engine queues (queues created using a queue.yaml or queue.xml file) contain only tasks with App Engine targets, all tasks in these queues are not supported.
  • Regular queues: For regular Cloud Tasks queues, tasks with HTTP targets are supported. Tasks with App Engine targets are not supported (even though the queue is not an App Engine queue).
Other: No known limitations

Cloud Trace

Unsupported
Alternatives: No alternatives available

Cloud Translation

Unsupported
Alternatives: No alternatives available

Cloud Vision API

GA
UI: No known limitations
API: No known limitations
Other: No known limitations

Cloud Workstations

GA
UI: Workforce identity federation users who want to launch a workstation must use either the Google Cloud console or the Workstations API. To use the Workstations API, see Connect to the workstation in your browser.
Workforce identity federation doesn't support re-authentication by directly accessing an existing Workstation, for example, if you've bookmarked your Workstation in the past. Instead, workforce identity federation users can re-authenticate as described earlier in this section.
API: No known limitations
Other: No known limitations

Compute Engine

GA
UI:
API:
Other: No known limitations

Confidential Space

GA
UI: No known limitations
API: No known limitations
Other: No known limitations

Contact Center AI Insights

Unsupported
Alternatives: No alternatives available

Contact Center AI Platform

GA
UI: CCAI Platform cannot be set up by a workforce identity federation user through the CCAI Platform console.
API: No known limitations
Other: To set up CCAI Platform through the gcloud CLI, workforce identity federation users must contact Customer Care.

Context-Aware Access

GA
UI:
  • In Add principals to the Google Cloud console & APIs, the Group ID text field doesn't support autocomplete or provide validation for workforce identity federation users.
  • For workforce identity federation users, Google Groups are identified by their IDs rather than their names.
API: No known limitations
Other: No known limitations

Data Catalog

GA
UI: In the edit steward dialog on the entry details page, contact suggestions aren't shown.
API: No known limitations
Other: No known limitations

Database Migration Service

GA
UI: No known limitations
API: No known limitations
Other: No known limitations

Dataflow

GA
UI: No known limitations
API: google.dataflow.v1beta3.SqlValidator.Validate: Dataflow SQL Validator APIs don't support workforce identity federation.
Other: No known limitations

Dataform

GA
UI: No known limitations
API: No known limitations
Other: No known limitations

Dataplex

GA
UI:
API: Explore related environments and sessions APIs on Dataplex don't support workforce identity federation.
Other: No known limitations

Dataproc

GA
UI:
  • Workforce identity federation users can perform create, view, update, and delete operations in Cluster, Jobs, and Batches list pages. Workflows, Autoscaling policies, and component exchange aren't available to workforce identity federation users.
  • Cluster creation is available, except for Dataproc on GKE clusters, Dataproc on Compute Engine clusters with personal authentication, and clusters with Component Gateway enabled.
  • The "Output" section in the Batch and Job detail page isn't available for workforce identity federation users.
  • The "Recommend Alert" section in the Cluster and Job list page isn't available for workforce identity federation users.
API:
Other: No known limitations

Dataproc Metastore

GA
UI: No known limitations
API: No known limitations
Other: No known limitations

Datastore

GA
UI: Key Visualizer doesn't support workforce identity federation.
API: No known limitations
Other: No known limitations

Datastream

GA
UI: No known limitations
API: No known limitations
Other: No known limitations

Document AI

GA
UI: No known limitations
API: No known limitations
Other: No known limitations

Duet AI

GA
UI: No known limitations
API: No known limitations
Other: No known limitations

Endpoint Verification

Unsupported
Alternatives: No alternatives available

Enterprise Knowledge Graph

Unsupported
Alternatives: No alternatives available

Error Reporting

GA
UI: No known limitations
API: No known limitations
Other: No known limitations

Eventarc

GA
UI: Although you can use an existing workflow as an Eventarc trigger destination, workforce identity federation users can't create new workflows.
API: Third-party event publishing using a ChannelConnection resource is not supported with workforce identity federation.
Other: No known limitations

Filestore

GA
UI: Billing information isn't visible on the Instance create, Instance edit, and Restore backup to New instance pages.
API: No known limitations
Other: No known limitations

Firestore

GA
UI:
API: No known limitations
Other: No known limitations

GKE Enterprise

GA
UI:
  • When you log into any external (GKE Enterprise) clusters, the option Use your Google identity isn't available for workforce identity federation.
  • When you create or attach any external (GKE Enterprise) clusters, you won't automatically be added as an administrator for workforce identity federation.
API: No known limitations
Other: gkeadm, gkectl, and bmctl don't support workforce identity federation.

Google Cloud Armor

GA
UI: No known limitations
API: No known limitations
Other: No known limitations

Google Cloud Marketplace

GA
UI:
  • Cloud Marketplace contains links to Google domains that might not support workforce identity federation.
  • VM deployments don't support workforce identity federation.
  • SaaS sign-up and SSO login do not support workforce identity federation.
  • Producer Portal doesn't support workforce identity federation.
  • Request Procurement does not support workforce identity federation.
  • Service Catalog doesn't support workforce identity federation.
API: Partner API doesn't support workforce identity federation.
Other: Customers don't receive notifications if no email address is provided by Billing Account Admins or Product Owners.

Google Cloud Migration Center

Preview
UI:
API: No known limitations
Other: No known limitations

Google Cloud SDK

GA
UI: No known limitations
API: No known limitations
Other: The Ruby and PHP Cloud Client Libraries don't support workforce identity federation.

Google Distributed Cloud Virtual for Bare Metal

Unsupported
Alternatives: No alternatives available

Google Earth Engine

Unsupported
Alternatives: No alternatives available

Google Kubernetes Engine

GA
UI: Container Registry tab isn't available for workforce identity federation. Artifact Registry is available.
API: No known limitations
Other: No known limitations

Hybrid Connectivity

GA
UI: No known limitations
API: No known limitations
Other: No known limitations

Identity and Access Management

GA
UI:
  • The Name column within the IAM table doesn't show display names for Google identities.
  • When adding new principals to allow policies, the Add principals text field supports only autocompletion for service accounts.
  • The Add exempted principal text field in the Audit Logs page supports only autocompletion for service accounts.
API: No known limitations
Other: No known limitations

Identity-Aware Proxy

Preview
UI:
  • In the Applications tab, the Method column is disabled; users cannot use external identities for authorization.
  • In the Applications tab, App Engine resources cannot be listed.
  • The Go to OAuth configuration item in the action menu isn't available.
  • In the Applications tab, on-premises connectors cannot be added or listed.
API:
  • External identities with workforce identity federation are not supported for IAP-protected web resources, such as Compute Engine, GKE, and App Engine.
  • External identities with workforce identity federation for IAP TCP forwarding resources are supported only in gcloud CLI.
Other: No known limitations

Identity Platform

GA
UI: Enabling Identity Platform through the Google Cloud workforce identity federation console is not supported. Workforce identity federation administrators must enable Identity Platform either through the Firebase Authentication console or by logging into the Google Cloud console using a Cloud Identity or Workspace account before workforce identity federation users can access Identity Platform through the console (federated).
API: InitializeIdentityPlatform doesn't support workforce identity federation.
Other: No known limitations

Immersive Stream for XR

GA
UI: No known limitations
API: No known limitations
Other: No known limitations

Integration Connectors

GA
UI: No known limitations
API: No known limitations
Other: No known limitations

Key Access Justifications

GA
UI: No known limitations
API: No known limitations
Other: No known limitations

Live Stream API

GA
UI: No known limitations
API: No known limitations
Other: No known limitations

Looker (Google Cloud core)

Preview
UI: Workforce identity federation users can create, update, and delete instances, but they cannot access individual instances.
API: Workforce identity federation users can only manage instances—for example, creating, updating, and deleting an instance—but they cannot access individual instances.
Other: No known limitations

Looker Studio

Unsupported
Alternatives: No alternatives available

Managed Service for Microsoft Active Directory

GA
UI: No known limitations
API: No known limitations
Other: Workforce identity federation users can't use IAP TCP forwarding to access the Active Directory management VM.

Media CDN

GA
UI: No known limitations
API: No known limitations
Other: No known limitations

Memorystore

GA
UI: No known limitations
API: The following APIs support workforce identity federation:
Other: No known limitations

Migrate to Containers

Preview
UI: No known limitations
API: No known limitations
Other: No known limitations

Migrate to Virtual Machines

GA
UI: No known limitations
API: No known limitations
Other: No known limitations

Network Connectivity Center

GA
UI: No known limitations
API: No known limitations
Other: No known limitations

Network Intelligence Center

GA
UI: Firewall Insights cannot be exported to JSON or CSV.
API: No known limitations
Other: No known limitations

Network Service Tiers

GA
UI: No known limitations
API: No known limitations
Other: No known limitations

Organization Policy Service

GA
UI: No known limitations
API: No known limitations
Other: No known limitations

Policy Intelligence

GA
UI:

The following Policy Intelligence features have limitations for workforce identity users who use the Google Cloud workforce identity federation console:

  • Policy Troubleshooter: Workforce identity federation users can't troubleshoot access in the console (federated).
  • Policy Analyzer: Workforce identity federation users can't analyze access in the console (federated).
  • Policy Simulator: Workforce identity federation users can't simulate changes to an allow policy within the console (federated).
  • IAM Recommender: Workforce identity federation users can't view recommendations in the console (federated).
API:

The following Policy Intelligence features have API limitations for workforce identity users:

  • Policy Troubleshooter: Workforce identity federation users can't check the membership of Google groups in allow and deny policies, or the membership of Cloud Identity accounts (domains) in deny policies. When workforce identity federation users try to troubleshoot access, role bindings and deny rules that contain groups or domains have an access result of Unknown, unless the role binding or deny rule also explicitly includes the principal.
  • When using the analyzeIamPolicy or the analyzeIamPolicyLongrunning method, workforce identity federation users might receive incomplete analysis results because of the following:

    • Workforce identity federation users can't check the membership of Google groups in allow policies. As a result, when workforce identity federation users try to analyze access for a principal, the query results don't include permissions and roles that the principal has due to their membership in a group.
    • When analyzing access, workforce identity federation users can't expand groups to see the individual users inside of each group.

    Workforce identity federation users can't use the following API methods:

  • Policy Simulator: Workforce identity federation users can't use the Policy Simulator API (policysimulator.googleapis.com).
  • Activity Analyzer: Workforce identity federation users can't use the Policy Analyzer API (policyanalyzer.googleapis.com).
  • IAM Recommender: Workforce identity federation users can't use the Recommender API (recommender.googleapis.com).
Other: No known limitations

Private Service Connect

GA
UI: When publishing a service, DNS configuration is not available.
API: No known limitations
Other: No known limitations

Pub/Sub

GA
UI: No known limitations
API: Pub/Sub Lite API doesn't have endpoints that support workforce identity federation.
Other: No known limitations

reCAPTCHA Enterprise

GA
UI:
  • Multi-factor authentication through email cannot be configured by workforce identity federation users. For assistance, contact sales.
  • The demonstration website in Cloud Shell isn't supported for workforce identity federation users.
API: MigrateKey isn't supported for workforce identity federation users.
Other: No known limitations

Recommender

GA
UI: Exporting recommendations to BigQuery isn't supported by workforce identity federation.
API: No known limitations
Other: Recommender can recommend products and features that are not supported by workforce identity federation.

Resource Manager

GA
UI:
  • Workforce identity federation users can only view and operate on the organization for which workforce identity federation was configured. Other organizations to which the users are added are not displayed in the Google Cloud console.
  • Wait times for certain operations to be reflected in the UI are long—for example, creating a project or folder.
API: The Organizations API doesn't support workforce identity federation.
Other: No known limitations

Retail API

GA
UI:
API:
Other: No known limitations

Secret Manager

GA
UI: No known limitations
API: No known limitations
Other: No known limitations

Secure Source Manager

Unsupported
Alternatives: No alternatives available

Security Command Center

GA
UI: The following features are unavailable for workforce identity federation users:
  • Exporting findings to a CSV file
  • Exporting findings to Cloud Storage
  • Send feedback button
  • Chronicle export settings cannot be managed in the federated environment, so, in the Continuous Exports page, the Chronicle banner is unavailable.
  • Warning dialog communicating that the enablement state is inherited by default in the Service Enablement page
  • The Security posture service cannot be managed using Google Cloud console.
API: No known limitations
Other: No known limitations

Sensitive Data Protection

GA
UI: No known limitations
API: No known limitations
Other: No known limitations

Serverless VPC Access

GA
UI: No known limitations
API: No known limitations
Other: No known limitations

Service Directory

Preview
UI: No known limitations
API: No known limitations
Other: No known limitations

Service Infrastructure

Preview
UI: Managing quota in Cloud Endpoints is not supported.
API: Service Management API: Creating a managed service isn't supported for workforce identity federation users. To verify domain ownership and create a managed service, do the following:
  1. Add a service account to the domain owners using the Site Verification API.
  2. Impersonate this service account to create the managed service.
Other: No known limitations

Speaker ID

GA
UI: No known limitations
API: No known limitations
Other: No known limitations

Speech-to-Text

GA
UI: Only the v2 UI pages support workforce identity federation.
API: Only the v2 API supports workforce identity federation.
Other: No known limitations

Storage Transfer Service

Preview
UI: No known limitations
API: No known limitations
Other: No known limitations

Talent Solution

GA
UI: The Google Cloud workforce identity federation console doesn't support Talent Solution.
API: No known limitations
Other: No known limitations

Text-to-Speech

GA
UI: No known limitations
API: No known limitations
Other: No known limitations

Traffic Director

GA
UI: No known limitations
API: No known limitations
Other: No known limitations

Transcoder API

GA
UI: No known limitations
API: No known limitations
Other: No known limitations

Transfer Appliance

GA
UI: No known limitations
API: No known limitations
Other: No known limitations

Translation Hub

Unsupported
Alternatives: No alternatives available

Vertex AI

GA
UI: When workforce identity federation users create a new model monitoring job, Vertex AI doesn't prefill the alert email input with their email address.
API: Vertex AI doesn't send email messages to workforce identity federation users.
Other:
  • Colab Enterprise doesn't support workforce identity federation.
  • Vertex AI Workbench doesn't support workforce identity federation.

Vertex AI Vision

GA
UI: Video stream playback doesn't work for workforce identity federation users.
API: No known limitations
Other: No known limitations

Video Intelligence API

Preview
UI: No known limitations
API: No known limitations
Other: No known limitations

Video Stitcher API

GA
UI: No known limitations
API: Workforce identity federation is not supported for LiveConfig and Slate resources when Google Ad Manager (GAM) fields are set.
Other: No known limitations

Virtual Private Cloud

GA
UI: No known limitations
API: No known limitations
Other: No known limitations

VPC Service Controls

Preview
UI: Autocomplete suggestions aren't supported when adding user identities in the following fields:
API:
Other: No known limitations

Web Risk

Unsupported
Alternatives: No alternatives available

Workflows

GA
UI: The Grant button, which grants the workforce identity federation user the Service Account User (roles/iam.serviceAccountUser) role on the project, is inactive.
API: The Workflows and Workflow Executions APIs support workforce identity federation; however, when invoking other services during a workflow execution, workforce identity federation isn't supported.
Other: No known limitations