Workforce identity federation: supported products and limitations

Overview

This page contains a list of Google Cloud products that support workforce identity federation, as well as a list of known product limitations.

Workforce identity federation provides customers with access to Google Cloud products using their native or other cloud identities.

Google Cloud products and limitations

This section lists products that support workforce identity federation and their associated limitations.

Supported products	Limitations
APIs and Services	UI: Credential management isn't supported. OAuth brand management isn't supported. Discovering APIs via the API Library isn't supported. API: Other:
Artifact Registry	UI: The Container Analysis API doesn't support identity federation so vulnerabilities information is hidden. Container Registry doesn't support identity federation so there is an info banner in the settings page under "Container Registry transition". API: Other:
BigQuery	UI: Workforce identity federation doesn't support browsing public datasets through Marketplace . The corresponding UI option "Explore public datasets" inside the "Add data" menu isn't available. Analytics Hub doesn't support workforce identity federation. The corresponding UIs aren't available: Adding datasets to the project through "Explore Analytics Hub" option inside the "Add data" menu. The Analytics Hub exchange page External data sources doesn't support workforce identity federation. The following UIs aren't available: Add data > External data source In the create table source field, the Amazon S3 and Azure Blob Storage items. Exploring table data with Cloud Data Loss Prevention doesn't support workforce identity federation. Export > Scan with DLP isn't available. Data transfers and Scheduled queries doesn't support workforce identity federation. The following UIs aren't available: The Data transfer management pages Add data > External data sources The Copying dataset UI Creating/updating scheduled queries from the query editor UI Scheduled queries management pages Exporting query results and table data to Drive and Sheets doesn't support workforce identity federation. Creating tables via importing local file or from Drive doesn't support workforce identity federation. Saved Queries doesn't support workforce identity federation. The Save Query button in query editor UI isn't available The Saved query list in the bottom panel isn't available SQL Translation UI doesn't support workforce identity federation. Monitoring UI doesn't support workforce identity federation. Capacity Management doesn't support workforce identity federation. BI Engine UI doesn't support workforce identity federation. API: Only the following BigQuery REST APIs support workforce identity federation: Project APIs: REST Resources: projects.getServiceAccount projects.list Dataset APIs: REST Resources: datasets.delete datasets.get datasets.insert datasets.list datasets.patch datasets.update Table APIs: REST Resources: tables.delete tables.get tables.getIamPolicy tables.insert tables.list tables.patch tables.setIamPolicy tables.testIamPermissions tables.update TableData APIs: REST Resources: tabledata.list Job API: REST Resources: jobs.cancel jobs.delete jobs.get jobs.getQueryResults jobs.insert jobs.list jobs.query Model APIs: REST Resources: models.delete models.get models.list models.patch Routine APIs: REST Resources: routines.delete routines.get routines.insert routines.list routines.update Workforce identity federation supports only BigQuery Storage API, BigQuery Storage Read API and BigQuery Storage Write API. Loading data from local files doesn't support workforce identity federation. Only QUERY, LOAD, EXTRACT job types support workforce identity federation. SQL support is limited to query syntax, data manipulation language (DML), data definition language (DDL) and data control language (DCL) statement types. Workforce identity federation supports transactions, multi-statement queries and sessions. User email field is empty in the jobs.list and jobs.get API response. User email field is empty for the jobs and sessions views in the INFORMATION_SCHEMA for identity federation users. Only built-in BigQuery ML models, which are built and trained within BigQuery, support workforce identity federation. Other:
Cloud Bigtable	UI: The key visualizer isn't available for workforce identity federation. The UI cost calculator isn't available for workforce identity federation. API: Other:
Cloud Billing	UI: When Cloud billing Web UI support is used with identity federation, only the following functionality is supported: View linked projects Verify the billing status of your project Enable, disable, or change billing for a project API: Cloud Billing Budget API doesn't support workforce identity federation. The following Cloud Billing Account APIs don't support workforce identity federation. billingAccounts.create billingAccounts.patch Other: Only invoiced billing accounts are supported.
Cloud Console	UI: See About the console (federated) API: Other:
Data Catalog	UI: In the edit steward dialog on the entry details page, contact suggestions aren't shown for identity federation. API: For identity federation, search and starring support for workforce identity federation, but not workload identity federation. Other:
Cloud Key Management Service	UI: API: Other:
Google Kubernetes Engine	UI: Google Container Registry tab isn't available for workforce identity federation. You must manually input the image path for an existing container image. API: Other:
Cloud Logging	UI: API: Other:
Pub/Sub	UI: API: Pub/Sub Lite API doesn't have endpoints that support workforce identity federation. Other:
Cloud Run	UI: Cloud Run domain mapping is disabled for workforce identity federation. Continuous deployment with Cloud Build is disabled for workforce identity federation. Existing VPC connectors aren't listed for workforce identity federation. You must create them manually. API: The Cloud Run DomainMappings API doesn't support workforce identity federation. The Cloud Run AuthorizedDomains API doesn't support workforce identity federation. Other:
Secret Manager	UI: API: Other:
Cloud HSM	UI: API: Other:
Cloud Spanner	UI: Import and export functionality isn't supported for workforce identity federation users. API: Other:
Cloud SQL	UI: Private connectivity can't be configured when creating or editing a Cloud SQL instance in the UI. Exporting Cloud SQL instance data to a Cloud Storage bucket isn't supported. Importing Cloud SQL instance data from a Cloud Storage bucket isn't supported. API: Exporting Cloud SQL instance data to a Cloud Storage bucket isn't supported. Importing Cloud SQL instance data from a Cloud Storage bucket isn't supported. Other: The Help Assistant isn't supported.
Cloud Storage	UI: Authenticated browser downloads aren't supported. Object data can be downloaded via gsutil, the API, or client libraries. Viewing object details requires uniform bucket-level access to be enabled for the bucket. Editing IAM bindings isn't supported within the Cloud Storage UI. Project bindings can be edited in the IAM UI. Bucket bindings can be edited via gsutil. Process with Cloud Functions isn't supported. Scan with Cloud Data Loss Prevention isn't supported. API: Workforce identity federation with all Cloud Storage APIs is only supported for uniform bucket-level access buckets. Workforce identity federation access to buckets with fine-grained access control lists (ACLs) is rejected. Workforce identity federation with authenticated browser downloads isn't supported. Other: