|
GA
|
UI:
|
No known limitations
|
API:
|
-
v1alpha
APIs
aren't available for workforce identity federation users.
-
v1alpha
APIs
aren't available for workload identity federation workloads.
|
Other:
|
No known limitations
|
|
|
GA
|
UI:
|
-
When you log into any external (Anthos) clusters, the option
Use your Google identity
isn't available for workforce identity federation.
-
When you create or attach any external (Anthos) clusters, you
won't automatically be added as an administrator for workforce identity
federation.
|
API:
|
The following APIs don't support workforce identity federation:
|
Other:
|
gkeadm
,
gkectl
and
bmctl
don't support workforce identity federation.
|
|
|
GA
|
UI:
|
No known limitations
|
API:
|
No known limitations
|
Other:
|
No known limitations
|
|
|
GA
|
UI:
|
|
API:
|
No known limitations
|
Other:
|
No known limitations
|
|
|
GA
|
UI:
|
No known limitations
|
API:
|
No known limitations
|
Other:
|
-
Container Registry doesn't support identity federation. There is an information banner in the settings page in
Container Registry transition
.
|
|
|
GA
|
UI:
|
-
Scheduling queries isn't supported.
-
Saving queries isn't supported.
|
API:
|
-
The following APIs don't support workforce identity federation with BigQuery:
-
The
tabledata.insertAll
method doesn't support workforce identity federation.
|
Other:
|
-
The following features don't support workforce identity federation with BigQuery:
-
The following operations don't support workforce identity federation:
-
Loading data from Amazon S3, Azure Blob Storage, or Google Drive.
|
|
|
GA
|
UI:
|
No known limitations
|
API:
|
No known limitations
|
Other:
|
No known limitations
|
|
|
GA
|
UI:
|
No known limitations
|
API:
|
No known limitations
|
Other:
|
No known limitations
|
|
|
GA
|
UI:
|
No known limitations
|
API:
|
No known limitations
|
Other:
|
No known limitations
|
|
|
GA
|
UI:
|
No known limitations
|
API:
|
No known limitations
|
Other:
|
No known limitations
|
|
|
GA
|
UI:
|
In the
IAM policy
tab, the
Analyze Full Access
button is unavailable for workforce identity federation users.
|
API:
|
No known limitations
|
Other:
|
No known limitations
|
|
|
GA
|
UI:
|
The UI cost calculator isn't available for workforce identity federation users.
|
API:
|
No known limitations
|
Other:
|
No known limitations
|
|
|
GA
|
UI:
|
|
API:
|
|
Other:
|
No known limitations
|
|
|
GA
|
UI:
|
Workforce identity federation users are unable to create host connections to GitHub.com in the Google Cloud console.
Workforce identity federation users must create these connections programmatically.
|
API:
|
In gcloud CLI, HTTP, and Terraform, when a workforce identity
federation user runs the commands to connect to their GitHub.com or GitHub
Enterprise host, the URLs returned will refer to
console.cloud.google.com
. The user must replace the host in the
URL with the https://console.cloud.google/ when navigating to the links.
|
Other:
|
No known limitations
|
|
|
GA
|
UI:
|
No known limitations
|
API:
|
No known limitations
|
Other:
|
No known limitations
|
|
|
GA
|
UI:
|
No known limitations
|
API:
|
No known limitations
|
Other:
|
-
Cloud Composer supports workforce identity federation only for environments created in
Composer version 2.1.11 or later and Airflow version 2.4.3 or later. Upgrading an environment from
an earlier version does not enable workforce identity federation support.
-
Email messages sent from Airflow only include the Airflow UI link that is accessible by Google accounts.
To access Airflow UI as a workforce identity federation user, the link must be manually updated
(changed to the
URL for workforce identity federation users
).
-
Cloud Storage limitations apply to Cloud Composer environment bucket.
|
|
|
GA
|
|
|
GA
|
UI:
|
-
Due to the
limitations of Cloud Billing for workforce identity federation
, billing related support is accessible only to the organization's administrator through the Google Cloud account used to set up the billing account.
-
Workforce identity federation users can upload—but not download—support case-related files. These files are visible to the Support Engineers who handle your cases.
-
Contact details (e.g. Email Address) cannot be changed for workforce identity federation users once interaction with Support has started.
|
API:
|
Cloud Support API doesn't support workforce identity federation.
|
Other:
|
No known limitations
|
|
|
GA
|
UI:
|
Workforce identity federation users can create, update, and delete instances,
but they cannot access individual instances.
|
API:
|
Workforce identity federation users can only manage instances, for example
creating, updating, and deleting an instance, but they cannot access
individual instances.
|
Other:
|
No known limitations
|
|
|
GA
|
|
|
GA
|
UI:
|
The Cloud Domains page isn't available.
|
API:
|
Cloud DNS has a limitation on the number of name server shards. To
learn more, see
Name server limits
.
Before allocating the final name server shard, Cloud DNS verifies
ownership of the domain, which cannot be performed for workforce identity federation users.
|
Other:
|
No known limitations
|
|
|
GA
|
UI:
|
No known limitations
|
API:
|
No known limitations
|
Other:
|
No known limitations
|
|
|
GA
|
UI:
|
No known limitations
|
API:
|
No known limitations
|
Other:
|
No known limitations
|
|
|
GA
|
UI:
|
-
Existing
VPC connectors
aren't listed for workforce identity federation. You must create them manually.
-
Build worker pools
aren't supported for workforce identity federation.
-
Pre-deployment testing isn't supported for workforce identity federation.
|
API:
|
No known limitations
|
Other:
|
No known limitations
|
|
|
GA
|
UI:
|
No known limitations
|
API:
|
No known limitations
|
Other:
|
No known limitations
|
|
|
GA
|
UI:
|
No known limitations
|
API:
|
No known limitations
|
Other:
|
No known limitations
|
|
|
GA
|
UI:
|
No known limitations
|
API:
|
No known limitations
|
Other:
|
No known limitations
|
|
|
GA
|
UI:
|
No known limitations
|
API:
|
No known limitations
|
Other:
|
No known limitations
|
|
|
GA
|
UI:
|
No known limitations
|
API:
|
No known limitations
|
Other:
|
No known limitations
|
|
|
GA
|
|
|
GA
|
UI:
|
No known limitations
|
API:
|
No known limitations
|
Other:
|
No known limitations
|
|
|
GA
|
UI:
|
|
API:
|
No known limitations
|
Other:
|
The IAM permission
run.routes.invoke
, which manages access to Cloud Run service endpoints, doesn't support workforce identity federation.
|
|
|
GA
|
UI:
|
-
The App Engine Cron Jobs tab isn't available for workforce identity federation users.
-
The App Engine option in the target type configuration isn't available for workforce identity federation users.
|
API:
|
The Cloud Scheduler API does not support workforce identity federation for jobs that have their
target
attribute set to
appEngineHttpTarget
.
To send a job to an App Engine target using workforce identity federation, create your job
with the
target
type set to
httpTarget
and the
uri
field set to the full URI path of your App Engine target.
|
Other:
|
No known limitations
|
|
|
GA
|
UI:
|
No known limitations
|
API:
|
No known limitations
|
Other:
|
No known limitations
|
|
|
GA
|
UI:
|
No known limitations
|
API:
|
No known limitations
|
Other:
|
|
|
|
GA
|
UI:
|
-
Viewing object details requires
uniform bucket-level access
to be enabled for the bucket.
-
Process with Cloud Functions isn't supported.
-
Scan with Cloud Data Loss Prevention isn't supported.
|
API:
|
|
Other:
|
No known limitations
|
|
|
GA
|
UI:
|
The App Engine routing override option isn't available for workforce identity federation users.
|
API:
|
The Cloud Tasks API does not support workforce identity federation for tasks that have
App Engine targets.
-
App Engine queues:
Since App Engine queues (queues created using a
queue.yaml
or
queue.xml
file) contain only tasks with
App Engine targets, all tasks in these queues are not supported.
-
Regular queues:
For regular Cloud Tasks queues, tasks with HTTP targets
are supported. Tasks with App Engine targets are not supported (even though the queue
is not an App Engine queue).
|
Other:
|
No known limitations
|
|
|
GA
|
UI:
|
No known limitations
|
API:
|
No known limitations
|
Other:
|
No known limitations
|
|
|
GA
|
UI:
|
Workforce identity federation users who want to launch a Cloud Workstations must either
use the Google Cloud console or the Workstations API. To use the Workstation API, see
Connect to the
workstation in your browser
.
Workforce identity federation doesn't support re-authentication by directly accessing an existing
Workstation, for example, if you've bookmarked your Workstation in the past. Instead, workforce
identity federation users can re-authenticate as described earlier in this section.
|
API:
|
No known limitations
|
Other:
|
No known limitations
|
|
|
GA
|
UI:
|
-
SSH-in-browser
doesn't support workforce identity federation.
-
Batch
isn't supported.
We recommend that you use the gcloud CLI instead of the Google Cloud console.
|
API:
|
|
Other:
|
No known limitations
|
|
|
GA
|
UI:
|
No known limitations
|
API:
|
No known limitations
|
Other:
|
No known limitations
|
|
|
GA
|
UI:
|
In the edit
steward
dialog on the entry details page, contact suggestions aren't shown.
|
API:
|
No known limitations
|
Other:
|
No known limitations
|
|
|
GA
|
UI:
|
No known limitations
|
API:
|
google.dataflow.v1beta3.SqlValidator.Validate
: Dataflow SQL Validator APIs don't support workforce identity federation.
|
Other:
|
No known limitations
|
|
|
GA
|
UI:
|
No known limitations
|
API:
|
No known limitations
|
Other:
|
No known limitations
|
|
|
GA
|
UI:
|
-
Workforce identity federation users can perform create, view, update, and delete operations in Cluster, Jobs, and Batches list pages. Workflows, Autoscaling policies, and component exchange aren't available to workforce identity federation users.
-
Cluster create functionality is available, except for Dataproc on GKE cluster creation, Dataproc Compute Engine cluster with personal authentication, or with Component Gateway enabled.
-
The "Output" section in the Batch and Job detail page isn't available for workforce identity federation users.
-
The "Recommend Alert" section in the Cluster and Job list page isn't available for workforce identity federation users.
|
API:
|
|
Other:
|
No known limitations
|
|
|
GA
|
UI:
|
No known limitations
|
API:
|
No known limitations
|
Other:
|
No known limitations
|
|
|
GA
|
UI:
|
Key Visualizer
doesn't support workforce identity federation.
|
API:
|
No known limitations
|
Other:
|
No known limitations
|
|
|
GA
|
UI:
|
Although you can use an existing
workflow
as an Eventarc trigger destination, workforce identity federation users can't create new workflows.
|
API:
|
Third-party event publishing
using
a
ChannelConnection
resource is not supported with workforce identity federation.
|
Other:
|
No known limitations
|
|
|
GA
|
UI:
|
Billing information isn't visible on the
Instance create
,
Instance edit
, and
Restore backup to New instance
pages.
|
API:
|
No known limitations
|
Other:
|
No known limitations
|
|
|
GA
|
UI:
|
|
API:
|
No known limitations
|
Other:
|
No known limitations
|
|
|
GA
|
UI:
|
No known limitations
|
API:
|
No known limitations
|
Other:
|
No known limitations
|
|
|
GA
|
UI:
|
-
Cloud Marketplace contains links to Google domains that might not support workforce identity federation.
-
VM deployments don't support workforce identity federation.
-
SaaS sign-up and SSO login do not support workforce identity federation.
-
Producer Portal doesn't support workforce identity federation.
-
Request Procurement
does not support workforce identity federation.
-
Service Catalog doesn't support workforce identity federation.
|
API:
|
Partner API
doesn't support workforce identity federation.
|
Other:
|
Customers don't receive notifications if no email address is provided by Billing Account Admins or Product Owners.
|
|
|
Preview
|
UI:
|
|
API:
|
No known limitations
|
Other:
|
No known limitations
|
|
|
GA
|
UI:
|
No known limitations
|
API:
|
No known limitations
|
Other:
|
The
Ruby
and
PHP
The Cloud Client Libraries do not support workforce identity federation.
|
|
|
GA
|
UI:
|
Container Registry tab isn't available for workforce identity federation. Artifact Registry is available.
|
API:
|
No known limitations
|
Other:
|
No known limitations
|
|
|
GA
|
UI:
|
No known limitations
|
API:
|
No known limitations
|
Other:
|
No known limitations
|
|
|
GA
|
UI:
|
-
The
Name
column within the IAM table doesn't show display names for Google identities.
-
When adding new principals to allow policies, the
Add principals
text field supports only autocompletion for service accounts.
-
The
Add exempted principal
text field in the
Audit Logs
page supports only autocompletion for service accounts.
|
API:
|
No known limitations
|
Other:
|
No known limitations
|
|
|
GA
|
UI:
|
Workforce identity federation administrators must enable Identity Platform through the Firebase Authentication console or by logging into the Google Cloud console using a Google Cloud account before workforce identity federation users can access Identity Platform through the Google Cloud workforce identity federation console.
|
API:
|
The following APIs don't support workforce identity federation:
-
google.cloud.identitytoolkit.admin.v2.ProjectConfigService.EnableIdentityPlatform
-
google.cloud.identitytoolkit.admin.v2.ProjectConfigService.InitializeIdentityPlatform
|
Other:
|
No known limitations
|
|
|
GA
|
UI:
|
No known limitations
|
API:
|
No known limitations
|
Other:
|
No known limitations
|
|
|
GA
|
UI:
|
No known limitations
|
API:
|
No known limitations
|
Other:
|
No known limitations
|
|
|
GA
|
|
|
GA
|
UI:
|
No known limitations
|
API:
|
No known limitations
|
Other:
|
No known limitations
|
|
|
|
UI:
|
No known limitations
|
API:
|
The following APIs support workforce identity federation:
|
Other:
|
No known limitations
|
|
|
Preview
|
UI:
|
No known limitations
|
API:
|
No known limitations
|
Other:
|
No known limitations
|
|
|
GA
|
UI:
|
No known limitations
|
API:
|
No known limitations
|
Other:
|
No known limitations
|
|
|
GA
|
UI:
|
Firewall Insights cannot be exported to JSON or CSV.
|
API:
|
No known limitations
|
Other:
|
No known limitations
|
|
|
GA
|
UI:
|
No known limitations
|
API:
|
No known limitations
|
Other:
|
No known limitations
|
|
|
GA
|
UI:
|
No known limitations
|
API:
|
No known limitations
|
Other:
|
No known limitations
|
|
|
GA
|
UI:
|
-
Troubleshooting within the Google Cloud workforce identity federation console, also known as the console (federated), is unsupported.
-
Simulating changes to an allow policy within the console (federated) is unsupported.
-
Analyzing IAM policies within console (federated) is unsupported.
|
API:
|
|
Other:
|
No known limitations
|
|
|
GA
|
UI:
|
When publishing a service, DNS configuration is not available.
|
API:
|
No known limitations
|
Other:
|
No known limitations
|
|
|
GA
|
UI:
|
No known limitations
|
API:
|
Pub/Sub Lite API
doesn't have endpoints that support workforce identity federation.
|
Other:
|
No known limitations
|
|
|
GA
|
UI:
|
-
Workforce identity federation users can only view and operate on the organization for which workforce identity federation was configured. Other organizations to which the users are added are not displayed in the Google Cloud console.
-
Wait times for certain operations to be reflected in the UI are long—for example, creating a project or folder.
|
API:
|
The
Organizations API
doesn't support workforce identity federation.
|
Other:
|
No known limitations
|
|
|
GA
|
UI:
|
No known limitations
|
API:
|
No known limitations
|
Other:
|
No known limitations
|
|
|
GA
|
UI:
|
Security Command Center is not supported in the Google Cloud console for workforce identity federation users.
|
API:
|
No known limitations
|
Other:
|
No known limitations
|
|
|
GA
|
UI:
|
No known limitations
|
API:
|
No known limitations
|
Other:
|
No known limitations
|
|
|
Preview
|
|
|
GA
|
UI:
|
No known limitations
|
API:
|
No known limitations
|
Other:
|
No known limitations
|
|
|
GA
|
UI:
|
Only the v2 UI pages support workforce identity federation.
|
API:
|
Only the v2 API supports workforce identity federation.
|
Other:
|
No known limitations
|
|
|
Preview
|
UI:
|
No known limitations
|
API:
|
No known limitations
|
Other:
|
No known limitations
|
|
|
GA
|
UI:
|
No known limitations
|
API:
|
No known limitations
|
Other:
|
No known limitations
|
|
|
GA
|
UI:
|
No known limitations
|
API:
|
No known limitations
|
Other:
|
No known limitations
|
|
|
GA
|
UI:
|
When workforce identity federation users create a new model monitoring job, Vertex AI doesn't prefill the alert email input with their email address.
|
API:
|
Vertex AI doesn't send email messages to workforce identity federation users.
|
Other:
|
Vertex AI Workbench doesn't support workforce identity federation.
|
|
|
GA
|
UI:
|
No known limitations
|
API:
|
No known limitations
|
Other:
|
No known limitations
|
|
|
GA
|
UI:
|
No known limitations
|
API:
|
Workforce identity federation is not supported for LiveConfig and Slate resources when Google Ad Manager (GAM) fields are set.
|
Other:
|
No known limitations
|
|
|
GA
|
UI:
|
No known limitations
|
API:
|
No known limitations
|
Other:
|
No known limitations
|
|
|
Preview
|
UI:
|
Autocomplete suggestions aren't supported when adding user identities in the following fields:
|
API:
|
|
Other:
|
No known limitations
|
|
|
GA
|
UI:
|
The
Grant
button, which grants the workforce identity federation user the Service Account
User (
roles/iam.serviceAccountUser
) role on the project, is inactive.
|
API:
|
The
Workflows
and
Workflow Executions
APIs
support workforce identity federation; however, when invoking other services during a workflow
execution, workforce identity federation isn't supported.
|
Other:
|
No known limitations
|
|