|
GA
|
Console (federated):
|
No known limitations
|
Google Cloud API:
|
No known limitations
|
Other:
|
No known limitations
|
|
|
GA
|
Console (federated):
|
No known limitations
|
Google Cloud API:
|
v1alpha APIs aren't available for federated identities.
|
Other:
|
No known limitations
|
|
|
GA
|
Console (federated):
|
No known limitations
|
Google Cloud API:
|
No known limitations
|
Other:
|
No known limitations
|
|
|
GA
|
|
|
GA
|
Console (federated):
|
The following fleet health features aren't supported while using Workforce Identity Federation:
- Performance and Backups summary cards
- Data in the clusters table, such as CPU percentage and Memory Available
|
Google Cloud API:
|
No known limitations
|
Other:
|
No known limitations
|
|
|
GA
|
Console (federated):
|
No known limitations
|
Google Cloud API:
|
No known limitations
|
Other:
|
No known limitations
|
|
|
Unsupported
|
Alternatives:
|
No alternatives available
|
|
|
GA
|
Console (federated):
|
- The Classic Apigee UI isn't supported for Workforce Identity Federation users. Buttons to switch to the Classic Apigee UI aren't available. The following features that can only be accessed using the Classic Apigee UI aren't supported for Workforce Identity Federation users:
  - Apigee API Monetization
  - Developer analysis
  - End User analysis
  - Integrated portals
- Features in Preview aren't supported for Workforce Identity Federation users. This includes the following features:
  - Abuse detection
  - API hub
  - Gemini Code Assist with Apigee
  - Looker Studio integration
  - Risk assessment
  - Security actions
  - Shadow API discovery
- Local development with Apigee in Cloud Code isn't supported for Workforce Identity Federation users.
|
Google Cloud API:
|
|
Other:
|
No known limitations
|
|
|
GA
|
Console (federated):
|
No known limitations
|
Google Cloud API:
|
No known limitations
|
Other:
|
No known limitations
|
|
|
GA
|
Console (federated):
|
|
Google Cloud API:
|
No known limitations
|
Other:
|
No known limitations
|
|
|
Unsupported
|
Alternatives:
|
Google recommends that you use Cloud Run as an alternative.
|
|
|
GA
|
Console (federated):
|
No known limitations
|
Google Cloud API:
|
No known limitations
|
Other:
|
No known limitations
|
|
|
GA
|
Console (federated):
|
No known limitations
|
Google Cloud API:
|
No known limitations
|
Other:
|
No known limitations
|
|
|
GA
|
Console (federated):
|
No known limitations
|
Google Cloud API:
|
No known limitations
|
Other:
|
- Container Registry doesn't support identity federation. There is an information banner in the settings page in Container Registry transition.
|
|
|
GA
|
Console (federated):
|
No known limitations
|
Google Cloud API:
|
No known limitations
|
Other:
|
No known limitations
|
|
|
Preview
|
Console (federated):
|
No known limitations
|
Google Cloud API:
|
No known limitations
|
Other:
|
No known limitations
|
|
|
GA
|
Console (federated):
|
No known limitations
|
Google Cloud API:
|
No known limitations
|
Other:
|
No known limitations
|
|
|
GA
|
Console (federated):
|
Saving queries isn't supported.
|
Google Cloud API:
|
BigQuery Migration Service doesn't support identity federation.
|
Other:
|
- The following features don't support Workforce Identity Federation with BigQuery:
- The following operations don't support Workforce Identity Federation:
|
|
|
GA
|
Console (federated):
|
No known limitations
|
Google Cloud API:
|
No known limitations
|
Other:
|
No known limitations
|
|
|
GA
|
Console (federated):
|
No known limitations
|
Google Cloud API:
|
No known limitations
|
Other:
|
No known limitations
|
|
|
Preview
|
Console (federated):
|
No known limitations
|
Google Cloud API:
|
No known limitations
|
Other:
|
No known limitations
|
|
|
GA
|
Console (federated):
|
No known limitations
|
Google Cloud API:
|
No known limitations
|
Other:
|
No known limitations
|
|
|
GA
|
Console (federated):
|
No known limitations
|
Google Cloud API:
|
No known limitations
|
Other:
|
No known limitations
|
|
|
GA
|
Console (federated):
|
No known limitations
|
Google Cloud API:
|
No known limitations
|
Other:
|
No known limitations
|
|
|
GA
|
Console (federated):
|
No known limitations
|
Google Cloud API:
|
No known limitations
|
Other:
|
No known limitations
|
|
|
GA
|
Console (federated):
|
No known limitations
|
Google Cloud API:
|
No known limitations
|
Other:
|
No known limitations
|
|
|
GA
|
Console (federated):
|
In the IAM policy tab, the Analyze Full Access button is unavailable for Workforce Identity Federation users.
|
Google Cloud API:
|
When using the analyzeIamPolicy or the analyzeIamPolicyLongrunning method, federated identities might receive incomplete analysis results because of the following:
- Federated identities can't check the membership of Google groups in allow policies. As a result, when federated identities analyze access for a principal, the query results don't include permissions and roles that the principal has due to their membership in a group.
- When analyzing access, federated identities can't enable the expand_groups option.
analyzeMove isn't supported by identity federation.
|
Other:
|
No known limitations
|
|
|
GA
|
Console (federated):
|
|
Google Cloud API:
|
|
Other:
|
No known limitations
|
|
|
GA
|
Console (federated):
|
No known limitations
|
Google Cloud API:
|
No known limitations
|
Other:
|
No known limitations
|
|
|
GA
|
Console (federated):
|
No known limitations
|
Google Cloud API:
|
No known limitations
|
Other:
|
No known limitations
|
|
|
Unsupported
|
Alternatives:
|
No alternatives available
|
|
|
GA
|
Console (federated):
|
No known limitations
|
Google Cloud API:
|
No known limitations
|
Other:
|
- Cloud Composer supports Workforce Identity Federation only for environments created in Composer version 2.1.11 or later and Airflow version 2.4.3 or later. Upgrading an environment from an earlier version does not enable Workforce Identity Federation support.
- Email messages sent from Airflow only include the Airflow UI link that is accessible by Google accounts. To access the Airflow UI as a Workforce Identity Federation user, the link must be manually updated (changed to the URL for Workforce Identity Federation).
- Cloud Storage limitations apply to the Cloud Composer environment bucket.
|
|
|
GA
|
Console (federated):
|
Workforce Identity Federation users can only access the Google Cloud Workforce Identity Federation console, also known as the console (federated). They cannot access the Google Cloud console. The console (federated) provides limited access to only those Google Cloud products that support Workforce Identity Federation. For more information, see About the console (federated).
Additionally, the console (federated) has the following limitations:
- Language preference is selected at sign-on and can't be updated within the console.
- Product notifications, updates and offers can't be enabled on the communication preferences page.
- Personalization based on your Google Cloud console activity is unsupported.
- The Transparency and Control Center page is unavailable.
|
Google Cloud API:
|
No known limitations
|
Other:
|
Workforce Identity Federation users aren't eligible for Google Cloud Free Trial.
|
|
|
GA
|
Console (federated):
|
- Due to the limitations of Cloud Billing for Workforce Identity Federation, billing-related support is accessible only to the organization's administrator through the Google Cloud account used to set up the billing account.
- Workforce Identity Federation users can upload, but not download, support case-related files. These files are visible to the Support Engineers who handle your cases.
- Contact details (for example, email address) cannot be changed for Workforce Identity Federation users once interaction with Support has started.
|
Google Cloud API:
|
Cloud Support API doesn't support identity federation.
|
Other:
|
No known limitations
|
|
|
GA
|
Console (federated):
|
No known limitations
|
Google Cloud API:
|
No known limitations
|
Other:
|
No known limitations
|
|
|
GA
|
|
|
Unsupported
|
Alternatives:
|
No alternatives available
|
|
|
GA
|
Console (federated):
|
The Cloud Domains page isn't available.
|
Google Cloud API:
|
Cloud DNS has a limitation on the number of name server shards. To learn more, see Name server limits. Before allocating the final name server shard, Cloud DNS verifies ownership of the domain, which cannot be performed by federated identities.
|
Other:
|
No known limitations
|
|
|
Unsupported
|
Alternatives:
|
No alternatives available
|
|
|
Unsupported
|
Alternatives:
|
No alternatives available
|
|
|
GA
|
Console (federated):
|
No known limitations
|
Google Cloud API:
|
No known limitations
|
Other:
|
No known limitations
|
|
|
GA
|
Console (federated):
|
No known limitations
|
Google Cloud API:
|
No known limitations
|
Other:
|
No known limitations
|
|
|
GA
|
Console (federated):
|
No known limitations
|
Google Cloud API:
|
No known limitations
|
Other:
|
No known limitations
|
|
|
GA
|
Console (federated):
|
No known limitations
|
Google Cloud API:
|
No known limitations
|
Other:
|
No known limitations
|
|
|
GA
|
Console (federated):
|
No known limitations
|
Google Cloud API:
|
No known limitations
|
Other:
|
No known limitations
|
|
|
GA
|
Console (federated):
|
No known limitations
|
Google Cloud API:
|
No known limitations
|
Other:
|
No known limitations
|
|
|
GA
|
Console (federated):
|
No known limitations
|
Google Cloud API:
|
No known limitations
|
Other:
|
No known limitations
|
|
|
Unsupported
|
Alternatives:
|
No alternatives available
|
|
|
GA
|
Console (federated):
|
|
Google Cloud API:
|
No known limitations
|
Other:
|
The legacy Cloud Monitoring agent doesn't support sending metrics with identity federation. Instead, Workforce Identity Federation users can install the Ops Agent.
|
|
|
GA
|
Console (federated):
|
No known limitations
|
Google Cloud API:
|
No known limitations
|
Other:
|
No known limitations
|
|
|
GA
|
Console (federated):
|
No known limitations
|
Google Cloud API:
|
No known limitations
|
Other:
|
No known limitations
|
|
|
Unsupported
|
Alternatives:
|
No alternatives available
|
|
|
GA
|
Console (federated):
|
|
Google Cloud API:
|
No known limitations
|
Other:
|
The IAM permission run.routes.invoke, which manages access to Cloud Run service endpoints, doesn't support Workforce Identity Federation.
|
|
|
GA
|
Console (federated):
|
- Existing VPC connectors aren't listed for Workforce Identity Federation. You must create them manually.
- Build worker pools aren't supported for Workforce Identity Federation.
- Pre-deployment testing isn't supported for Workforce Identity Federation.
|
Google Cloud API:
|
No known limitations
|
Other:
|
No known limitations
|
|
|
GA
|
Console (federated):
|
- The App Engine Cron Jobs tab isn't available for Workforce Identity Federation users.
- The App Engine option in the target type configuration isn't available for Workforce Identity Federation users.
|
Google Cloud API:
|
The Cloud Scheduler API doesn't support identity federation for jobs that have their target attribute set to appEngineHttpTarget. To send a job to an App Engine target using identity federation, create your job with the target type set to httpTarget and the uri field set to the full URI path of your App Engine target.
|
Other:
|
No known limitations
|
|
|
GA
|
Console (federated):
|
No known limitations
|
Google Cloud API:
|
In-cluster control plane doesn't support identity federation.
|
Other:
|
No known limitations
|
|
|
Unsupported
|
Alternatives:
|
Google recommends that you use Cloud Workstations as an alternative.
|
|
|
Unsupported
|
Alternatives:
|
No alternatives available
|
|
|
GA
|
Console (federated):
|
No known limitations
|
Google Cloud API:
|
No known limitations
|
Other:
|
|
|
|
GA
|
|
|
GA
|
Console (federated):
|
No known limitations
|
Google Cloud API:
|
No known limitations
|
Other:
|
No known limitations
|
|
|
GA
|
Console (federated):
|
The App Engine routing override option isn't available for Workforce Identity Federation users.
|
Google Cloud API:
|
The Cloud Tasks API doesn't support identity federation for tasks that have App Engine targets. For example:
- App Engine queues: Since App Engine queues (queues that are created using a queue.yaml or queue.xml file) contain only tasks with App Engine targets, tasks in these queues aren't supported.
- Regular queues: For regular Cloud Tasks queues, tasks with HTTP targets are supported. Tasks with App Engine targets aren't supported (even though the queue isn't an App Engine queue).
|
Other:
|
No known limitations
|
|
|
GA
|
Console (federated):
|
No known limitations
|
Google Cloud API:
|
No known limitations
|
Other:
|
No known limitations
|
|
|
GA
|
Console (federated):
|
No known limitations
|
Google Cloud API:
|
No known limitations
|
Other:
|
No known limitations
|
|
|
GA
|
Console (federated):
|
No known limitations
|
Google Cloud API:
|
No known limitations
|
Other:
|
No known limitations
|
|
|
GA
|
Console (federated):
|
Workforce Identity Federation users who want to launch a Cloud Workstations workstation must use either the Google Cloud console or the Workstations API. To use the Workstations API, see Connect to the workstation in your browser.
Workforce Identity Federation doesn't support re-authentication by directly accessing an existing workstation, for example, if you've bookmarked your workstation in the past. Instead, Workforce Identity Federation users can re-authenticate as described earlier in this section.
|
Google Cloud API:
|
No known limitations
|
Other:
|
No known limitations
|
|
|
GA
|
|
|
GA
|
Console (federated):
|
No known limitations
|
Google Cloud API:
|
No known limitations
|
Other:
|
No known limitations
|
|
|
GA
|
Console (federated):
|
- In Add principals to the Google Cloud console & APIs, the Group ID text field doesn't support autocomplete or provide validation for Workforce Identity Federation users.
- For Workforce Identity Federation users, Google Groups are identified by their IDs rather than their names.
|
Google Cloud API:
|
No known limitations
|
Other:
|
No known limitations
|
|
|
GA
|
Console (federated):
|
No known limitations
|
Google Cloud API:
|
No known limitations
|
Other:
|
No known limitations
|
|
|
GA
|
Console (federated):
|
In the edit steward dialog on the entry details page, contact suggestions aren't shown.
|
Google Cloud API:
|
No known limitations
|
Other:
|
No known limitations
|
|
|
GA
|
Console (federated):
|
No known limitations
|
Google Cloud API:
|
No known limitations
|
Other:
|
No known limitations
|
|
|
GA
|
Console (federated):
|
No known limitations
|
Google Cloud API:
|
google.dataflow.v1beta3.SqlValidator.Validate: Dataflow SQL Validator APIs don't support identity federation.
|
Other:
|
No known limitations
|
|
|
GA
|
Console (federated):
|
No known limitations
|
Google Cloud API:
|
No known limitations
|
Other:
|
No known limitations
|
|
|
GA
|
Console (federated):
|
|
Google Cloud API:
|
Exploration of related environments and sessions APIs on Dataplex aren't supported by identity federation.
|
Other:
|
No known limitations
|
|
|
GA
|
Console (federated):
|
- Workforce Identity Federation users can perform create, view, update, and delete operations in Cluster, Jobs, and Batches list pages. Workflows, Autoscaling policies, and component exchange aren't available to Workforce Identity Federation.
- Cluster create functionality is available, except for Dataproc on GKE cluster creation, Dataproc Compute Engine cluster with personal authentication, or with Component Gateway enabled.
- The Output section in the Batch and Job detail page isn't available for Workforce Identity Federation users.
- The Recommend Alert section in the Cluster and Job list page isn't available for Workforce Identity Federation users.
|
Google Cloud API:
|
The following methods don't support identity federation:
|
Other:
|
No known limitations
|
|
|
GA
|
Console (federated):
|
No known limitations
|
Google Cloud API:
|
No known limitations
|
Other:
|
No known limitations
|
|
|
GA
|
Console (federated):
|
Key Visualizer doesn't support Workforce Identity Federation.
|
Google Cloud API:
|
No known limitations
|
Other:
|
No known limitations
|
|
|
GA
|
Console (federated):
|
No known limitations
|
Google Cloud API:
|
No known limitations
|
Other:
|
No known limitations
|
|
|
GA
|
Console (federated):
|
Dialogflow ES is not supported in the Google Cloud console for Workforce Identity Federation users.
|
Google Cloud API:
|
Workforce Identity Federation is supported only on Dialogflow CX APIs.
|
Other:
|
No known limitations
|
|
|
GA
|
Console (federated):
|
No known limitations
|
Google Cloud API:
|
No known limitations
|
Other:
|
No known limitations
|
|
|
Unsupported
|
Alternatives:
|
No alternatives available
|
|
|
Unsupported
|
Alternatives:
|
No alternatives available
|
|
|
GA
|
Console (federated):
|
No known limitations
|
Google Cloud API:
|
No known limitations
|
Other:
|
No known limitations
|
|
|
GA
|
Console (federated):
|
Although you can use an existing workflow as an Eventarc trigger destination, Workforce Identity Federation users can't create new workflows.
|
Google Cloud API:
|
Third-party event publishing using a ChannelConnection resource isn't supported for identity federation.
|
Other:
|
No known limitations
|
|
|
GA
|
Console (federated):
|
Billing information isn't visible on the Instance create, Instance edit, and Restore backup to New instance pages.
|
Google Cloud API:
|
No known limitations
|
Other:
|
No known limitations
|
|
|
GA
|
Console (federated):
|
|
Google Cloud API:
|
No known limitations
|
Other:
|
No known limitations
|
|
|
GA
|
Console (federated):
|
No known limitations
|
Google Cloud API:
|
No known limitations
|
Other:
|
Gemini for Google Cloud license management doesn't support Workforce Identity Federation.
|
|
|
GA
|
Console (federated):
|
- When you log into any external (GKE Enterprise) clusters, the option Use your Google identity isn't available for Workforce Identity Federation.
- When you create or attach any external (GKE Enterprise) clusters, you won't automatically be added as an administrator for Workforce Identity Federation.
|
Google Cloud API:
|
No known limitations
|
Other:
|
gkeadm, gkectl and bmctl don't support Workforce Identity Federation.
|
|
|
GA
|
Console (federated):
|
No known limitations
|
Google Cloud API:
|
No known limitations
|
Other:
|
No known limitations
|
|
|
GA
|
Console (federated):
|
Google Cloud CCaaS cannot be set up by a Workforce Identity Federation user through the Google Cloud CCaaS console.
|
Google Cloud API:
|
No known limitations
|
Other:
|
To set up Google Cloud CCaaS through the gcloud CLI, Workforce Identity Federation users must contact Customer Care.
|
|
|
GA
|
Console (federated):
|
No known limitations
|
Google Cloud API:
|
No known limitations
|
Other:
|
Authentication to open source Apache Kafka APIs through the OAuthBearer mechanism is not supported for clients using Workload Identity Federation for GKE. As an alternative, link Kubernetes ServiceAccounts to IAM.
|
|
|
GA
|
Console (federated):
|
- Cloud Marketplace contains links to Google domains that might not support Workforce Identity Federation.
- The Launch button is disabled for all VM products that use Deployment Manager because Deployment Manager doesn't support Workforce Identity Federation.
- SaaS sign-up and SSO login don't support Workforce Identity Federation.
- Producer Portal doesn't support Workforce Identity Federation.
- Request Procurement doesn't support Workforce Identity Federation.
- Service Catalog doesn't support Workforce Identity Federation.
|
Google Cloud API:
|
Partner API doesn't support Workforce Identity Federation.
|
Other:
|
Customers don't receive notifications if no email address is provided by Billing Account Admins or Product Owners.
|
|
|
Preview
|
Console (federated):
|
|
Google Cloud API:
|
No known limitations
|
Other:
|
No known limitations
|
|
|
GA
|
Console (federated):
|
No known limitations
|
Google Cloud API:
|
No known limitations
|
Other:
|
No known limitations
|
|
|
GA
|
Console (federated):
|
No known limitations
|
Google Cloud API:
|
No known limitations
|
Other:
|
The Ruby and PHP Cloud Client Libraries do not support Workforce Identity Federation.
|
|
|
Unsupported
|
Alternatives:
|
No alternatives available
|
|
|
Unsupported
|
Alternatives:
|
No alternatives available
|
|
|
GA
|
Console (federated):
|
Container Registry tab isn't available for Workforce Identity Federation. Artifact Registry is available.
|
Google Cloud API:
|
No known limitations
|
Other:
|
No known limitations
|
|
|
GA
|
Console (federated):
|
No known limitations
|
Google Cloud API:
|
No known limitations
|
Other:
|
No known limitations
|
|
|
GA
|
Console (federated):
|
No known limitations
|
Google Cloud API:
|
No known limitations
|
Other:
|
No known limitations
|
|
|
GA
|
Console (federated):
|
- The Name column within the IAM table doesn't show display names for Google identities.
- When adding new principals to allow policies, the Add principals text field supports only autocompletion for service accounts.
- The Add exempted principal text field in the Audit Logs page supports only autocompletion for service accounts.
|
Google Cloud API:
|
No known limitations
|
Other:
|
No known limitations
|
|
|
Preview
|
Console (federated):
|
- In the Applications tab, the Method column is disabled, and users cannot use external identities for authorization.
- In the Applications tab, App Engine resources cannot be listed.
- The Go to OAuth configuration item in the action menu isn't available.
- In the Applications tab, on-premises connectors cannot be added or listed.
|
Google Cloud API:
|
Federated identities for IAP TCP forwarding resources are supported only in the gcloud CLI.
|
Other:
|
No known limitations
|
|
|
GA
|
Console (federated):
|
Enabling Identity Platform through the Google Cloud Workforce Identity Federation console is not supported. Workforce Identity Federation administrators must enable Identity Platform either through the Firebase Authentication console or by logging into the Google Cloud console using a Cloud Identity or Workspace account before Workforce Identity Federation users can access Identity Platform through the console (federated).
|
Google Cloud API:
|
InitializeIdentityPlatform doesn't support identity federation.
|
Other:
|
No known limitations
|
|
|
GA
|
Console (federated):
|
No known limitations
|
Google Cloud API:
|
No known limitations
|
Other:
|
No known limitations
|
|
|
GA
|
Console (federated):
|
No known limitations
|
Google Cloud API:
|
No known limitations
|
Other:
|
No known limitations
|
|
|
GA
|
Console (federated):
|
No known limitations
|
Google Cloud API:
|
No known limitations
|
Other:
|
No known limitations
|
|
|
GA
|
Console (federated):
|
|
Google Cloud API:
|
No known limitations
|
Other:
|
When using Workforce Identity Federation, Knative serving requires a cluster with managed Cloud Service Mesh.
|
|
|
GA
|
Console (federated):
|
No known limitations
|
Google Cloud API:
|
No known limitations
|
Other:
|
No known limitations
|
|
|
Preview
|
Console (federated):
|
Workforce Identity Federation users can create, update, and delete instances, but they cannot access individual instances.
|
Google Cloud API:
|
Identity federation users can only manage instances (for example, creating, updating, and deleting an instance), but they cannot access individual instances.
|
Other:
|
No known limitations
|
|
|
Unsupported
|
Alternatives:
|
No alternatives available
|
|
|
GA
|
|
|
GA
|
Console (federated):
|
No known limitations
|
Google Cloud API:
|
No known limitations
|
Other:
|
No known limitations
|
|
|
GA
|
Console (federated):
|
No known limitations
|
Google Cloud API:
|
The following APIs support identity federation:
|
Other:
|
No known limitations
|
|
|
Preview
|
Console (federated):
|
No known limitations
|
Google Cloud API:
|
No known limitations
|
Other:
|
No known limitations
|
|
|
GA
|
Console (federated):
|
No known limitations
|
Google Cloud API:
|
No known limitations
|
Other:
|
No known limitations
|
|
|
GA
|
Console (federated):
|
No known limitations
|
Google Cloud API:
|
No known limitations
|
Other:
|
No known limitations
|
|
|
GA
|
Console (federated):
|
Firewall Insights cannot be exported to JSON or CSV.
|
Google Cloud API:
|
No known limitations
|
Other:
|
No known limitations
|
|
|
GA
|
Console (federated):
|
No known limitations
|
Google Cloud API:
|
No known limitations
|
Other:
|
No known limitations
|
|
|
GA
|
Console (federated):
|
No known limitations
|
Google Cloud API:
|
No known limitations
|
Other:
|
No known limitations
|
|
|
GA
|
Console (federated):
|
No known limitations
|
Google Cloud API:
|
No known limitations
|
Other:
|
No known limitations
|
|
|
GA
|
Console (federated):
|
The following Policy Intelligence features have limitations for Workforce Identity Federation users who use the Google Cloud Workforce Identity Federation console:
- Policy Troubleshooter: Workforce Identity Federation users can't troubleshoot access in the console (federated).
- Policy Analyzer: Workforce Identity Federation users can't analyze access in the console (federated).
- Policy Simulator: Workforce Identity Federation users can't simulate changes to an allow policy within the console (federated).
- IAM Recommender: Workforce Identity Federation users can't view recommendations in the console (federated).
|
Google Cloud API:
|
The following Policy Intelligence features have API limitations for federated identities:
- Policy Troubleshooter: Federated identities can't check the membership of Google groups in allow and deny policies, or the membership of Cloud Identity accounts (domains) in deny policies. When federated identities call the iam.troubleshoot method, role bindings and deny rules that contain groups or domains have an access result of Unknown, unless the role binding or deny rule also explicitly includes the principal.
- When calling the analyzeIamPolicy or the analyzeIamPolicyLongrunning method, federated identities might receive incomplete analysis results because of the following:
  - Federated identities can't check the membership of Google groups in allow policies. As a result, when federated identities analyze access for a principal, the query results don't include permissions and roles that the principal has due to their membership in a group.
  - When analyzing access, federated identities can't enable the expand-groups option.
Federated identities can't use the following API methods:
- Policy Simulator: Federated identities can't use the Policy Simulator API (policysimulator.googleapis.com).
- Activity Analyzer: Federated identities can't use the Policy Analyzer API (policyanalyzer.googleapis.com).
- IAM Recommender: Federated identities can't use the Recommender API (recommender.googleapis.com).
|
Other:
|
No known limitations
|
|
|
GA
|
Console (federated):
|
When publishing a service, DNS configuration is not available.
|
Google Cloud API:
|
No known limitations
|
Other:
|
No known limitations
|
|
|
GA
|
Console (federated):
|
No known limitations
|
Google Cloud API:
|
Pub/Sub Lite API doesn't have endpoints that support identity federation.
|
Other:
|
No known limitations
|
|
|
GA
|
Console (federated):
|
-
Multi-factor authentication through email cannot be configured by Workforce Identity Federation users. For assistance, contact sales.
- The demonstration website in Cloud Shell isn't supported for Workforce Identity Federation users.
|
Google Cloud API:
|
MigrateKey isn't supported for federated identities.
|
Other:
|
No known limitations
|
|
|
GA
|
Console (federated):
|
Exporting recommendations to BigQuery isn't supported by Workforce Identity Federation.
|
Google Cloud API:
|
No known limitations
|
Other:
|
Recommender can recommend products and features that are not supported by Workforce Identity Federation.
|
|
|
GA
|
Console (federated):
|
- Workforce Identity Federation users can only view and operate on the organization for which Workforce Identity Federation was configured. Other organizations to which the users are added are not displayed in the Google Cloud console.
- Wait times for certain operations to be reflected in the UI are long, for example, creating a project or folder.
|
Google Cloud API:
|
The Organizations API doesn't support identity federation.
|
Other:
|
No known limitations
|
|
|
GA
|
Console (federated):
|
|
Google Cloud API:
|
The following methods don't support identity federation:
|
Other:
|
No known limitations
|
|
|
GA
|
Console (federated):
|
No known limitations
|
Google Cloud API:
|
No known limitations
|
Other:
|
No known limitations
|
|
|
GA
|
Console (federated):
|
No known limitations
|
Google Cloud API:
|
- Identity federation users must sign in through the Secure Source Manager instance web interface before running any of the following commands:
- Identity federation users must sign in through the Secure Source Manager instance web interface after every session expiry to continue using Git SSH CLI commands with user SSH keys.
|
Other:
|
- A new Secure Source Manager instance must be created to use Workforce Identity Federation. Existing instances can't be updated.
- Workforce identity pool providers used for Secure Source Manager must provide google.subject and google.email attribute mappings.
- You can only use your federated identity to log in to a Secure Source Manager instance that is configured to use Workforce Identity Federation.
- Email notifications from Secure Source Manager are not supported for Workforce Identity Federation configured instances.
|
|
|
GA
|
Console (federated):
|
The following features are unavailable for Workforce Identity Federation users:
- Exporting findings to a CSV file
- Exporting findings to Cloud Storage
- Send feedback button
- Google SecOps export settings cannot be managed in the federated environment, so, in the Continuous Exports page, the Google SecOps banner is unavailable.
- Warning dialog communicating that the enablement state is inherited by default in the Service Enablement page
- The Security posture service cannot be managed using Google Cloud console.
|
Google Cloud API:
|
No known limitations
|
Other:
|
No known limitations
|
|
|
GA
|
Console (federated):
|
No known limitations
|
Google Cloud API:
|
No known limitations
|
Other:
|
No known limitations
|
|
|
GA
|
Console (federated):
|
No known limitations
|
Google Cloud API:
|
No known limitations
|
Other:
|
No known limitations
|
|
|
Preview
|
Console (federated):
|
No known limitations
|
Google Cloud API:
|
No known limitations
|
Other:
|
No known limitations
|
|
|
Preview
|
|
|
GA
|
Console (federated):
|
No known limitations
|
Google Cloud API:
|
No known limitations
|
Other:
|
No known limitations
|
|
|
GA
|
Console (federated):
|
No known limitations
|
Google Cloud API:
|
No known limitations
|
Other:
|
No known limitations
|
|
|
GA
|
Console (federated):
|
Only the v2 UI pages support Workforce Identity Federation.
|
Google Cloud API:
|
Only the v2 API supports identity federation.
|
Other:
|
No known limitations
|
|
|
GA
|
Console (federated):
|
No known limitations
|
Google Cloud API:
|
No known limitations
|
Other:
|
No known limitations
|
|
|
GA
|
Console (federated):
|
No known limitations
|
Google Cloud API:
|
No known limitations
|
Other:
|
No known limitations
|
|
|
GA
|
Console (federated):
|
No known limitations
|
Google Cloud API:
|
No known limitations
|
Other:
|
No known limitations
|
|
|
GA
|
Console (federated):
|
No known limitations
|
Google Cloud API:
|
No known limitations
|
Other:
|
No known limitations
|
|
|
Unsupported
|
Alternatives:
|
No alternatives available
|
|
|
GA
|
Console (federated):
|
When Workforce Identity Federation users create a new model monitoring job, Vertex AI doesn't prefill the alert email input with their email address.
|
Google Cloud API:
|
Vertex AI doesn't send email messages to Workforce Identity Federation users.
|
Other:
|
Colab Enterprise doesn't support Workforce Identity Federation.
|
|
|
Preview
|
Console (federated):
|
|
Google Cloud API:
|
No known limitations
|
Other:
|
No known limitations
|
|
|
GA
|
Console (federated):
|
Video stream playback doesn't work for Workforce Identity Federation users.
|
Google Cloud API:
|
No known limitations
|
Other:
|
No known limitations
|
|
|
Preview
|
Console (federated):
|
No known limitations
|
Google Cloud API:
|
|
Other:
|
No known limitations
|
|
|
GA
|
Console (federated):
|
No known limitations
|
Google Cloud API:
|
No known limitations
|
Other:
|
No known limitations
|
|
|
GA
|
Console (federated):
|
No known limitations
|
Google Cloud API:
|
Identity federation is not supported for LiveConfig and Slate resources when Google Ad Manager (GAM) fields are set.
|
Other:
|
No known limitations
|
|
|
GA
|
Console (federated):
|
No known limitations
|
Google Cloud API:
|
No known limitations
|
Other:
|
No known limitations
|
|
|
Preview
|
Console (federated):
|
Autocomplete suggestions aren't supported when adding user identities in the following fields:
|
Google Cloud API:
|
|
Other:
|
No known limitations
|
|
|
GA
|
Console (federated):
|
No known limitations
|
Google Cloud API:
|
No known limitations
|
Other:
|
No known limitations
|
|
|
GA
|
Console (federated):
|
The Grant button, which grants the Workforce Identity Federation user the Service Account User (roles/iam.serviceAccountUser) role on the project, is inactive.
|
Google Cloud API:
|
The Workflows and Workflow Executions APIs support identity federation; however, when invoking other services during a workflow execution, identity federation isn't supported.
|
Other:
|
No known limitations
|
|