Identity management for Google Cloud

To use Google Cloud, users and workloads need an identity that Google Cloud can recognize.

This page outlines the methods that you can use to configure identities for users and workloads.

User identities

There are several ways to configure user identities so that Google Cloud can recognize them:

  • Create Cloud Identity or Google Workspace accounts: Users with Cloud Identity or Google Workspace accounts can authenticate to Google Cloud and be authorized to use Google Cloud resources. Cloud Identity and Google Workspace accounts are user accounts that are managed by your organization.
  • Set up one of the following federated identity strategies:
    • Federation using Cloud Identity or Google Workspace: Sync external identities with corresponding Cloud Identity or Google Workspace accounts so that users can sign in to Google services with their external credentials. With this method, users need two accounts: an external account, and a Cloud Identity or Google Workspace account. You can keep these accounts synchronized using a tool like Google Cloud Directory Sync (GCDS).
    • Workforce identity federation: Use an external identity provider (IdP) to authenticate and authorize your users, allowing users to sign in to Google Cloud and access Google resources and products with their external credentials. With workforce identity federation, users only need one account: their external account.

To learn more about these methods for setting up user identities, see User identities overview.

Workload identities

Google Cloud provides service accounts to act as identities for workloads. Instead of granting access to a workload directly, you grant access to a service account, then let the workload use the service account as its identity.

There are several ways that you can let a workload use a service account as its identity. The method you can use depends on where your workloads are running.

If you're running workloads on Google Cloud, you can use the following methods to configure workload identities:

  • Attached service accounts: Attach a service account to a resource so that the service account acts as the resource's default identity. Any workloads running on the resource use the service account's identity when accessing Google Cloud services.
  • Short-lived service account credentials: Generate and use short-lived service account credentials whenever your resources need to access Google Cloud services. The most common types of credentials are OAuth 2.0 access tokens and OpenID Connect (OIDC) ID tokens.
  • Google Kubernetes Engine Workload Identity: Allow a Kubernetes service account in your GKE cluster to act as an IAM service account when accessing Google Cloud resources. This type of identity only applies to Google Kubernetes Engine workloads.
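The following is an added example, not code from the Google Cloud documentation, showing both halves of the attached-service-account and short-lived-credential flow described above: how a workload on a VM obtains an OAuth 2.0 access token or an OIDC ID token from the metadata server, and which claim checks a service receiving that ID token performs before trusting it. The metadata-server URLs and the Metadata-Flavor header are the standard Compute Engine ones; the audience URL, the service account e-mail and the token used offline are constructed fixtures, and cryptographic signature verification is injected as a callable rather than implemented here (a production service delegates it to a library that validates against Google's published JWKS).

```python
"""Short-lived credentials for an attached service account, and the checks the
receiving side performs on an OIDC ID token.

Added example, not Google documentation code. Metadata-server endpoints are the
standard Compute Engine ones; the audience, e-mail and token used offline are
constructed fixtures; signature verification is injected, not implemented.
"""
import base64
import json
import time
import urllib.parse
import urllib.request
from typing import Callable, Optional

METADATA_SA = ("http://metadata.google.internal/computeMetadata/v1/"
               "instance/service-accounts/default")
GOOGLE_ISSUERS = {"https://accounts.google.com", "accounts.google.com"}


def metadata_request(kind: str, audience: Optional[str] = None) -> urllib.request.Request:
    """Request a workload on a VM with an attached service account sends to get
    a short-lived credential: kind="token" for an OAuth 2.0 access token,
    kind="identity" for an OIDC ID token bound to `audience`. The mandatory
    Metadata-Flavor header keeps clients that cannot set custom headers (for
    example a browser driven into an SSRF) from reading the endpoint."""
    if kind == "token":
        url = f"{METADATA_SA}/token"
    elif kind == "identity":
        if not audience:
            raise ValueError("an ID token is always minted for a specific audience")
        url = f"{METADATA_SA}/identity?" + urllib.parse.urlencode(
            {"audience": audience, "format": "full"})
    else:
        raise ValueError(f"unknown credential kind {kind!r}")
    return urllib.request.Request(url, headers={"Metadata-Flavor": "Google"})


def fetch_credential(kind: str, audience: Optional[str] = None) -> str:
    """Performs the request; only works on Google Cloud, not exercised offline."""
    with urllib.request.urlopen(metadata_request(kind, audience), timeout=2) as resp:
        body = resp.read().decode()
    return json.loads(body)["access_token"] if kind == "token" else body


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64url(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def id_token_claims(token: str) -> dict:
    """Decode the payload of a compact JWT. Does NOT verify the signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(_unb64url(parts[1]))


def validate_id_token(token: str, expected_aud: str, signature_ok: Callable[[str], bool],
                      now: Optional[float] = None, skew: int = 60) -> dict:
    """Checks a service must make before trusting an ID token presented by a
    workload: the signature is Google's, the issuer is Google, the audience is
    exactly this service (a token minted for another audience is not usable
    here) and the validity window holds, allowing a little clock skew."""
    if not signature_ok(token):
        raise ValueError("signature verification failed")
    claims = id_token_claims(token)
    now = time.time() if now is None else now
    if claims.get("iss") not in GOOGLE_ISSUERS:
        raise ValueError(f"unexpected issuer {claims.get('iss')!r}")
    if claims.get("aud") != expected_aud:
        raise ValueError(f"audience mismatch {claims.get('aud')!r}")
    if now > float(claims.get("exp", 0)) + skew:
        raise ValueError("token expired")
    if float(claims.get("iat", now)) > now + skew:
        raise ValueError("token issued in the future")
    return claims


def rejection_reason(*args, **kwargs) -> Optional[str]:
    """Same checks, returning the failure reason instead of raising (None = accepted)."""
    try:
        validate_id_token(*args, **kwargs)
        return None
    except ValueError as exc:
        return str(exc)


def make_test_token(claims: dict) -> str:
    """Constructed fixture: an RS256-shaped token with a placeholder signature so
    the claim checks can run offline. A real signature verifier must reject it."""
    header = {"alg": "RS256", "typ": "JWT", "kid": "placeholder-kid"}
    enc = lambda obj: _b64url(json.dumps(obj, separators=(",", ":")).encode())
    return f"{enc(header)}.{enc(claims)}.{_b64url(b'placeholder-signature')}"
```

The audience check is the one most often skipped in practice: an ID token is minted for a single audience, so a service that accepts any Google-issued token would also accept tokens the same workload obtained for other services. Requesting `format=full` makes the metadata server include the instance and project claims, which the receiving side can additionally check when it wants to restrict callers to a particular VM or project.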

If you're running workloads outside of Google Cloud, you can use the following methods to configure workload identities:

  • Workload identity federation: Use credentials from external identity providers to generate short-lived credentials, which workloads can use to temporarily impersonate service accounts. Workloads can then access Google Cloud resources, using the service account as their identity.
  • Service account keys: Use the private portion of a service account's public/private RSA key pair to authenticate as the service account.
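The following is an added example, not code from the Google Cloud documentation, showing the message exchange behind workload identity federation as described above: a workload outside Google Cloud presents its external identity provider's credential to the Security Token Service, receives a short-lived federated token, and uses that token to mint a short-lived access token for the service account it impersonates. The endpoint URLs, the RFC 8693 token-type identifiers and the JSON field names are those of the public STS and IAM Credentials APIs; the project number, pool, provider and service account values are placeholders, and the HTTP transport is passed in as a function so that the exchange can be checked offline against canned responses.

```python
"""Workload identity federation token exchange.

Added example, not Google documentation code. Unlike a service account key,
nothing long-lived is stored by the workload: the only credential it holds is
the external IdP's own short-lived token. Endpoints and field names are the
public STS / IAM Credentials APIs; the pool, provider, project number and
service account below are placeholders.
"""
import json
import urllib.request
from typing import Callable, Dict, Optional, Tuple

STS_TOKEN_URL = "https://sts.googleapis.com/v1/token"
IAM_CREDENTIALS_URL = "https://iamcredentials.googleapis.com/v1"
CLOUD_PLATFORM_SCOPE = "https://www.googleapis.com/auth/cloud-platform"

# RFC 8693 token-exchange identifiers accepted by the STS API.
GRANT_TOKEN_EXCHANGE = "urn:ietf:params:oauth:grant-type:token-exchange"
REQUESTED_ACCESS_TOKEN = "urn:ietf:params:oauth:token-type:access_token"
SUBJECT_TOKEN_TYPES = {
    "oidc": "urn:ietf:params:oauth:token-type:jwt",
    "saml": "urn:ietf:params:oauth:token-type:saml2",
    "aws": "urn:ietf:params:aws:token-type:aws4_request",
}

# send(url, json_body, bearer_token_or_None) -> parsed JSON response
Sender = Callable[[str, dict, Optional[str]], dict]


def provider_audience(project_number: str, pool_id: str, provider_id: str) -> str:
    """Names one provider in one workload identity pool. The external IdP must
    issue its token for this audience (or one the provider is configured to
    allow); STS rejects tokens minted for anything else."""
    return (f"//iam.googleapis.com/projects/{project_number}/locations/global/"
            f"workloadIdentityPools/{pool_id}/providers/{provider_id}")


def sts_exchange_body(external_token: str, subject_kind: str, audience: str) -> dict:
    """Message 1 (workload -> STS): trade the external credential for a
    federated access token. The subject token type tells STS how to validate
    the credential against the configured provider."""
    return {
        "grantType": GRANT_TOKEN_EXCHANGE,
        "audience": audience,
        "scope": CLOUD_PLATFORM_SCOPE,
        "requestedTokenType": REQUESTED_ACCESS_TOKEN,
        "subjectToken": external_token,
        "subjectTokenType": SUBJECT_TOKEN_TYPES[subject_kind],
    }


def impersonation_request(service_account: str, lifetime_s: int = 3600) -> Tuple[str, dict]:
    """Message 2 (workload -> IAM Credentials): mint a short-lived access token
    for the service account, authorised by the federated token from message 1.
    The federated principal needs roles/iam.workloadIdentityUser on the account."""
    url = (f"{IAM_CREDENTIALS_URL}/projects/-/serviceAccounts/"
           f"{service_account}:generateAccessToken")
    return url, {"scope": [CLOUD_PLATFORM_SCOPE], "lifetime": f"{lifetime_s}s"}


def http_post_json(url: str, body: dict, bearer: Optional[str] = None) -> dict:
    """Real transport; needs network access and is not exercised offline."""
    headers = {"Content-Type": "application/json"}
    if bearer:
        headers["Authorization"] = f"Bearer {bearer}"
    req = urllib.request.Request(url, data=json.dumps(body).encode(),
                                 headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read().decode())


def federate(external_token: str, subject_kind: str, audience: str,
             service_account: Optional[str] = None,
             send: Sender = http_post_json) -> Dict[str, str]:
    """Run the exchange and return the credential the workload presents to
    Google APIs: the impersonated service account's access token, or the
    federated token itself when no service account is given."""
    sts = send(STS_TOKEN_URL, sts_exchange_body(external_token, subject_kind, audience), None)
    federated = sts["access_token"]
    if service_account is None:
        return {"access_token": federated, "expires_in": str(sts.get("expires_in", ""))}
    url, body = impersonation_request(service_account)
    minted = send(url, body, federated)
    return {"access_token": minted["accessToken"], "expire_time": minted["expireTime"]}
```

Both tokens in this flow expire on their own, so there is nothing for the workload to rotate or for an operator to revoke if a host is decommissioned; the trust relationship lives in the pool and provider configuration, where it can be audited and narrowed with attribute conditions. Compare this with the service account key method, where the workload holds the private half of a long-lived RSA key pair that remains valid until someone deletes it.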

To learn more about these methods for setting up workload identities, see Workload identities overview.