Managed workload identities overview

Managed workload identities let you bind strongly attested identities to your Compute Engine workloads. Google Cloud provisions X.509 credentials issued from Certificate Authority Service that your workload can use to reliably authenticate to other workloads over mutual TLS (mTLS).

To achieve this interoperability, managed workload identities are based on Secure Production Identity Framework For Everyone (SPIFFE), which defines a framework and set of standards for identifying and securing communications between workloads. In SPIFFE, a managed workload identity is represented using the format spiffe://POOL_ID.global.PROJECT_NUMBER.workload.id.goog/ns/NAMESPACE_ID/sa/MANAGED_IDENTITY_ID.

Although managed workload identities can be used for authentication to other workloads, they cannot be used for authenticating to Google Cloud APIs.

Resource hierarchy

Managed workload identities are defined within a workload identity pool, which acts as a trust boundary for all identities within the pool. The workload identity pool forms the trust domain component of the managed workload identity's SPIFFE identifier. We recommend creating a new pool for each logical environment in your organization, such as development, staging, or production.

Within a workload identity pool, managed workload identities are organized into administrative boundaries called namespaces. Namespaces help you organize and grant access to related workload identities.
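The SPIFFE identifier format above encodes the whole resource hierarchy: the trust domain (pool ID and project number) and the path (namespace ID and managed identity ID). The following added example, which is not Google's code or library and makes its own assumptions about the allowed characters in each component, parses that format and shows how a receiving workload would use the trust domain as the boundary check when an mTLS peer presents its SPIFFE ID. The `authorize_peer` function and its parameters are illustrative, not part of any Google Cloud API.

```python
"""Parse managed workload identity SPIFFE IDs and enforce the pool trust boundary.

Illustrative code added to this page; it is not Google Cloud's library and the
character classes below are assumptions, not the official validation rules.
"""
import re
from dataclasses import dataclass
from typing import Iterable, Optional

# spiffe://POOL_ID.global.PROJECT_NUMBER.workload.id.goog/ns/NAMESPACE_ID/sa/MANAGED_IDENTITY_ID
# Assumed character classes: pool, namespace and identity IDs are lowercase
# alphanumerics with hyphens; the project number is digits only.
_SPIFFE_RE = re.compile(
    r"^spiffe://(?P<pool>[a-z][a-z0-9-]*)\.global\.(?P<project>[0-9]+)\.workload\.id\.goog"
    r"/ns/(?P<ns>[a-z][a-z0-9-]*)/sa/(?P<sa>[a-z][a-z0-9-]*)$"
)


@dataclass(frozen=True)
class ManagedWorkloadIdentity:
    pool_id: str
    project_number: str
    namespace_id: str
    managed_identity_id: str

    @property
    def trust_domain(self) -> str:
        # The pool (plus project number) is the trust domain of the SPIFFE ID.
        return f"{self.pool_id}.global.{self.project_number}.workload.id.goog"

    def spiffe_id(self) -> str:
        return f"spiffe://{self.trust_domain}/ns/{self.namespace_id}/sa/{self.managed_identity_id}"


def parse_spiffe_id(uri: str) -> ManagedWorkloadIdentity:
    """Parse a managed workload identity SPIFFE ID; raise ValueError on anything else."""
    match = _SPIFFE_RE.match(uri)
    if match is None:
        raise ValueError(f"not a managed workload identity SPIFFE ID: {uri!r}")
    return ManagedWorkloadIdentity(
        pool_id=match.group("pool"),
        project_number=match.group("project"),
        namespace_id=match.group("ns"),
        managed_identity_id=match.group("sa"),
    )


def authorize_peer(
    peer_san_uris: Iterable[str],
    local: ManagedWorkloadIdentity,
    allowed_namespaces: Optional[Iterable[str]] = None,
) -> Optional[ManagedWorkloadIdentity]:
    """Return the peer identity if it is inside our pool (and optionally namespace allow-list).

    peer_san_uris: the URI SANs taken from the peer's verified mTLS certificate.
    Only one SPIFFE ID is accepted; a certificate carrying several is rejected,
    and a peer from another pool is rejected because the pool is the trust boundary.
    """
    spiffe_uris = [u for u in peer_san_uris if u.startswith("spiffe://")]
    if len(spiffe_uris) != 1:
        return None
    try:
        peer = parse_spiffe_id(spiffe_uris[0])
    except ValueError:
        return None
    if peer.trust_domain != local.trust_domain:
        return None
    if allowed_namespaces is not None and peer.namespace_id not in set(allowed_namespaces):
        return None
    return peer


if __name__ == "__main__":
    # Constructed sample values, not real identifiers.
    me = parse_spiffe_id("spiffe://prod-pool.global.123456789012.workload.id.goog/ns/payments/sa/checkout-api")
    peer = authorize_peer(
        ["spiffe://prod-pool.global.123456789012.workload.id.goog/ns/payments/sa/ledger"],
        me,
        allowed_namespaces=["payments"],
    )
    print("accepted:", peer.spiffe_id() if peer else None)
```

In a real deployment the SAN list passed to `authorize_peer` must come from a certificate that the TLS stack has already chain-validated against the pool's CA; the trust-domain comparison is an authorization step layered on top of that, not a substitute for it.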

Before a workload can be issued credentials for a managed workload identity, you must authorize it to use that identity through a workload attestation policy. Workload attestation policies let you define which workloads can be issued a credential for a managed workload identity based on the workload's verifiable attributes, such as project ID or resource name. A workload attestation policy ensures that only trusted workloads can use the managed identity.

You can authorize a workload to use a managed workload identity based on the service account that is attached to the workload.
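To make the attestation-policy semantics concrete, here is an added example that models such a policy as a default-deny set of rules over the attested attributes named above (project ID, resource name, attached service account). It is not Google Cloud's policy schema or API; the `AttestationRule` fields, the `may_issue_credential` function and all sample values are constructed for illustration.

```python
"""Illustrative attestation-policy evaluation for a managed workload identity.

Added example, not Google Cloud's policy format. The attributes are assumed to
have already been verified by the platform before this check runs.
"""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class AttestedWorkload:
    # Verifiable attributes of the requesting workload (constructed sample values).
    project_id: str
    resource_name: str      # platform resource name of the workload
    service_account: str    # service account attached to the workload


@dataclass(frozen=True)
class AttestationRule:
    # Every condition that is set must hold (logical AND). A rule with no
    # conditions would match everything, so it is treated as invalid below.
    service_account: Optional[str] = None
    project_id: Optional[str] = None
    resource_name_prefix: Optional[str] = None

    def is_empty(self) -> bool:
        return self.service_account is None and self.project_id is None and self.resource_name_prefix is None

    def matches(self, workload: AttestedWorkload) -> bool:
        if self.service_account is not None and workload.service_account != self.service_account:
            return False
        if self.project_id is not None and workload.project_id != self.project_id:
            return False
        if self.resource_name_prefix is not None and not workload.resource_name.startswith(self.resource_name_prefix):
            return False
        return True


@dataclass(frozen=True)
class AttestationPolicy:
    managed_identity: str                   # SPIFFE ID this policy governs
    rules: Tuple[AttestationRule, ...] = ()  # any matching rule allows (logical OR)


def may_issue_credential(policy: AttestationPolicy, requested_identity: str, workload: AttestedWorkload) -> bool:
    """Default deny: allow only if the policy covers the requested identity and a non-empty rule matches."""
    if requested_identity != policy.managed_identity:
        return False
    for rule in policy.rules:
        if rule.is_empty():
            # Fail closed on a misconfigured allow-all rule instead of honouring it.
            continue
        if rule.matches(workload):
            return True
    return False


if __name__ == "__main__":
    # Constructed sample policy: only VMs in project "shop-prod" running as the
    # checkout service account may obtain the checkout-api identity.
    identity = "spiffe://prod-pool.global.123456789012.workload.id.goog/ns/payments/sa/checkout-api"
    policy = AttestationPolicy(
        managed_identity=identity,
        rules=(AttestationRule(service_account="checkout@shop-prod.iam.gserviceaccount.com", project_id="shop-prod"),),
    )
    vm = AttestedWorkload("shop-prod", "//compute.googleapis.com/projects/shop-prod/zones/us-central1-a/instances/checkout-1",
                          "checkout@shop-prod.iam.gserviceaccount.com")
    print("issue credential:", may_issue_credential(policy, identity, vm))
```

The two points worth carrying into a real design are that the decision is keyed on attributes the platform verified rather than on anything the workload asserts about itself, and that an empty rule is rejected rather than interpreted as "allow any workload".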
