This topic describes authentication information for Workflows. There are two types of authentication discussed on this page:
Access control
For both types of authentication, it's important to understand access control and Workflows's available roles. Roles contain permissions that grant access to resources in Google Cloud. When building a production application, only grant an identity the roles it needs in order to interact with applicable Google Cloud APIs, features, or resources.
For more information about the available Workflows roles, see Workflows access control.
Authenticating to Workflows
Workflows supports the following authentication methods for accessing Workflows resources.
Service accounts
Service accounts are recommended for almost all use cases, whether you are developing locally or in a production application. For more information about setting up authentication with a production application, see Authenticating as a service account. You can grant a service account one or more roles that allow access to resources in Google Cloud, including Workflows resources.
Making authenticated requests from within a workflow
To send authenticated requests, your workflow must be associated with a service account that has been granted one or more Identity and Access Management roles containing the required permissions. You must also explicitly add authentication information to your workflow definition. By default, HTTP requests do not contain identity or access tokens for security reasons.
Each workflow created is associated with an IAM service account at the time the workflow is created. If you don't specify a service account during workflow creation, the workflow uses the default Compute Engine service account for its identity.
When making requests to other Google Cloud services, the workflow must be associated with a service account that has the correct permissions to access the requested resources.
To make an authenticated request within a workflow, you can use either OAuth 2.0 or OpenID Connect (OIDC) depending on the service you are calling.
Use OAuth 2.0 to connect with all Google Cloud APIs, such as the
Compute Engine API or the Firestore API. Any API that ends with a host name of
.googleapis.com
accepts this authentication method.
Use OIDC to connect with Cloud Functions or Cloud Run.
Verifying a workflow's associated service account
To verify which service account is associated with a particular workflow:
Console
Go to the Workflows page in theGoogle Cloud Console:
Go to the Workflows pageOn the Workflows page in the console, select the workflow to be taken to its details page.
On the Workflow details page, select the Definition tab to pull up the workflow's details.
The Definition tab displays the workflow's associated service account.
gcloud
Open a terminal.
Enter the following command:
gcloud beta workflows describe MY_WORKFLOW
Replace MY_WORKFLOW with the name of your workflow.
The command returns the associated service account with the full workflow description:
createTime: '2020-06-05T23:45:34.154213774Z' name: projects/myProject/locations/us-central1/workflows/myWorkflow serviceAccount: projects/my-project/serviceAccounts/012345678901-compute@developer.gserviceaccount.com sourceContents: ...
Making authenticated requests to Google APIs
A workflow's service account can generate OAuth 2.0 tokens that the workflow can
use to authenticate to any Google API. When you use this authentication method,
the workflow authenticates as its associated service account. To make an HTTP
request using the OAuth 2.0 protocol, add an auth
section to the args
section of your workflow's definition, after you specify the URL. In this
example, a request is sent to the Compute Engine API to stop a VM:
- step_A:
call: http.post
args:
url: https://compute.googleapis.com/compute/v1/projects/myproject1234/zones/us-central1-b/instances/myvm001/stop
auth:
type: OAuth2
[scope:]
The scope
parameter is optional, but can be used to specify the OAuth 2.0
scope for the token. By default, it's set to
https://www.googleapis.com/auth/cloud-platform
.
Making requests to Cloud Run or Cloud Functions
When making requests to Cloud Run or Cloud Functions, use OIDC to authenticate.
To make an HTTP request using OIDC, add an auth
section to the args
section
of your workflow's definition, after you specify the URL. In this example, a
request is sent to invoke a Cloud Functions:
- step_A:
call: http.get
args:
url: https://us-central1-project.cloudfunctions.net/functionA
query:
firstNumber: 4
secondNumber: 6
operation: sum
auth:
type: OIDC
[audience:]
The audience
parameter is optional, but can be used to specify the OIDC
audience for the token. By default, it's set to the same value as url
.
What's next
To learn more about Google Cloud authentication, see the Authentication overview.
Learn how to grant, change, and revoke access to resources.
Get started with Workflows by following a quickstart.
Learn how to create a new workflow and update an existing workflow.