English
Deutsch
Español – América Latina
Français
Indonesia
Italiano
Português – Brasil
中文 – 简体
日本語
한국어

Identity reflection for federated workloads

You can use Certificate Authority Service with workload identity pools and identity reflection to federate a third-party identity and obtain a certificate that attests to this identity.

Identity reflection is a special certificate issuance mode that limits an unprivileged certificate requester to requesting certificates with a SAN corresponding to the identity in their credential. For example, an Cloud Service Mesh workload with a federated third-party identity token might be able to request a certificate with a SAN corresponding to its Mesh identity, but cannot request a certificate with any other SAN.

What's next

Learn how to reflect third-party identities using IAM workload identity federation.
Learn more about SPIFFE.

Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2024-10-30 UTC.