Identity reflection for federated workloads
You can use Certificate Authority Service with workload identity pools and identity reflection to federate a third-party identity and obtain a certificate that attests to this identity.
Identity reflection is a special certificate issuance mode that limits an unprivileged certificate requester to requesting certificates whose SAN corresponds to the identity in its own credential. For example, a Cloud Service Mesh workload with a federated third-party identity token might be able to request a certificate with a SAN corresponding to its Mesh identity, but cannot request a certificate with any other SAN.
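The following is an added example, not code from this page or from Certificate Authority Service: a small Python model of the policy that identity reflection enforces, where the federated credential alone determines the single URI SAN the requester may ask for. The `sub` claim as the carrier of the SPIFFE ID, the `CertRequest` shape, and the `authorize` function are assumptions made for illustration; the sample token and requests are constructed.

```python
"""Illustrative model of identity reflection (hypothetical, not the CA Service API).

Assumptions: the federated credential carries the workload's SPIFFE ID in its
"sub" claim, and the requester submits the SANs it wants as a CertRequest.
"""
from __future__ import annotations

from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class CertRequest:
    """SANs a requester asks for (assumed shape, not a real CSR parser)."""
    uri_sans: tuple[str, ...]
    dns_sans: tuple[str, ...] = ()
    ip_sans: tuple[str, ...] = ()


def normalize_spiffe_id(value: str) -> str:
    """Canonicalize a SPIFFE ID so equivalent spellings compare equal.

    Scheme and trust domain are case-insensitive; the path is case-sensitive.
    Query, fragment, userinfo and port are not allowed in a SPIFFE ID.
    """
    parts = urlsplit(value.strip())
    if parts.scheme.lower() != "spiffe" or not parts.netloc:
        raise ValueError(f"not a SPIFFE ID: {value!r}")
    if parts.query or parts.fragment or "@" in parts.netloc or ":" in parts.netloc:
        raise ValueError(f"malformed SPIFFE ID: {value!r}")
    return f"spiffe://{parts.netloc.lower()}{parts.path}"


def reflected_identity(token_claims: dict) -> str:
    """Identity the credential attests to; assumed to live in the "sub" claim."""
    return normalize_spiffe_id(token_claims["sub"])


def authorize(token_claims: dict, request: CertRequest) -> tuple[bool, str]:
    """Allow the request only if every SAN is exactly the reflected identity.

    Returns (allowed, reason). An unprivileged requester gets no DNS or IP
    SANs and no URI SAN other than its own identity.
    """
    identity = reflected_identity(token_claims)
    if request.dns_sans or request.ip_sans:
        return False, "only the URI SAN of the reflected identity is permitted"
    if not request.uri_sans:
        return False, "request carries no SAN to reflect"
    for san in request.uri_sans:
        try:
            if normalize_spiffe_id(san) != identity:
                return False, f"SAN {san!r} does not match reflected identity {identity!r}"
        except ValueError as exc:
            return False, str(exc)
    return True, identity


# Constructed sample credential for a mesh workload.
SAMPLE_TOKEN = {"sub": "spiffe://example.org/ns/default/sa/frontend"}

if __name__ == "__main__":
    own = CertRequest(uri_sans=("spiffe://example.org/ns/default/sa/frontend",))
    other = CertRequest(uri_sans=("spiffe://example.org/ns/default/sa/backend",))
    extra_dns = CertRequest(uri_sans=own.uri_sans, dns_sans=("frontend.internal",))
    for label, req in (("own identity", own), ("other identity", other), ("extra DNS SAN", extra_dns)):
        print(label, "->", authorize(SAMPLE_TOKEN, req))
```

The check deliberately canonicalizes before comparing, so a differently cased trust domain cannot slip past the equality test, and it rejects any additional SAN type outright rather than filtering it, which keeps the decision auditable: the requester either gets exactly its reflected identity or nothing.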
What's next
- Learn how to reflect third-party identities using IAM workload identity federation.
- Learn more about SPIFFE.