Choose a workload authentication method


This document describes how you authenticate applications or workloads that are either running in a production environment on Compute Engine, or being tested locally for future deployment to the production environment. You can do the following:

  • Authenticate your workloads to use Google APIs
  • Authenticate your workloads to other workloads over mTLS

Authenticate your workloads to use Google APIs

Use the following table to determine which authentication method to use for your workloads.

Task Method
Authenticate apps or workloads that are in production

Use the service account that is attached to the VM.


This is the most common method for authenticating apps and workloads that are running on virtual machine (VM) instances on Google Cloud. For detailed instructions, see Authenticate workloads to Google Cloud APIs using service accounts.

Authenticate apps or workloads that are in development Use Google Cloud SDK and Application Default Credentials. For more information, see Set up ADC for a local development environment.
Authorizing apps and workloads that need access to end-user resources

If you are building development or administration tools where users grant you access to their Google Cloud resources, get your application access to user resources by using OAuth 2.0. For detailed instructions, see Using OAuth 2.0 for Web Server Applications.


In your request, specify an access scope that limits your access to only the methods and user information that your application requires. For a full list of services and required scopes across Google Cloud, see OAuth 2.0 Scopes for Google APIs.

Authenticate your workloads to other workloads over mTLS

You can authenticate applications or workloads using managed workload identities. This authentication method uses a service account, certificate authority (CA) pools, and managed workload identities.

Managed workload identities let you bind strongly attested identities to your Compute Engine workloads. Google Cloud provisions X.509 credentials issued from the Certificate Authority Service that can be used to reliably authenticate your workload with other workloads over mutual TLS (mTLS) authentication.

Your workload uses the managed workload identity as its identity when it authenticates to other workloads using mutual TLS (mTLS), and uses the service account as its identity when it accesses other Google Cloud services and resources.

For more information, see Authenticate workloads to other workloads over mTLS.

What's next