Managed workload identities overview
Preview: This feature is subject to the "Pre-GA Offerings Terms" in the General Service Terms section of the Service Specific Terms (/terms/service-terms#1). Pre-GA features are available "as is" and might have limited support. For more information, see the launch stage descriptions (/products#product-launch-stages).
Managed workload identities lets you bind strongly attested identities to your
Google Kubernetes Engine (GKE) and Compute Engine workloads.
Google Cloud provisions X.509 credentials and trust anchors that are issued from
Certificate Authority Service. The credentials and
trust anchors can be used to reliably authenticate your workload with other
workloads through mutual TLS (mTLS)
authentication.
Managed workload identities for GKE is available in Preview. Managed workload
identities for Compute Engine is available in Preview, by request
(https://forms.gle/KC1Lq77gMn3kTtWDA).
SPIFFE interoperability
To enable interoperability across dynamic and heterogeneous environments,
managed workload identities is based on Secure Production Identity Framework For Everyone (SPIFFE)
(https://spiffe.io/docs/latest/spiffe-about/spiffe-concepts/).
SPIFFE defines a framework and set of standards for identifying, authenticating,
and securing communications between workloads. SPIFFE workloads are identified
by a unique SPIFFE ID. In Google Cloud, a SPIFFE ID has one of the following
formats:
- Compute Engine workloads:
  `spiffe://POOL_ID.global.PROJECT_NUMBER.workload.id.goog/ns/NAMESPACE_ID/sa/MANAGED_IDENTITY_ID`
- GKE workloads:
  `spiffe://PROJECT_ID.svc.id.goog/ns/KUBERNETES_NAMESPACE/sa/KUBERNETES_SERVICE_ACCOUNT`
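As an added example (not code from the Google Cloud documentation), the following Python parses a SPIFFE ID in the Compute Engine or GKE format this page describes and applies the check a workload should make on an mTLS peer's identity: the peer must sit in the same trust domain (the workload identity pool) and its namespace and identity must be on an allow-list. The character classes assumed for pool and project IDs are approximations, not an official grammar.

```python
"""Parse and check Google Cloud managed workload identity SPIFFE IDs.

Added example, not Google Cloud code. The trust-domain shapes follow the two
formats on this page; the character classes for pool/project IDs are approximations.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Compute Engine trust domain: POOL_ID.global.PROJECT_NUMBER.workload.id.goog
_GCE_TD = re.compile(r"^(?P<pool>[a-z][a-z0-9-]*)\.global\.(?P<project>\d+)\.workload\.id\.goog$")
# GKE trust domain: PROJECT_ID.svc.id.goog
_GKE_TD = re.compile(r"^(?P<project>[a-z][a-z0-9-]{4,28}[a-z0-9])\.svc\.id\.goog$")
# Both formats share the path /ns/<namespace>/sa/<identity>
_PATH = re.compile(r"^/ns/(?P<namespace>[^/]+)/sa/(?P<identity>[^/]+)$")

@dataclass(frozen=True)
class WorkloadId:
    platform: str      # "gce" or "gke"
    trust_domain: str  # workload identity pool (Compute Engine) or cluster project (GKE)
    namespace: str
    identity: str      # MANAGED_IDENTITY_ID or KUBERNETES_SERVICE_ACCOUNT

def parse_spiffe_id(spiffe_id: str) -> WorkloadId:
    """Accept only IDs in one of the two Google Cloud formats; reject everything else."""
    u = urlparse(spiffe_id)
    if (u.scheme != "spiffe" or not u.netloc or "@" in u.netloc or ":" in u.netloc
            or u.params or u.query or u.fragment):
        raise ValueError(f"malformed SPIFFE ID: {spiffe_id!r}")
    td = u.netloc  # trust domains are lowercase by spec; no case folding here
    if _GCE_TD.match(td):
        platform = "gce"
    elif _GKE_TD.match(td):
        platform = "gke"
    else:
        raise ValueError(f"{td!r} is not a Google Cloud managed identity trust domain")
    m = _PATH.match(u.path)
    if not m:
        raise ValueError(f"unexpected SPIFFE path {u.path!r}")
    return WorkloadId(platform, td, m["namespace"], m["identity"])

def authorize_peer(peer_id: str, own_trust_domain: str, allowed: set[tuple[str, str]]) -> bool:
    """mTLS peer check: same pool (trust boundary) AND (namespace, identity) on the
    allow-list. A parse failure is a deny, never an exception."""
    try:
        peer = parse_spiffe_id(peer_id)
    except ValueError:
        return False
    return peer.trust_domain == own_trust_domain and (peer.namespace, peer.identity) in allowed
```

In practice `peer_id` comes from the URI SAN of the peer's X.509 certificate after the TLS library has validated the chain against the pool's trust anchor; this check is the authorization step that follows that authentication.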
Resource hierarchy
This section describes managed workload identity resources.
Workload identity pools
Managed workload identities are defined within a workload identity pool,
which acts as a trust boundary for all identities within the pool. The workload
identity pool forms the trust domain component of the managed workload
identity's SPIFFE identifier. We recommend creating a new pool for each logical
environment in your organization, such as development, staging, or production.
Namespaces
Within a workload identity pool, managed workload identities are organized
into administrative boundaries called namespaces. Namespaces help you
organize and grant access to related workload identities.
Attestation policies
Managed workload identity for Compute Engine requires that you configure
attestation policies.
Managed workload identity for GKE manages attestation policies
for you.
Workload attestation policies let you define which workload can be issued a
credential for a managed workload identity based on the workload's verifiable
attributes, such as project ID or resource name. A workload attestation policy
ensures that only trusted workloads can use the managed identity.
What's next
- Configure managed workload identity authentication for Compute Engine (/iam/docs/create-managed-workload-identities).
- Configure managed workload identity authentication for GKE (/iam/docs/create-managed-workload-identities-gke).
- Learn more about using managed workload identities with Compute Engine workloads (/compute/docs/access/authenticate-workloads-over-mtls).
Try it for yourself
If you're new to Google Cloud, create an account to evaluate how our
products perform in real-world scenarios. New customers also get $300 in
free credits to run, test, and deploy workloads.
Get started for free: https://console.cloud.google.com/freetrial
Last updated 2025-08-28 UTC.