Managed workload identities let you bind strongly attested identities to your Compute Engine and Google Kubernetes Engine (GKE) workloads. Google Cloud provisions X.509 credentials issued from Certificate Authority Service that can be used to reliably authenticate your workload with other workloads over mutual TLS (mTLS) authentication.
SPIFFE interoperability
To achieve this interoperability, managed workload identities are based on Secure Production Identity Framework For Everyone (SPIFFE), which defines a framework and set of standards for identifying and securing communications between workloads. In SPIFFE, a managed workload identity is represented using the following formats:
Compute Engine:
spiffe://POOL_ID.global.PROJECT_NUMBER.workload.id.goog/ns/NAMESPACE_ID/sa/MANAGED_IDENTITY_IDGKE:
spiffe://PROJECT_ID.svc.id.goog/ns/KUBERNETES_NAMESPACE/sa/KUBERNETES_SERVICE_ACCOUNT
Resource hierarchy
This section describes managed workload identity resources.
Workload identity pools
Managed workload identities are defined within a workload identity pool, which acts as a trust boundary for all identities within the pool. The workload identity pool forms the trust domain component of the managed workload identity's SPIFFE identifier. We recommend creating a new pool for each logical environment in your organization, such as development, staging, or production.
Namespaces
Within a workload identity pool, managed workload identities are organized into administrative boundaries called namespaces. Namespaces help you organize and grant access to related workload identities.
Attestation policies
Managed workload identity for Compute Engine requires that you configure attestation policies.
Managed workload identity for GKE manages attestation policies for you.
Workload attestation policies let you define which workload can be issued a credential for a managed workload identity based on the workload's verifiable attributes, such as project ID or resource name. A workload attestation policy ensures that only trusted workloads can use the managed identity.
What's next
Configure managed workload identity authentication for Compute Engine.
Learn more about using managed workload identities with Compute Engine workloads.
Try it for yourself
If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.
Get started for free