Managed workload identities let you bind strongly attested identities to your Google Kubernetes Engine (GKE) and Compute Engine workloads.
Google Cloud provisions X.509 credentials and trust anchors that are issued from Certificate Authority Service. The credentials and trust anchors can be used to reliably authenticate your workload with other workloads through mutual TLS (mTLS) authentication.
Managed workload identities for GKE is available in Preview. Managed workload identities for Compute Engine is available in Preview, by request. Request access to the managed workload identities for Compute Engine Preview.
SPIFFE interoperability
To enable interoperability across dynamic and heterogeneous environments, managed workload identities are based on the Secure Production Identity Framework For Everyone (SPIFFE). SPIFFE defines a framework and set of standards for identifying, authenticating, and securing communications between workloads. SPIFFE workloads are identified by a unique SPIFFE ID. In Google Cloud, a SPIFFE ID has one of the following formats:
Compute Engine workloads:
spiffe://POOL_ID.global.PROJECT_NUMBER.workload.id.goog/ns/NAMESPACE_ID/sa/MANAGED_IDENTITY_ID
GKE workloads:
spiffe://PROJECT_ID.svc.id.goog/ns/KUBERNETES_NAMESPACE/sa/KUBERNETES_SERVICE_ACCOUNT
Resource hierarchy
This section describes managed workload identity resources.
Workload identity pools
Managed workload identities are defined within a workload identity pool, which acts as a trust boundary for all identities within the pool. The workload identity pool forms the trust domain component of the managed workload identity's SPIFFE identifier. We recommend creating a new pool for each logical environment in your organization, such as development, staging, or production.
Namespaces
Within a workload identity pool, managed workload identities are organized into administrative boundaries called namespaces. Namespaces help you organize and grant access to related workload identities.
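The following Python is an added example, not Google Cloud code. It parses the two SPIFFE ID formats shown above into their trust domain, namespace, and identity components, and then applies a peer-authorization check that treats the pool (for Compute Engine) or project (for GKE) as the trust boundary described in this section. The sample IDs, the allowlist, and the conservative character set assumed for pool IDs, project IDs, namespaces, and identities (lowercase letters, digits, and hyphens) are all constructed for the example.

```python
"""Parse Google Cloud managed workload identity SPIFFE IDs and authorize peers.

Added example (not Google's code). Assumes the two documented SPIFFE ID
formats and a conservative label character set; sample values are constructed.
"""
import re
from dataclasses import dataclass
from typing import Optional, Set, Tuple

# Trust-domain shapes for the two documented formats (assumption: the documented
# placeholders POOL_ID, PROJECT_NUMBER and PROJECT_ID map onto these groups).
_COMPUTE_DOMAIN = re.compile(
    r"^(?P<pool>[a-z][a-z0-9-]*)\.global\.(?P<project_number>[0-9]+)\.workload\.id\.goog$"
)
_GKE_DOMAIN = re.compile(r"^(?P<project>[a-z][a-z0-9-]*)\.svc\.id\.goog$")
# DNS-label style names for the namespace and identity path segments (assumption).
_LABEL = re.compile(r"^[a-z0-9]([a-z0-9-]*[a-z0-9])?$")


@dataclass(frozen=True)
class WorkloadIdentity:
    platform: str      # "compute" or "gke"
    trust_domain: str  # pool-based (Compute Engine) or project-based (GKE)
    namespace: str
    identity: str      # MANAGED_IDENTITY_ID or KUBERNETES_SERVICE_ACCOUNT


def parse_spiffe_id(spiffe_id: str) -> Optional[WorkloadIdentity]:
    """Return the parsed identity, or None if the ID is not one of the two formats."""
    scheme = "spiffe://"
    if not spiffe_id.startswith(scheme):
        return None
    rest = spiffe_id[len(scheme):]
    # A SPIFFE ID carries no userinfo, query string or fragment.
    if any(c in rest for c in "@?#"):
        return None
    trust_domain, sep, path = rest.partition("/")
    if not sep:
        return None
    if _COMPUTE_DOMAIN.match(trust_domain):
        platform = "compute"
    elif _GKE_DOMAIN.match(trust_domain):
        platform = "gke"
    else:
        return None  # not a Google Cloud managed workload identity trust domain
    parts = path.split("/")
    # Expected path is exactly ns/<namespace>/sa/<identity>.
    if len(parts) != 4 or parts[0] != "ns" or parts[2] != "sa":
        return None
    namespace, identity = parts[1], parts[3]
    if not (_LABEL.match(namespace) and _LABEL.match(identity)):
        return None
    return WorkloadIdentity(platform, trust_domain, namespace, identity)


def is_authorized(peer_spiffe_id: str, expected_trust_domain: str,
                  allowed: Set[Tuple[str, str]]) -> bool:
    """Accept a peer only if it is in our own trust domain and on the allowlist.

    The trust-domain comparison is what enforces the pool as a trust boundary:
    an identity with the same namespace and name in another pool is rejected.
    """
    ident = parse_spiffe_id(peer_spiffe_id)
    if ident is None or ident.trust_domain != expected_trust_domain:
        return False
    return (ident.namespace, ident.identity) in allowed


if __name__ == "__main__":
    # Constructed sample IDs and allowlist.
    our_domain = "prod-pool.global.123456789012.workload.id.goog"
    allowed = {("payments", "api-server")}
    for peer in [
        "spiffe://prod-pool.global.123456789012.workload.id.goog/ns/payments/sa/api-server",
        "spiffe://dev-pool.global.123456789012.workload.id.goog/ns/payments/sa/api-server",
        "spiffe://my-project.svc.id.goog/ns/default/sa/frontend",
        "spiffe://evil.example.com/ns/payments/sa/api-server",
    ]:
        print(f"{peer}\n  parsed={parse_spiffe_id(peer)}"
              f"\n  authorized={is_authorized(peer, our_domain, allowed)}")
```

In an mTLS server, `peer_spiffe_id` would come from the URI SAN of the peer's client certificate after the TLS handshake has already verified the chain against the pool's trust anchors; the check above is the authorization step that follows authentication.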
Attestation policies
Managed workload identity for Compute Engine requires that you configure attestation policies.
Managed workload identity for GKE manages attestation policies for you.
Workload attestation policies let you define which workloads can be issued a credential for a managed workload identity, based on the workload's verifiable attributes, such as project ID or resource name. A workload attestation policy ensures that only trusted workloads can use the managed identity.
What's next
Configure managed workload identity authentication for Compute Engine.
Learn more about using managed workload identities with Compute Engine workloads.