Choose a workload authentication method
This document describes how you authenticate applications or workloads that are either running in a production environment on Compute Engine, or being tested locally for future deployment to the production environment. You can do the following:
- Authenticate your workloads to use Google APIs
- Authenticate your workloads to other workloads over mTLS
Authenticate your workloads to use Google APIs
Use the following table to determine which authentication method to use for your workloads.
| Task | Method |
|---|---|
| Authenticate apps or workloads that are in production | Use the service account that is attached to the VM. This is the most common method for authenticating apps and workloads that are running on virtual machine (VM) instances on Google Cloud. For detailed instructions, see Authenticate workloads to Google Cloud APIs using service accounts. |
| Authenticate apps or workloads that are in development | Use Google Cloud SDK and Application Default Credentials. For more information, see Set up ADC for a local development environment. |
| Authorizing apps and workloads that need access to end-user resources | If you are building development or administration tools where users grant you access to their Google Cloud resources, get your application access to user resources by using OAuth 2.0. For detailed instructions, see Using OAuth 2.0 for Web Server Applications. In your request, specify an access scope that limits your access to only the methods and user information that your application requires. For a full list of services and required scopes across Google Cloud, see OAuth 2.0 Scopes for Google APIs. |
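
The scope-limiting advice in the last row of the table, as an added example that is not part of the original page or Google's own code: it builds the OAuth 2.0 authorization request for a web server application and refuses to send it if the requested scopes exceed what the tool needs. The client ID, redirect URI, helper names and the `BROAD_SCOPES` policy list are assumptions made for illustration.

```python
import secrets
from urllib.parse import urlencode

# Google's OAuth 2.0 authorization endpoint for web server applications.
AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"

# Policy assumption for this example: scopes treated as too broad for a tool
# that only needs narrow access. Adjust the set to your own review policy.
BROAD_SCOPES = {
    "https://www.googleapis.com/auth/cloud-platform",
    "https://www.googleapis.com/auth/compute",
}


def check_scopes(requested, required):
    """Return a list of problems; an empty list means the request is minimal."""
    requested, required = set(requested), set(required)
    problems = []
    for scope in sorted(requested - required):
        problems.append(f"not required by the application: {scope}")
    for scope in sorted(requested & BROAD_SCOPES):
        problems.append(f"broad scope, prefer a narrower one: {scope}")
    for scope in sorted(required - requested):
        problems.append(f"required but not requested: {scope}")
    return problems


def build_authorization_url(client_id, redirect_uri, scopes, required):
    """Build the consent URL, refusing requests that exceed what is required."""
    problems = check_scopes(scopes, required)
    if problems:
        raise ValueError("; ".join(problems))
    # Anti-CSRF value: store it in the user's session and compare it with the
    # state parameter returned on the redirect before exchanging the code.
    state = secrets.token_urlsafe(32)
    params = {
        "client_id": client_id,          # constructed placeholder in the test
        "redirect_uri": redirect_uri,    # constructed placeholder in the test
        "response_type": "code",
        "scope": " ".join(sorted(scopes)),
        "state": state,
    }
    return f"{AUTH_ENDPOINT}?{urlencode(params)}", state
```
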
Authenticate your workloads to other workloads over mTLS
Preview
This feature is subject to the "Pre-GA Offerings Terms" in the General Service Terms section of the Service Specific Terms. Pre-GA features are available "as is" and might have limited support. For more information, see the launch stage descriptions.
For information about access to this release, see the access request page.
You can authenticate applications or workloads using managed workload identities. This authentication method uses a service account, certificate authority (CA) pools, and managed workload identities.
Managed workload identities let you bind strongly attested identities to your Compute Engine workloads. Google Cloud provisions X.509 credentials issued from the Certificate Authority Service that can be used to reliably authenticate your workload with other workloads over mutual TLS (mTLS) authentication.
Your workload uses the managed workload identity as its identity when it authenticates to other workloads using mutual TLS (mTLS), and uses the service account as its identity when it accesses other Google Cloud services and resources.
For more information, see Authenticate workloads to other workloads over mTLS.
What's next
- Learn more about the following concepts:
Last updated 2025-12-15 UTC.