Managed workload identities overview

Preview

This feature is subject to the "Pre-GA Offerings Terms" in the General Service Terms section of the Service Specific Terms. Pre-GA features are available "as is" and might have limited support. For more information, see the launch stage descriptions.

Managed workload identities lets you bind strongly attested identities to your Google Kubernetes Engine (GKE) and Compute Engine workloads.

Google Cloud provisions X.509 credentials and trust anchors that are issued from Certificate Authority Service. The credentials and trust anchors can be used to reliably authenticate your workload with other workloads through mutual TLS (mTLS) authentication.

Managed workload identities for GKE is available in Preview. Managed workload identities for Compute Engine is available in Preview, by request. Request access to the managed workload identities for Compute Engine Preview.

SPIFFE interoperability

To enable interoperability across dynamic and heterogeneous environments, managed workload identities is based on Secure Production Identity Framework For Everyone (SPIFFE). SPIFFE defines a framework and set of standards for identifying, authenticating, and securing communications between workloads. SPIFFE workloads are identified by a unique SPIFFE ID. In Google Cloud, a SPIFFE ID has one of the following formats, depending on the platform:

  • Compute Engine workloads:

    spiffe://POOL_ID.global.PROJECT_NUMBER.workload.id.goog/ns/NAMESPACE_ID/sa/MANAGED_IDENTITY_ID

  • GKE workloads:

    spiffe://PROJECT_ID.svc.id.goog/ns/KUBERNETES_NAMESPACE/sa/KUBERNETES_SERVICE_ACCOUNT

Resource hierarchy

This section describes managed workload identity resources.

Workload identity pools

Managed workload identities are defined within a workload identity pool, which acts as a trust boundary for all identities within the pool. The workload identity pool forms the trust domain component of the managed workload identity's SPIFFE identifier. We recommend creating a new pool for each logical environment in your organization, such as development, staging, or production.

Namespaces

Within a workload identity pool, managed workload identities are organized into administrative boundaries called namespaces. Namespaces help you organize and grant access to related workload identities.
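The two SPIFFE ID formats listed above, together with the pool-as-trust-domain and namespace-as-administrative-boundary model, are enough to write a strict peer-identity check for an mTLS server. The following Go program is an added example and is not Google Cloud code or part of any Google library: it parses a presented SPIFFE ID into its trust domain (pool or GKE project), namespace and service account, rejects anything that does not match one of the two documented shapes, and then authorizes the peer against an allow-list keyed on trust domain and namespace. The pool name, project number, project ID, namespaces and service accounts in the sample are constructed placeholders, and the `AllowRule` structure is this example's own, not a Google Cloud policy format.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// WorkloadID is the parsed form of a Google Cloud managed workload identity
// SPIFFE ID. Platform is "compute" or "gke", decided by the trust-domain shape.
type WorkloadID struct {
	TrustDomain    string // e.g. "POOL_ID.global.PROJECT_NUMBER.workload.id.goog" or "PROJECT_ID.svc.id.goog"
	Platform       string // "compute" or "gke"
	PoolID         string // Compute Engine only
	ProjectNumber  string // Compute Engine only
	ProjectID      string // GKE only
	Namespace      string // the /ns/<...> path segment
	ServiceAccount string // the /sa/<...> path segment
}

// Trust-domain shapes taken from the two formats documented on this page.
var (
	computeDomain = regexp.MustCompile(`^([a-z0-9-]+)\.global\.([0-9]+)\.workload\.id\.goog$`)
	gkeDomain     = regexp.MustCompile(`^([a-z][a-z0-9-]*)\.svc\.id\.goog$`)
)

// ParseWorkloadID parses and validates a SPIFFE ID in one of the two Google Cloud
// formats. Any other scheme, trust domain, or path layout is rejected so that an
// authorization decision is never made on a partially understood identifier.
func ParseWorkloadID(raw string) (WorkloadID, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return WorkloadID{}, err
	}
	if u.Scheme != "spiffe" || u.Host == "" || u.User != nil || u.RawQuery != "" || u.Fragment != "" {
		return WorkloadID{}, errors.New("not a well-formed SPIFFE ID")
	}
	// The path must be exactly /ns/<namespace>/sa/<service-account>.
	parts := strings.Split(strings.TrimPrefix(u.Path, "/"), "/")
	if len(parts) != 4 || parts[0] != "ns" || parts[2] != "sa" || parts[1] == "" || parts[3] == "" {
		return WorkloadID{}, errors.New("path must be /ns/<namespace>/sa/<service-account>")
	}
	id := WorkloadID{TrustDomain: u.Host, Namespace: parts[1], ServiceAccount: parts[3]}
	switch {
	case computeDomain.MatchString(u.Host):
		m := computeDomain.FindStringSubmatch(u.Host)
		id.Platform, id.PoolID, id.ProjectNumber = "compute", m[1], m[2]
	case gkeDomain.MatchString(u.Host):
		m := gkeDomain.FindStringSubmatch(u.Host)
		id.Platform, id.ProjectID = "gke", m[1]
	default:
		return WorkloadID{}, fmt.Errorf("unrecognised trust domain %q", u.Host)
	}
	return id, nil
}

// AllowRule is this example's own (hypothetical) authorization rule: a peer is
// allowed when its trust domain and namespace both match. An empty
// ServiceAccount means any service account in that namespace.
type AllowRule struct {
	TrustDomain, Namespace, ServiceAccount string
}

// Authorize reports whether the presented SPIFFE ID is covered by any rule.
// The trust domain is always compared, so an identity from a different pool
// (for example a dev pool) never matches a production rule even if the
// namespace and service-account names are identical.
func Authorize(raw string, rules []AllowRule) (bool, error) {
	id, err := ParseWorkloadID(raw)
	if err != nil {
		return false, err
	}
	for _, r := range rules {
		if r.TrustDomain == id.TrustDomain && r.Namespace == id.Namespace &&
			(r.ServiceAccount == "" || r.ServiceAccount == id.ServiceAccount) {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	// Constructed sample: only the "payments" namespace of the prod pool may call us.
	rules := []AllowRule{{TrustDomain: "prod-pool.global.123456789012.workload.id.goog", Namespace: "payments"}}
	for _, peer := range []string{
		"spiffe://prod-pool.global.123456789012.workload.id.goog/ns/payments/sa/checkout",
		"spiffe://dev-pool.global.123456789012.workload.id.goog/ns/payments/sa/checkout",
		"spiffe://my-project.svc.id.goog/ns/payments/sa/checkout",
		"https://prod-pool.global.123456789012.workload.id.goog/ns/payments/sa/checkout",
	} {
		ok, err := Authorize(peer, rules)
		fmt.Printf("%-85s allowed=%v err=%v\n", peer, ok, err)
	}
}
```

In a real server the `raw` string would come from the URI SAN of the peer's verified X.509 certificate after the mTLS handshake has already checked it against the pool's trust anchor; the parse step here is deliberately strict because an identifier that is merely "close" to a Google Cloud SPIFFE ID should be treated as untrusted rather than coerced into a match.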

Attestation policies

Managed workload identity for Compute Engine requires that you configure attestation policies.

Managed workload identity for GKE manages attestation policies for you.

Workload attestation policies let you define which workload can be issued a credential for a managed workload identity based on the workload's verifiable attributes, such as project ID or resource name. A workload attestation policy ensures that only trusted workloads can use the managed identity.


Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2025-12-15 UTC.