This document describes how you authenticate applications or
workloads that are either running in a production environment on
Compute Engine, or being tested locally for future deployment to the
production environment. You can do the following:
Authenticate your workloads to use Google APIs
Authenticate your workloads to other workloads over mTLS
Authenticate your workloads to use Google APIs
Use the following table to determine which authentication method to use
for your workloads.
Task: Authenticate apps or workloads that are in production
Method: Use the service account that is attached to the VM.

Task: Authorizing apps and workloads that need access to end-user resources
Method: If you are building development or administration tools where users grant you access to their Google Cloud resources, get your application access to user resources by using OAuth 2.0. For detailed instructions, see Using OAuth 2.0 for Web Server Applications. In your request, specify an access scope that limits your access to only the methods and user information that your application requires. For a full list of services and required scopes across Google Cloud, see OAuth 2.0 Scopes for Google APIs.
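The scope guidance above, as an added example that is not part of the original page: an OAuth 2.0 authorization request that fails closed on any scope outside an allowlist, plus a check that the token response grants no more than was requested. The client ID, redirect URI and the choice of the `compute.readonly` scope are assumptions for a hypothetical read-only tool.

```python
import secrets
from urllib.parse import urlencode

AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"
# Assumption: this hypothetical tool only lists Compute Engine resources.
ALLOWED_SCOPES = frozenset({"https://www.googleapis.com/auth/compute.readonly"})


def build_authorization_url(client_id, redirect_uri, scopes):
    """Return (url, state) for a request limited to ALLOWED_SCOPES."""
    requested = set(scopes)
    if not requested:
        raise ValueError("at least one scope is required")
    unexpected = requested - ALLOWED_SCOPES
    if unexpected:
        # Fail closed: a broader scope must be reviewed and allowlisted first.
        raise ValueError(f"scope not allowlisted: {sorted(unexpected)}")
    state = secrets.token_urlsafe(32)  # binds the callback to this request
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "scope": " ".join(sorted(requested)),
        "state": state,
    }
    return f"{AUTH_ENDPOINT}?{urlencode(params)}", state


def granted_scopes_ok(token_response):
    """Check the space-delimited 'scope' field of a token response."""
    granted = set(token_response.get("scope", "").split())
    return bool(granted) and granted <= ALLOWED_SCOPES
```

Store the returned `state` server-side and compare it with the value on the callback before exchanging the authorization code.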
Authenticate your workloads to other workloads over mTLS
You can authenticate applications or workloads using
managed workload identities. This
authentication method uses a service account, certificate authority (CA) pools,
and managed workload identities.
Managed workload identities let you bind strongly attested identities to
your Compute Engine workloads. Google Cloud provisions X.509 credentials
issued from the Certificate Authority Service that can
be used to reliably authenticate your workload with other workloads over
mutual TLS (mTLS)
authentication.
Your workload uses the managed workload identity as its
identity when it authenticates to other workloads using mutual TLS (mTLS),
and uses the service account as its identity when it accesses other
Google Cloud services and resources.
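An added example, not code from the original page or from Google: the receiving side of the mTLS authentication described above. Validating the chain against the CA pool's trust bundle only proves who issued the certificate, so the server also checks which workload identity it names. The file paths, the trust domain and the assumption that the identity is carried as a single URI subject alternative name are placeholders for illustration.

```python
import ssl

# Constructed allowlist of peer identities (placeholder trust domain).
ALLOWED_PEERS = frozenset({"spiffe://trust-domain.example/ns/prod/sa/frontend"})


def server_context(cert_file, key_file, trust_bundle):
    """TLS server context that refuses clients without a valid certificate."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED              # mutual TLS: client must present a cert
    ctx.load_cert_chain(certfile=cert_file, keyfile=key_file)
    ctx.load_verify_locations(cafile=trust_bundle)   # trust only the CA pool's roots
    return ctx


def peer_identity(peercert):
    """Extract the single URI SAN from the dict returned by SSLSocket.getpeercert()."""
    uris = [v for kind, v in peercert.get("subjectAltName", ()) if kind == "URI"]
    if len(uris) != 1:
        # Zero or several URI SANs is ambiguous; treat as unauthenticated.
        raise ValueError("expected exactly one URI subject alternative name")
    return uris[0]


def authorize_peer(peercert, allowed=ALLOWED_PEERS):
    """Return True only when the verified certificate names an allowlisted workload."""
    if not peercert:
        return False
    try:
        return peer_identity(peercert) in allowed
    except ValueError:
        return False
```

After the handshake, call `authorize_peer(conn.getpeercert())` on the accepted `SSLSocket` and close the connection when it returns `False`.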
Preview: This feature is subject to the "Pre-GA Offerings Terms" in the General Service Terms section of the Service Specific Terms. Pre-GA features are available "as is" and might have limited support.

For more information, see Authenticate workloads to other workloads over mTLS.

Last updated 2025-08-26 UTC.