Stay organized with collections
Save and categorize content based on your preferences.
To use Google Cloud, users and workloads need an identity that
Google Cloud can recognize.
This page outlines the methods that you can use to configure identities for
users and workloads.
User identities
There are several ways to configure user identities so that Google Cloud
can recognize them:
Create Cloud Identity or Google Workspace accounts: Users with
Cloud Identity or Google Workspace accounts can authenticate
to Google Cloud and be authorized to use Google Cloud resources.
Cloud Identity and Google Workspace accounts are user accounts
that are managed by your organization.
Set up one of the following federated identity strategies:
Federation using Cloud Identity or Google Workspace:
Sync external identities with corresponding Cloud Identity or
Google Workspace accounts so that users can sign in to Google
services with their external credentials. With this method, users need two
accounts: an external account, and a Cloud Identity or
Google Workspace account. You can keep these accounts synchronized
using a tool like Google Cloud Directory Sync
(GCDS).
Workforce Identity Federation: Use your external identity provider (IdP)
to sign in your users to Google Cloud and let them access
Google Cloud resources and products.
With Workforce Identity Federation, users need only one account: their
external account. This type of user identity is sometimes referred to as a
federated identity.
Google Cloud provides the following types of identity services for workloads:
Workload Identity Federation
lets your workloads access most Google Cloud services by using an
identity that is provided by an IdP. Workloads that use
Workload Identity Federation can run on Google Cloud,
Google Kubernetes Engine (GKE), or other platforms, such as AWS, Azure, and
GitHub.
Google Cloud service accounts can act as
identities for workloads. Instead of granting access to a workload directly,
you grant access to a service account, then let the workload use the service
account as its identity.
Managed workload identities(Preview)
let you bind strongly attested identities to your Compute Engine
workloads. You can use managed workload identities to authenticate your
workloads to other workloads using mutual TLS (mTLS),
but they cannot be used for authenticating to Google Cloud APIs.
The methods that you can use depend on where your workloads are running.
If you're running workloads on Google Cloud, you can use the following
methods to configure workload identities:
Workload Identity Federation for GKE: Grant IAM access to
GKE clusters and Kubernetes service accounts. Doing so lets the
clusters' workloads access most Google Cloud services directly, without
using IAM service account impersonation.
Attached service accounts: Attach a service account to a resource so that
the service account acts as the resource's default identity. Any workloads
running on the resource use the service account's identity when accessing
Google Cloud services.
Short-lived service account credentials: Generate and use short-lived
service account credentials whenever your resources need to access to
Google Cloud services. The most common types of credentials are
OAuth 2.0 access tokens and OpenID Connect (OIDC) ID tokens.
If you're running workloads outside of Google Cloud, you can use the
following methods to configure workload identities:
Workload Identity Federation: Use credentials from external identity
providers to generate short-lived credentials, which workloads can use to
temporarily impersonate service accounts. Workloads can then access
Google Cloud resources, using the service account as their identity.
Service account keys: Use the private portion of a service account's
public/private RSA key pair to authenticate as the service account.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-28 UTC."],[[["\u003cp\u003eGoogle Cloud requires users and workloads to have a recognizable identity for access.\u003c/p\u003e\n"],["\u003cp\u003eUser identities can be established through Cloud Identity/Google Workspace accounts or by setting up federated identity strategies.\u003c/p\u003e\n"],["\u003cp\u003eWorkload identities on Google Cloud can use Workload Identity Federation, Google Cloud service accounts, or managed workload identities.\u003c/p\u003e\n"],["\u003cp\u003eWorkload identities for workloads outside of Google Cloud can leverage Workload Identity Federation or service account keys, with the latter carrying security risks.\u003c/p\u003e\n"],["\u003cp\u003eThe method to choose to configure a workload identity depends on where the workloads are running, in or out of Google cloud.\u003c/p\u003e\n"]]],[],null,["# Identity management for Google Cloud\n\nTo use Google Cloud, users and workloads need an identity that\nGoogle Cloud can recognize.\n\nThis page outlines the methods that you can use to configure identities for\nusers and workloads.\n\nUser identities\n---------------\n\nThere are several ways to configure user identities so that Google Cloud\ncan recognize them:\n\n- **Create Cloud Identity or Google Workspace accounts**: Users with Cloud Identity or Google Workspace accounts can authenticate to Google Cloud and be authorized to use Google Cloud resources. Cloud Identity and Google Workspace accounts are user accounts that are managed by your organization.\n\n| **Note:** Google Workspace accounts may have one or more *[alternate email addresses (email alias)](https://support.google.com/a/answer/33327)* . If you grant a role to a principal's *email alias* , the role is granted to the *primary email* instead. It's not possible to grant a role to only the *email alias*.\n| **Warning:** Granting a role to a principal's *email alias* reveals the *primary email*.\n\n- **Set up one of the following federated identity strategies**:\n\n - **Federation using Cloud Identity or Google Workspace** : Sync external identities with corresponding Cloud Identity or Google Workspace accounts so that users can sign in to Google services with their external credentials. With this method, users need two accounts: an external account, and a Cloud Identity or Google Workspace account. You can keep these accounts synchronized using a tool like [Google Cloud Directory Sync\n (GCDS)](https://tools.google.com/dlpage/dirsync/).\n - **Workforce Identity Federation** : Use your external identity provider (IdP) to sign in your users to Google Cloud and let them access Google Cloud resources and products. With Workforce Identity Federation, users need only one account: their external account. This type of user identity is sometimes referred to as a *federated identity*.\n\nTo learn more about these methods for setting up user identities, see\n[User identities overview](/iam/docs/user-identities).\n\nWorkload identities\n-------------------\n\nGoogle Cloud provides the following types of identity services for workloads:\n\n- [**Workload Identity Federation**](/iam/docs/workload-identity-federation)\n lets your workloads access most Google Cloud services by using an\n identity that is provided by an IdP. Workloads that use\n Workload Identity Federation can run on Google Cloud,\n Google Kubernetes Engine (GKE), or other platforms, such as AWS, Azure, and\n GitHub.\n\n- [**Google Cloud service accounts**](/iam/docs/service-account-overview) can act as\n identities for workloads. Instead of granting access to a workload directly,\n you grant access to a service account, then let the workload use the service\n account as its identity.\n\n- [**Managed workload identities**](/iam/docs/managed-workload-identity) [**(Preview)**](/products#product-launch-stages)\n let you bind strongly attested identities to your Compute Engine\n workloads. You can use managed workload identities to authenticate your\n workloads to other workloads using [mutual TLS (mTLS)](https://en.wikipedia.org/wiki/Mutual_authentication),\n but they cannot be used for authenticating to Google Cloud APIs.\n\nThe methods that you can use depend on where your workloads are running.\n\nIf you're running workloads on Google Cloud, you can use the following\nmethods to configure workload identities:\n\n- **Workload Identity Federation for GKE**: Grant IAM access to\n GKE clusters and Kubernetes service accounts. Doing so lets the\n clusters' workloads access most Google Cloud services directly, without\n using IAM service account impersonation.\n\n- **Attached service accounts**: Attach a service account to a resource so that\n the service account acts as the resource's default identity. Any workloads\n running on the resource use the service account's identity when accessing\n Google Cloud services.\n\n- **Short-lived service account credentials**: Generate and use short-lived\n service account credentials whenever your resources need to access to\n Google Cloud services. The most common types of credentials are\n OAuth 2.0 access tokens and OpenID Connect (OIDC) ID tokens.\n\nIf you're running workloads outside of Google Cloud, you can use the\nfollowing methods to configure workload identities:\n\n- **Workload Identity Federation**: Use credentials from external identity providers to generate short-lived credentials, which workloads can use to temporarily impersonate service accounts. Workloads can then access Google Cloud resources, using the service account as their identity.\n- **Service account keys**: Use the private portion of a service account's\n public/private RSA key pair to authenticate as the service account.\n\n | **Important:** Service account keys are a security risk if not managed correctly. You should [choose a more secure alternative to service account keys](/docs/authentication#auth-decision-tree) whenever possible. If you must authenticate with a service account key, you are responsible for the security of the private key and for other operations described by [Best practices for managing service account keys](/iam/docs/best-practices-for-managing-service-account-keys). If you are prevented from creating a service account key, service account key creation might be disabled for your organization. For more information, see [Managing secure-by-default organization resources](/resource-manager/docs/secure-by-default-organizations).\n |\n |\n | If you acquired the service account key from an external source, you must validate it before use.\n | For more information, see [Security requirements for externally sourced credentials](/docs/authentication/external/externally-sourced-credentials).\n\nTo learn more about these methods for setting up workload identities, see\n[Workload identities overview](/iam/docs/workload-identities)."]]
