Identity reflection for federated workloads

You can use Certificate Authority Service with workload identity pools and identity reflection to federate a third-party identity and obtain a certificate that attests to this identity.

Identity reflection is a special certificate issuance mode that limits an unprivileged certificate requester to requesting certificates with a subject alternative name (SAN) corresponding to the identity in their credential. For example, an Cloud Service Mesh workload with a federated third-party identity token might be able to request a certificate with a SAN corresponding to its Mesh identity, but cannot request a certificate with any other SAN.

What's next

Learn how to reflect third-party identities using IAM workload identity federation.
Learn more about SPIFFE .

Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License , and code samples are licensed under the Apache 2.0 License . For details, see the Google Developers Site Policies . Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2025-11-11 UTC.

Create a Mobile Website

View Site in Mobile | Classic

Share by: