The managed workload identity feature is a part of the Identity and Access Management API. Managed workload identity simplifies mTLS by automatically provisioning and managing X.509 certificates from the Certificate Authority Service.
Managed workload identity is based on the Secure Production Identity Framework For Everyone (SPIFFE) standard, which provides a framework for identifying, authenticating, and securing communications between workloads using a unique SPIFFE ID.
This page discusses managed workload identity in the context of assigning a managed identity to a load balancer for mTLS authentication. To learn more about managed workload identity for other workloads, see Managed workload identities overview.
SPIFFE ID
A managed identity is represented by a SPIFFE ID. The SPIFFE ID is a URI that uniquely identifies a workload—in the case of backend mTLS, the workload is the backend service of a load balancer. It is formatted as follows:

```
spiffe://TRUST_DOMAIN_NAME/ns/NAMESPACE_ID/sa/MANAGED_IDENTITY_ID
```
A TRUST_DOMAIN_NAME is further expanded as follows:

```
WORKLOAD_IDENTITY_POOL_ID.global.PROJECT_NUMBER.workload.id.goog
```
To bring it all together, Compute Engine workloads, such as the backend service resource of a load balancer, can have a managed identity as follows:

```
spiffe://WORKLOAD_IDENTITY_POOL_ID.global.PROJECT_NUMBER.workload.id.goog/ns/NAMESPACE_ID/sa/MANAGED_IDENTITY_ID
```
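The following parser shows how the SPIFFE ID format above decomposes into its four components and how the trust domain is derived from the pool ID and project number. It is an added example, not code from the page or from Google Cloud; the permitted characters per segment, the sample pool name, project number, namespace and identity names are all assumptions constructed for the example.

```python
import re
from dataclasses import dataclass

# Shape of a managed workload identity SPIFFE ID as described on this page:
#   spiffe://POOL.global.PROJECT_NUMBER.workload.id.goog/ns/NAMESPACE/sa/IDENTITY
# The permitted characters per segment are an assumption made for this example,
# not Google Cloud's published validation rules.
_SEGMENT = r"[a-z0-9][a-z0-9_-]*"
_MANAGED_IDENTITY_RE = re.compile(
    r"^spiffe://"
    rf"(?P<pool>{_SEGMENT})\.global\.(?P<project>[0-9]+)\.workload\.id\.goog"
    rf"/ns/(?P<namespace>{_SEGMENT})"
    rf"/sa/(?P<identity>{_SEGMENT})$"
)


@dataclass(frozen=True)
class ManagedIdentity:
    pool_id: str
    project_number: str
    namespace_id: str
    identity_id: str

    @property
    def trust_domain(self) -> str:
        # WORKLOAD_IDENTITY_POOL_ID.global.PROJECT_NUMBER.workload.id.goog
        return f"{self.pool_id}.global.{self.project_number}.workload.id.goog"

    @property
    def spiffe_id(self) -> str:
        # Rebuilds the full SPIFFE ID from the parsed components.
        return f"spiffe://{self.trust_domain}/ns/{self.namespace_id}/sa/{self.identity_id}"


def parse_managed_identity(spiffe_id: str) -> ManagedIdentity:
    """Split a managed identity SPIFFE ID into its components, or raise ValueError."""
    m = _MANAGED_IDENTITY_RE.match(spiffe_id)
    if m is None:
        raise ValueError(f"not a managed workload identity SPIFFE ID: {spiffe_id!r}")
    return ManagedIdentity(m["pool"], m["project"], m["namespace"], m["identity"])


def is_managed_identity(spiffe_id: str) -> bool:
    """True only for IDs that follow the managed identity layout exactly."""
    try:
        parse_managed_identity(spiffe_id)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample values; the pool, project number and names are not real resources.
    sample = "spiffe://lb-pool.global.123456789012.workload.id.goog/ns/prod/sa/backend-svc"
    ident = parse_managed_identity(sample)
    print("trust domain:", ident.trust_domain)
    print("namespace:", ident.namespace_id, "identity:", ident.identity_id)
    for candidate in (
        sample,
        "spiffe://example.org/ns/prod/sa/backend-svc",                     # not a managed identity trust domain
        "spiffe://lb-pool.global.123456789012.workload.id.goog/ns/prod",   # missing the /sa/ segment
    ):
        print(candidate, "->", is_managed_identity(candidate))
```

The regex is anchored at both ends, so an ID with extra path segments or a trust domain that merely ends in `workload.id.goog` is rejected rather than partially matched.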
The following section describes the different managed workload identity resources.
Managed workload identity resource hierarchy
To set up a managed workload identity for a load balancer, you need to create the following resources. These resources are described in the following sections of this document.
- Workload identity pool
- Namespace
- Managed workload identity
- Attestation policy
Workload identity pool
Managed workload identities are defined within a workload identity pool, which serves as a trust domain.
The trust domain represents a logical security boundary within which workloads can authenticate and authorize each other by using their SPIFFE IDs. All workloads within the same trust domain share a common root of trust, which lets the workloads verify each other's identities.
To use managed identities, you need to configure the workload identity pool in TRUST_DOMAIN mode. All identities within a pool consist of a single namespace and an individual workload identifier.
In the following diagram, the load balancer and the backend are a part of the same trust domain, sharing the same root certificate. The root certificate is used to build a trust chain and verify the identity of the workloads within the trust domain.
By default, your workloads within the same trust domain can mutually authenticate using managed workload identities. If you want workloads that are in different trust domains to mutually authenticate, then you need to explicitly declare the trust relationship in the workload identity pool. You do this by creating an inline trust config that recognizes and accepts certificates from other trust domains.
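The trust rule just described (same trust domain accepted by default, other trust domains only when an inline trust config lists them) can be modelled as choosing which root bundle a peer's certificate chain must verify against. This is an added illustration, not Google Cloud's implementation or configuration schema; the PoolTrustConfig class, the bundle names and the trust domains are assumptions constructed for the example, and the actual chain verification against the selected bundle is left to the TLS layer.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional
from urllib.parse import urlparse


@dataclass(frozen=True)
class PoolTrustConfig:
    """Simplified model (an assumption for this example) of a pool's trust configuration."""
    local_trust_domain: str      # trust domain of this workload identity pool
    local_root_bundle: str       # root bundle shared by every workload in the pool
    # Foreign trust domains explicitly accepted through an inline trust config,
    # mapped to the root bundle used to verify certificates from that domain.
    inline_trust: Dict[str, str] = field(default_factory=dict)


def trust_domain_of(spiffe_id: str) -> str:
    """The trust domain is the authority component of a spiffe:// URI."""
    parsed = urlparse(spiffe_id)
    if parsed.scheme != "spiffe" or not parsed.netloc:
        raise ValueError(f"not a SPIFFE ID: {spiffe_id!r}")
    return parsed.netloc


def select_root_bundle(cfg: PoolTrustConfig, peer_spiffe_id: str) -> Optional[str]:
    """Return the root bundle the peer's chain must verify against, or None to reject.

    Same trust domain: accepted by default, verified against the shared root.
    Other trust domain: accepted only if the inline trust config lists it.
    The chain verification itself happens in the TLS handshake, not here.
    """
    domain = trust_domain_of(peer_spiffe_id)
    if domain == cfg.local_trust_domain:
        return cfg.local_root_bundle
    return cfg.inline_trust.get(domain)


if __name__ == "__main__":
    # Constructed sample configuration; none of these are real pools or bundles.
    cfg = PoolTrustConfig(
        local_trust_domain="lb-pool.global.123456789012.workload.id.goog",
        local_root_bundle="lb-pool-root",
        inline_trust={"partner-pool.global.210987654321.workload.id.goog": "partner-root"},
    )
    for peer in (
        "spiffe://lb-pool.global.123456789012.workload.id.goog/ns/prod/sa/backend-svc",
        "spiffe://partner-pool.global.210987654321.workload.id.goog/ns/shared/sa/reporting",
        "spiffe://unknown-pool.global.111111111111.workload.id.goog/ns/x/sa/y",
    ):
        bundle = select_root_bundle(cfg, peer)
        print(peer, "->", bundle if bundle else "REJECT (no trust relationship declared)")
```

Keeping the lookup keyed on the whole trust domain, rather than on a suffix such as `workload.id.goog`, is what prevents a certificate from an unrelated pool being accepted merely because it was issued under the same managed identity naming scheme.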
Namespace
Within a workload identity pool, managed workload identities are organized into administrative boundaries called namespaces. Namespaces help you organize and grant access to related workload identities.
Managed workload identity
Managed workload identity or managed identity is a workload identifier that is configured in a workload identity pool. It is attached to a Google Cloud resource. Each managed identity is uniquely identified by a namespace and an individual workload identifier.
In the context of achieving backend mTLS, the managed identity is attached to the backend service resource of the load balancer.
The value of a managed identity is a fully specified SPIFFE ID that must conform to the following format:

```
spiffe://WORKLOAD_IDENTITY_POOL_ID.global.PROJECT_NUMBER.workload.id.goog/ns/NAMESPACE_ID/sa/MANAGED_IDENTITY_ID
```
Attestation policy
Managed workload identity for Compute Engine resources requires that you configure attestation policies.
Workload attestation policies contain rules that specify which workloads can be issued an X.509 certificate for a managed workload identity. Attestation policies use verifiable workload attributes—such as project ID or resource name—to ensure that only trusted workloads can use a particular managed identity.
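To make the role of an attestation policy concrete, here is a small evaluator that gates certificate issuance on verified workload attributes. It is an added example, not Google Cloud's policy schema or evaluation engine; the rule structure, the attribute keys (`project_id`, `resource_name`) and every sample value are assumptions constructed for the example. A rule with no attributes would match every workload, so the model rejects it at construction time.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class AttestationRule:
    """One rule: every listed attribute must equal the workload's verified attribute."""
    required: Dict[str, str]

    def __post_init__(self) -> None:
        # all() over an empty mapping is True, which would let any workload qualify.
        if not self.required:
            raise ValueError("an attestation rule must require at least one attribute")


@dataclass(frozen=True)
class AttestationPolicy:
    managed_identity: str         # SPIFFE ID whose certificate issuance this policy governs
    rules: List[AttestationRule]  # a workload qualifies if ANY rule matches


def rule_matches(rule: AttestationRule, attributes: Dict[str, str]) -> bool:
    """Exact match on every required attribute; a missing attribute never matches."""
    return all(attributes.get(key) == value for key, value in rule.required.items())


def may_issue_certificate(policy: AttestationPolicy, attributes: Dict[str, str]) -> bool:
    """True if the attested attributes satisfy at least one rule of the policy."""
    return any(rule_matches(rule, attributes) for rule in policy.rules)


def identities_for_workload(policies: List[AttestationPolicy], attributes: Dict[str, str]) -> List[str]:
    """Every managed identity the workload could be issued a certificate for."""
    return [p.managed_identity for p in policies if may_issue_certificate(p, attributes)]


if __name__ == "__main__":
    # Constructed sample policy and attributes; not real projects or resources.
    backend_policy = AttestationPolicy(
        managed_identity="spiffe://lb-pool.global.123456789012.workload.id.goog/ns/prod/sa/backend-svc",
        rules=[AttestationRule({"project_id": "example-project", "resource_name": "backend-svc"})],
    )
    trusted = {"project_id": "example-project", "resource_name": "backend-svc"}
    other_project = {"project_id": "other-project", "resource_name": "backend-svc"}
    print("trusted workload:", may_issue_certificate(backend_policy, trusted))
    print("other project:", may_issue_certificate(backend_policy, other_project))
    print("identities:", identities_for_workload([backend_policy], trusted))
```

The attributes passed to the evaluator are the verifiable ones the platform attests (such as project ID or resource name), never values the workload supplies about itself, which is what makes the policy a meaningful boundary rather than a self-declaration.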