Identity reflection for federated workloads
You can use Certificate Authority Service with workload identity pools
and identity reflection to federate a third-party identity and obtain a certificate
that attests to this identity.
Identity reflection is a special certificate issuance mode that limits an
unprivileged certificate requester to requesting certificates whose subject
alternative name (SAN) corresponds to the identity in its own credential. For
example, a Cloud Service Mesh workload presenting a federated third-party
identity token can request a certificate with a SAN corresponding to its mesh
identity, but cannot request a certificate with any other SAN. The requester
therefore cannot obtain a certificate that names another workload, even though
it is allowed to request certificates.
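The rule above, modelled as a policy check in Python. This is an added illustration, not Certificate Authority Service code: the SPIFFE-style identity format, the FederatedIdentity and CertRequest types, and the trust-domain check are assumptions made for the example. The identity is taken as already-verified claims, because validating the token's signature, issuer, audience and expiry is a precondition of reflection rather than part of the rule itself. The check rejects any SAN of another type and any URI SAN other than the single reflected one, which is what keeps a requester from naming a workload other than itself.

```python
"""
Identity reflection modelled as a CA-side policy check (added example,
not Certificate Authority Service code).

Assumptions made for the illustration:
  * the federated credential carries a SPIFFE ID as its subject;
  * the token is trusted only for the trust domain its issuer is bound to;
  * the requester is unprivileged, so it may reflect its own identity and
    nothing else.
"""
from dataclasses import dataclass, field
from urllib.parse import urlparse


@dataclass(frozen=True)
class FederatedIdentity:
    """Claims already verified from the requester's federated credential."""
    subject: str        # SPIFFE ID carried in the token (assumed format)
    trust_domain: str   # trust domain the token's issuer is bound to


@dataclass
class CertRequest:
    """The SANs the requester asked for in its CSR, grouped by type."""
    uri_sans: list = field(default_factory=list)
    dns_sans: list = field(default_factory=list)
    email_sans: list = field(default_factory=list)
    ip_sans: list = field(default_factory=list)


class ReflectionError(Exception):
    """Raised when a request asks for anything beyond the caller's identity."""


def reflected_uri_san(ident: FederatedIdentity) -> str:
    """Return the one URI SAN this identity may reflect, after checking that
    the subject is a well-formed SPIFFE ID inside the issuer's trust domain."""
    parsed = urlparse(ident.subject)
    if parsed.scheme != "spiffe" or not parsed.netloc or not parsed.path:
        raise ReflectionError("subject is not a SPIFFE ID")
    if parsed.netloc != ident.trust_domain:
        raise ReflectionError("SPIFFE ID trust domain does not match the token issuer")
    return ident.subject


def check_reflection(ident: FederatedIdentity, req: CertRequest) -> str:
    """Enforce identity reflection for an unprivileged requester.

    Returns the single approved URI SAN, or raises ReflectionError. Any
    DNS, email or IP SAN is refused outright, because each would let the
    workload obtain a certificate naming something other than itself.
    """
    allowed = reflected_uri_san(ident)
    if req.dns_sans or req.email_sans or req.ip_sans:
        raise ReflectionError("only the reflected URI SAN is permitted; "
                              "DNS, email and IP SANs are rejected")
    # Exact, order-sensitive comparison: no extra, missing or duplicate SANs.
    if req.uri_sans != [allowed]:
        raise ReflectionError(
            f"requested URI SANs {req.uri_sans} are not exactly [{allowed}]")
    return allowed


def decide(ident: FederatedIdentity, req: CertRequest) -> tuple[bool, str]:
    """Convenience wrapper returning (approved, reason) instead of raising."""
    try:
        return True, check_reflection(ident, req)
    except ReflectionError as exc:
        return False, str(exc)


if __name__ == "__main__":
    # Constructed sample identity and requests for the illustration.
    frontend = FederatedIdentity(
        subject="spiffe://example.test/ns/default/sa/frontend",
        trust_domain="example.test")
    own = CertRequest(uri_sans=["spiffe://example.test/ns/default/sa/frontend"])
    other = CertRequest(uri_sans=["spiffe://example.test/ns/default/sa/backend"])
    both = CertRequest(uri_sans=[own.uri_sans[0], other.uri_sans[0]])
    dns = CertRequest(uri_sans=own.uri_sans, dns_sans=["backend.internal"])
    for label, r in [("own", own), ("other", other), ("both", both), ("dns", dns)]:
        print(label, decide(frontend, r))
```

Exact-match comparison is deliberate: accepting a superset of SANs, or normalising the identity before comparing, would reopen the gap the mode exists to close.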
What's next
Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2025-03-05 UTC.