Overview

Identity (also known as a workload identity) is one of the four Control Plane principal types (users, service accounts, groups, and identities). A workload needing to consume cloud resources from one or more cloud providers (e.g., AWS, Azure, and GCP) without storing credentials or needing to communicate to endpoints within a private network - must be assigned an identity. An identity is a named object that allows an authorized administrator to define:

Cloud Access (Universal Cloud Identity)

  • Least-privilege access rules allowed on cloud resources across cloud providers. There can only be one account each being referenced from a particular identity. In other words, you can have one account in Azure and one account in GCP, but not two different accounts in GCP in the same identity. You define access policy granted to the identity within the three clouds, of course, you can use one, two or three clouds, depending on what the workload needs access to.

Network Resources (Cloud Wormhole)

  • Network traversal rules from workloads into specific endpoints in private networks (e.g., a VPC). These rules connect an agent in a private network to the Control Plane fabric allowing workloads to selectively access TCP endpoints inside private networks where agents are installed and running.

Native Networking

  • Provides secure, private connectivity from a workload to cloud-hosted services across AWS and GCP without traversing the public internet. It leverages cloud provider-specific private networking services to route traffic over internal infrastructure. This enables low-latency, secure communication to private resources while maintaining strict network isolation and identity-based access control.
An identity is scoped to a GVC and can be assigned to multiple workloads within the same GVC that needs the same cloud resources and network access. A workload can be assigned exactly one identity. An identity is only required when a workload needs to consume cloud resources without embedding credentials and/or when a workload needs to consume resources in a private network such as a VPC. If neither is required, a workload can operate without assigning it an identity. Once configured, an identity assigned to a workload enables it to:
  • Access specific resources of AWS, Azure, and/or GCP
  • Tunnel workload network requests to specific TCP endpoints within VPCs or other private networks. (Tunneling network traffic from workloads to specific TCP hosts and ports is facilitated using agents. This capability is referred to as “wormholes”.)
Identities are powerful Control Plane resources that can be granted any permission to your cloud environment. The ability to create identities should only be given to administrators by using a policy.

Create an Identity

Refer to the Create an Identity guide for additional details.

Permissions

The permissions below are used to define policies together with one or more of the four principal types:
PermissionDescriptionImplies
createCreate new identities
deleteDelete existing identities
editModify existing identitiesview
manageFull accesscreate, delete, edit, manage, use, view
useRefer to this identity from other entities (workload, etc)view
viewRead-only access

Access Report

Displays the permissions granted to principals for the identity.

CLI

To view the CLI documentation for Identities, click here.