Identity (also known as a workload identity) is one of the four Control Plane principal types (users, service accounts, groups, and identities).
A workload that needs to consume cloud resources from one or more cloud providers (e.g., AWS, Azure, and GCP) without storing credentials, or that needs to communicate with endpoints inside a private network, must be assigned an identity.
An identity is a named object that allows an authorized administrator to define:
An identity is scoped to a GVC and can be assigned to multiple workloads within the same GVC needing the same cloud resources and network access.
A workload can be assigned at most one identity. An identity is only required when a workload needs to consume cloud resources without embedding credentials and/or when a workload needs to reach resources in a private network such as a VPC. If neither is required, the workload can run without an identity.
Once configured, an identity assigned to a workload enables it to:
Identities are powerful Control Plane resources: an identity can be granted any permission in your cloud environment, so whoever can create one can mint cloud access. The ability to create identities should therefore be granted only to administrators, using a policy.
Refer to the Create an Identity guide for additional details.
The permissions below are used to define policies together with one or more of the four principal types:
Permission | Description | Implies |
---|---|---|
create | Create new identities | |
delete | Delete existing identities | |
edit | Modify existing identities | view |
manage | Full access | create, delete, edit, manage, use, view |
use | Refer to this identity from other entities (workload, etc.) | view |
view | Read-only access | |
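The "Implies" column is transitive: a principal granted `edit` also holds `view`, and `manage` holds everything, so the effective permission set of a principal is the closure of its bindings under that column. The following is an added example, not Control Plane's own code or policy schema: it encodes the table above, resolves a principal's effective identity permissions from a list of constructed bindings (the `{"permissions": [...], "principals": [...]}` shape and the principal names are hypothetical), and audits those bindings for the least-privilege rule stated earlier, flagging any non-administrator that can create identities, whether directly via `create` or indirectly via `manage`.

```python
# Added example, not Control Plane code. Models the identity permission table
# and audits policy bindings against "only admins may create identities".
from __future__ import annotations

from typing import Iterable

# Direct implications from the permission table above (manage's self-entry
# in the table is trivially true and omitted here; expand() adds it anyway).
IMPLIES: dict[str, set[str]] = {
    "create": set(),
    "delete": set(),
    "edit": {"view"},
    "manage": {"create", "delete", "edit", "use", "view"},
    "use": {"view"},
    "view": set(),
}

# Permissions that allow a principal to mint new identities.
CREATE_CAPABLE = {"create", "manage"}


def expand(perms: Iterable[str]) -> set[str]:
    """Transitive closure of `perms` under the Implies column."""
    result: set[str] = set()
    stack = list(perms)
    while stack:
        perm = stack.pop()
        if perm not in IMPLIES:
            raise ValueError(f"unknown identity permission: {perm!r}")
        if perm in result:
            continue
        result.add(perm)
        stack.extend(IMPLIES[perm])
    return result


def effective_permissions(bindings: list[dict], principal: str) -> set[str]:
    """Union of expanded permissions every binding grants to `principal`.

    `bindings` uses a constructed shape for this example:
    {"permissions": [...], "principals": [...]}; it is not the real schema.
    """
    granted: set[str] = set()
    for binding in bindings:
        if principal in binding["principals"]:
            granted |= expand(binding["permissions"])
    return granted


def can(bindings: list[dict], principal: str, permission: str) -> bool:
    """True if `principal` holds `permission` directly or by implication."""
    return permission in effective_permissions(bindings, principal)


def audit_create_grants(bindings: list[dict], admins: Iterable[str]) -> list[str]:
    """Principals outside `admins` that can create identities (create or manage)."""
    admin_set = set(admins)
    offenders: set[str] = set()
    for binding in bindings:
        if CREATE_CAPABLE & expand(binding["permissions"]):
            offenders |= set(binding["principals"]) - admin_set
    return sorted(offenders)


# Constructed sample bindings; principal names are hypothetical.
SAMPLE_BINDINGS = [
    {"permissions": ["manage"], "principals": ["group/platform-admins"]},
    {"permissions": ["use"], "principals": ["serviceaccount/ci-deployer"]},
    {"permissions": ["edit", "create"], "principals": ["user/alice@example.com"]},
]
ADMINS = ["group/platform-admins"]

if __name__ == "__main__":
    for principal in ("group/platform-admins", "serviceaccount/ci-deployer",
                      "user/alice@example.com"):
        print(principal, sorted(effective_permissions(SAMPLE_BINDINGS, principal)))
    print("non-admins able to create identities:",
          audit_create_grants(SAMPLE_BINDINGS, ADMINS))
```

In the sample, the CI service account bound only to `use` ends up with `view` as well, which is what lets a workload reference the identity; the user granted `edit` and `create` is reported by the audit, because `create` on identities is an administrator-only capability regardless of how narrow the rest of the grant is.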
Displays the permissions granted to principals for the identity.
CLI documentation for Identities is also available.