Identity federation: products and limitations

• Performance and Backups summary cards
• Data in the clusters table, such as CPU percentage and Memory Available

• Features in Preview aren't supported for Workforce Identity Federation users. This includes the following features:

  • Looker Studio integration
  • Risk assessment
  • Shadow API discovery

• Local development with Apigee in Cloud Code isn't supported for Workforce Identity Federation users.

• API Management APIs don't support Workforce Identity Federation users.

• Apigee Connect APIs don't support Workforce Identity Federation users.

• OAuth client management isn't supported.
• OAuth brand management isn't supported.

• Container Registry doesn't support identity federation. There is an information banner in the settings page in Container Registry transition .

• The following features don't support Workforce Identity Federation with BigQuery:
  • Connected Sheets
  • Google Drive
  • Recommendations
  • Slot estimator
• The following operations don't support Workforce Identity Federation:
  • Loading data from Amazon S3 , Apache Spark , or Azure Blob Storage through the Connection API
  • Loading data from Google Drive

analyzeMove isn't supported by identity federation.

• Only invoiced billing accounts are supported.

• Only invoiced billing accounts support identity federation.

• Cloud Composer supports Workforce Identity Federation only for environments created in Composer version 2.1.11 or later and Airflow version 2.4.3 or later. Upgrading an environment from an earlier version does not enable Workforce Identity Federation support.
• Email messages sent from Airflow only include the Airflow UI link that is accessible by Google accounts. To access Airflow UI as a Workforce Identity Federation user, the link must be manually updated (changed to the URL for Workforce Identity Federation ).
• Cloud Storage limitations apply to Cloud Composer environment bucket.

• Language preference is selected at sign-on and can't be updated within the console.
• Product notifications, updates and offers can't be enabled on the communication preferences page.
• Personalization based on your Google Cloud console activity is unsupported.
• The Transparency and Control Center page is unavailable.

• Due to the limitations of Cloud Billing for Workforce Identity Federation , billing related support is accessible only to the organization's administrator through the Google Cloud account used to set up the billing account.
• Workforce Identity Federation users can upload—but not download—support case-related files. These files are visible to the Support Engineers who handle your cases.
• Contact details (e.g. Email Address) cannot be changed for Workforce Identity Federation users once interaction with Support has started.
• Workforce Identity Federation users cannot create cases using the live chat support channel.

• The IAM permission run.routes.invoke , which manages access to Cloud Run service endpoints, doesn't support Workforce Identity Federation. Enable Identity-Aware Proxy for Cloud Run to use it.
• Cloud Run doesn't support Workload Identity Federation. To allow access, use service account impersonation .

• The IAM permission run.routes.invoke , which manages access to Cloud Run service endpoints, doesn't support Workforce Identity Federation. Enable Identity-Aware Proxy for Cloud Run to use it.
• Cloud Run doesn't support Workload Identity Federation. To allow access, use service account impersonation .

• The App Engine Cron Jobs tab isn't available for Workforce Identity Federation users.
• The App Engine option in the target type configuration isn't available for Workforce Identity Federation users.

• The Help Assistant isn't supported.
• IAM database authentication for user logins isn't supported for Cloud SQL for MySQL or Cloud SQL for PostgreSQL databases.

• Viewing object details requires uniform bucket-level access to be enabled for the bucket.
• Process with Cloud Run functions isn't supported.
• Scan with Cloud Data Loss Prevention isn't supported.

• Identity federation with all Cloud Storage APIs is supported only for uniform bucket-level access buckets. Identity federation access to buckets with fine-grained access control lists (ACLs) is rejected.
• Although all users and workloads can use existing signed URLs , identity federation users and workloads cannot generate signed URLs.
• Identity federation users and workloads cannot use object change notification .

• App Engine queues: Since App Engine queues (queues that are created using a queue.yaml or queue.xml file) contain only tasks with App Engine targets, tasks in these queues aren't supported.
• Regular queues: For regular Cloud Tasks queues, tasks with HTTP targets are supported. Tasks with App Engine targets aren't supported (even though the queue isn't an App Engine queue).

• Image import from and export to a Cloud Storage bucket requires uniform bucket-level access to be enabled for the bucket.
• Bare Metal Solution isn't supported.

• In Add principals to the Google Cloud console & APIs , the Group ID text field doesn't support autocomplete or provide validation for Workforce Identity Federation users.
• For Workforce Identity Federation users, Google Groups are identified by their IDs rather than their names.

• Dataplex Explore workbench doesn't support Workforce Identity Federation.
• Scheduled scripts and notebooks through explore workbench don't support Workforce Identity Federation.
• Secure view doesn't support Workforce Identity Federation.

• Workforce Identity Federation users can perform create, view, update, and delete operations in Cluster, Jobs, and Batches list pages. Workflows, Autoscaling policies, and component exchange aren't available to Workforce Identity Federation.
• Cluster create functionality is available, except for Dataproc on GKE cluster creation, Dataproc Compute Engine cluster with personal authentication, or with Component Gateway enabled.
• The Output section in the Batch and Job detail page isn't available for Workforce Identity Federation users.
• The Recommend Alert section in the Cluster and Job list page isn't available for Workforce Identity Federation users.

• Dataproc on GKE
• Dataproc Personal Cluster Authentication
• Dataproc Service Account based Secure Multi-tenancy

• Security Rules don't support Workforce Identity Federation.
• Key Visualizer doesn't support Workforce Identity Federation.

• When you log into any external (GKE Enterprise) clusters, the option Use your Google identity isn't available for Workforce Identity Federation.
• When you create or attach any external (GKE Enterprise) clusters, you won't automatically be added as an administrator for Workforce Identity Federation.

• Cloud Marketplace contains links to Google domains that might not support Workforce Identity Federation.
• The Launch button is disabled for all VM products that use Deployment Manager because Deployment Manager doesn't support Workforce Identity Federation.
• SaaS sign-up and SSO login don't support Workforce Identity Federation.
• Producer Portal doesn't support Workforce Identity Federation.
• Request Procurement doesn't support Workforce Identity Federation.
• Service Catalog doesn't support Workforce Identity Federation.

• Exporting Total Cost of Ownership Reports (TCO Reports) isn't supported for Workforce Identity Federation users.
• Exporting assets isn't supported for Workforce Identity Federation users.

• The Name column within the IAM table doesn't show display names for Google identities.
• When adding new principals to allow policies, the Add principals text field supports only autocompletion for service accounts.
• The Add exempted principal text field in the Audit Logs page supports only autocompletion for service accounts.

• In the Applications tab, the Method column is disabled, and users cannot use external identities for authorization.
• In the Applications tab, App Engine resources cannot be listed.
• The Go to OAuth configuration item in the more_vert action menu isn't available.
• In the Applications tab, on-premises connectors cannot be added or listed.

• Continuous deployment with Cloud Build doesn't support Workforce Identity Federation.
• Registering a domain with Cloud Domains doesn't support Workforce Identity Federation.

• Memorystore for Redis
• Memorystore for Redis Cluster
• Memorystore for Memcached
• Memorystore for Valkey

The following Policy Intelligence features have limitations for Workforce Identity Federation users who use the Google Cloud Workforce Identity Federation console:

• Policy Troubleshooter : Workforce Identity Federation users can't troubleshoot access in the console (federated).
• Policy Analyzer : Workforce Identity Federation users can't analyze access in the console (federated).
• Policy Simulator : Workforce Identity Federation users can't simulate changes to an allow policy within the console (federated).
• IAM Recommender : Workforce Identity Federation users can't view recommendations in the console (federated).

The following Policy Intelligence features have API limitations for federated identities:

• Policy Troubleshooter : Federated identities can't check the membership of Google groups in allow and deny policies, or the membership of Cloud Identity accounts (domains) in deny policies. When federated identities call the iam.troubleshoot method, role bindings and deny rules that contain groups or domains have an access result of Unknown , unless the role binding or deny rule also explicitly includes the principal.

• When calling the analyzeIamPolicy or the analyzeIamPolicyLongrunning method, federated identities might receive incomplete analysis results because of the following:

  • Federated identities can't check the membership of Google groups in allow policies. As a result, when federated identities analyze access for a principal, the query results don't include permissions and roles that the principal has due to their membership in a group.
  • When analyzing access, federated identities can't enable the expand-groups option.

  Federated identities can't use the following API methods:

  • analyzeMove
• Policy Simulator : Federated identities can't use the Policy Simulator API ( policysimulator.googleapis.com ).
• Activity Analyzer : Federated identities can't use the Policy Analyzer API ( policyanalyzer.googleapis.com ).
• IAM Recommender : Federated identities can't use the Recommender API ( recommender.googleapis.com ).

• Multi-factor authentication through email cannot be configured by Workforce Identity Federation users. For assistance, contact sales .
• The demonstration website in Cloud Shell isn't supported for Workforce Identity Federation users.

• Workforce Identity Federation users can only view and operate on the organization for which Workforce Identity Federation was configured. Other organizations to which the users are added are not displayed in the Google Cloud console.
• Wait times for certain operations to be reflected in the UI are long—for example, creating a project or folder.

• User events information is hidden for Workforce Identity Federation users.
• Merchant Center accounts are not supported for workforce federation users.
• Serving configs analytics and usage count are hidden for Workforce Identity Federation users.
• Model data requirements are hidden for Workforce Identity Federation users.

• UpdateCatalog
• ImportCompletionData
• TuneModel
• ImportProducts
• PurgeProducts
• ImportUserEvents
• ImportUserEvents
• PurgeUserEvents
• RejoinUserEvents

• Identity federation users must sign in through the Secure Source Manager instance web interface before running any of the following commands:
  • Git CLI commands
  • API calls to data plane endpoints
• Identity federation users must sign in through the Secure Source Manager instance web interface after every session expiry to continue using Git SSH CLI commands with user SSH keys.

• A new Secure Source Manager instance must be created to use Workforce Identity Federation. Existing instances can't be updated.
• Workforce identity pool providers used for Secure Source Manager must provide google.subject and google.email attribute mappings.
• You can only use your federated identity to log in to a Secure Source Manager instance that is configured to use Workforce Identity Federation.
• Email notifications from Secure Source Manager are not supported for Workforce Identity Federation configured instances.

• Exporting findings to a CSV file
• Exporting findings to Cloud Storage
• Send feedback button
• Google SecOps export settings cannot be managed in the federated environment, so, in the Continuous Exports page, the Google SecOps banner is unavailable.
• Warning dialog communicating that the enablement state is inherited by default in the Service Enablement page
• The Security posture service cannot be managed using Google Cloud console.

1. Add a service account to domain owners using Site Verification API .
2. Impersonate this service account to create a managed service.

• Vertex AI agents creation and preview aren't supported.
• Google Drive data store creation isn't supported.

• Vertex AI Workbench managed notebooks ( Deprecated ) doesn't support Workforce Identity Federation.
• Vertex AI Workbench user-managed notebooks ( Deprecated ) doesn't support Workforce Identity Federation.

• Access policies
• Ingress and egress rules in service perimeters

• v1alpha APIs aren't available to federated identities.
• VPC Service Controls supports only specific Workforce Identity Federation and Workload Identity Federation principal identifiers . You can use these principal identifiers to configure identity groups and third-party identities in ingress and egress rules .