IAM principals

In Identity and Access Management (IAM) you control access for principals. A principal represents one or more identities that have authenticated to Trusted Cloud.

Use principals in your policies

To use principals in your policies, do the following:

  1. Configure identities that Trusted Cloud can recognize. You can configure identities for users and for workloads.

    To learn how to configure identities, see the following:

  2. Determine the principal identifier that you will use. The principal identifier is how you refer to a principal in your policies. This identifier can refer to a single identity or to a group of identities.

    The format that you use for the principal identifier depends on the following:

    • The type of principal
    • The type of the policy that you want to include the principal in

    To see the principal identifier format for each type of principal in each type of policy, see Principal identifiers.

    After you know the format of the identifier, you can determine the principal's unique identifier based on the attributes of the principal, such as the principal's email address.

  3. Include the principal's identifier in your policy. Add your principal to your policy, following the format of the policy.

    To learn about the different types of policies in IAM, see Policy types.
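The three steps above, carried through as an added example (this code is not part of the Trusted Cloud documentation): build the principal identifier from a principal's attributes and add it to an allow policy in the standard `bindings` shape. The identifier prefixes used here (`serviceAccount:`, `principal://`, `principalSet://`) and the `iam.googleapis.com` host are assumed from Google Cloud's published formats; confirm them against the Principal identifiers reference for Trusted Cloud before relying on them. The email addresses and pool IDs are constructed sample values.

```python
# Added example: derive principal identifiers and add them to an allow policy.
# The identifier formats below are ASSUMED (Google Cloud's published formats);
# check them against the Trusted Cloud "Principal identifiers" reference.
import copy
import re

IAM_DOMAIN = "iam.googleapis.com"  # assumption; the Trusted Cloud host may differ


def service_account_identifier(email: str) -> str:
    """Identifier for a service account, derived from its email address."""
    if not re.fullmatch(r"[^@\s]+@[^@\s]+\.[^@\s]+", email):
        raise ValueError(f"not an email address: {email!r}")
    return f"serviceAccount:{email}"


def workforce_identifier(pool_id: str, subject=None, group=None) -> str:
    """A single user (principal://) or a group (principalSet://) in a workforce pool."""
    base = f"{IAM_DOMAIN}/locations/global/workforcePools/{pool_id}"
    if subject is not None:
        return f"principal://{base}/subject/{subject}"
    if group is not None:
        return f"principalSet://{base}/group/{group}"
    raise ValueError("specify either subject or group")


def workload_identifier(project_number: str, pool_id: str, subject=None, group=None) -> str:
    """A single workload or a group of workloads in a workload identity pool."""
    base = (f"{IAM_DOMAIN}/projects/{project_number}/locations/global/"
            f"workloadIdentityPools/{pool_id}")
    if subject is not None:
        return f"principal://{base}/subject/{subject}"
    if group is not None:
        return f"principalSet://{base}/group/{group}"
    raise ValueError("specify either subject or group")


def is_well_formed_member(member: str) -> bool:
    """Cheap syntax check: special identifier, prefix:value, or a pool URI."""
    if member in ("allUsers", "allAuthenticatedUsers"):
        return True
    if member.startswith(("principal://", "principalSet://")):
        return True
    return ":" in member and not member.endswith(":")


def add_binding(policy: dict, role: str, member: str) -> dict:
    """Return a copy of an allow policy with `member` granted `role`.

    Only unconditional bindings are reused; a binding carrying a `condition`
    is left untouched so the new grant does not inherit its condition.
    Duplicate members are not added twice.
    """
    if not is_well_formed_member(member):
        raise ValueError(f"malformed principal identifier: {member!r}")
    updated = copy.deepcopy(policy)
    bindings = updated.setdefault("bindings", [])
    for binding in bindings:
        if binding.get("role") == role and "condition" not in binding:
            if member not in binding["members"]:
                binding["members"].append(member)
            return updated
    bindings.append({"role": role, "members": [member]})
    return updated


if __name__ == "__main__":
    # Constructed sample policy and principals.
    policy = {"version": 1, "etag": "BwXsample", "bindings": []}
    sa = service_account_identifier("app@example-project.iam.gserviceaccount.com")
    policy = add_binding(policy, "roles/viewer", sa)
    policy = add_binding(policy, "roles/viewer",
                         workforce_identifier("corp-pool", group="sre"))
    policy = add_binding(policy, "roles/logging.logWriter",
                         workload_identifier("123456789012", "ci-pool",
                                             subject="repo:example/app"))
    for binding in policy["bindings"]:
        print(binding["role"], binding["members"])
```

The returned dictionary has the same shape that `gcloud ... get-iam-policy --format=json` produces, so the result of `add_binding` can be written back with the matching `set-iam-policy` command once the identifier formats have been confirmed for Trusted Cloud.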

Support for principal types

Each IAM policy type supports a subset of the principal types that IAM supports. To see the principal types that are supported for each policy type, see Principal identifiers.

Principal types

IAM supports the following types of principals:

  • Service accounts
  • allAuthenticatedUsers
  • allUsers
  • Federated identities in a workforce identity pool
  • Federated identities in a workload identity pool
  • GKE Pods

The following sections describe these principal types in more detail.

Service accounts

A service account is an account for an application or compute workload instead of an individual end user. When you run code that's hosted on Trusted Cloud, you specify a service account to use as the identity for your application. You can create as many service accounts as needed to represent the different logical components of your application.

For more information about service accounts, see Service accounts overview.

allAuthenticatedUsers

The value allAuthenticatedUsers is a special identifier that represents all service accounts.

This principal type doesn't include federated identities, which are managed by external identity providers (IdPs). To include federated identities, use one of the following choices:

Some resource types don't support this principal type.

allUsers

The value allUsers is a special identifier that represents anyone who is on the internet, including authenticated and unauthenticated users.

Some resource types don't support this principal type.
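Because allUsers opens a resource to anyone on the internet and allAuthenticatedUsers to any authenticated principal rather than only your own identities, a policy review should flag both. The following added example (not code from the Trusted Cloud documentation) scans an allow policy for these two special identifiers and produces a hardened copy with them removed; the policy it runs over is constructed sample data in the standard `bindings` shape.

```python
# Added example: find and remove the public principal types in an allow policy.
# SAMPLE_POLICY is constructed sample data, not a real policy.
import copy

PUBLIC_PRINCIPALS = {
    "allUsers": "anyone on the internet, authenticated or not",
    "allAuthenticatedUsers": "any authenticated principal, not limited to your identities",
}

SAMPLE_POLICY = {
    "version": 3,
    "etag": "BwXsample",
    "bindings": [
        {"role": "roles/storage.objectViewer", "members": ["allUsers"]},
        {"role": "roles/viewer",
         "members": ["serviceAccount:app@example-project.iam.gserviceaccount.com",
                     "allAuthenticatedUsers"]},
        {"role": "roles/storage.admin",
         "members": ["serviceAccount:ci@example-project.iam.gserviceaccount.com"]},
    ],
}


def find_public_bindings(policy: dict) -> list:
    """Return (role, member, reason) for every grant to a public principal."""
    findings = []
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            if member in PUBLIC_PRINCIPALS:
                findings.append((binding["role"], member, PUBLIC_PRINCIPALS[member]))
    return findings


def remove_public_principals(policy: dict) -> dict:
    """Return a copy of the policy without allUsers / allAuthenticatedUsers.

    Bindings that would be left with no members are dropped, since an empty
    members list is not a valid binding.
    """
    hardened = copy.deepcopy(policy)
    kept = []
    for binding in hardened.get("bindings", []):
        binding["members"] = [m for m in binding.get("members", [])
                              if m not in PUBLIC_PRINCIPALS]
        if binding["members"]:
            kept.append(binding)
    hardened["bindings"] = kept
    return hardened


if __name__ == "__main__":
    for role, member, reason in find_public_bindings(SAMPLE_POLICY):
        print(f"FLAG {role}: {member} ({reason})")
    print(remove_public_principals(SAMPLE_POLICY)["bindings"])
```

To run this over a real policy, load the JSON that `gcloud projects get-iam-policy PROJECT_ID --format=json` prints (or the equivalent for another resource type) in place of `SAMPLE_POLICY`. Review the findings before writing the hardened copy back: some resources are intended to be public, and the `etag` in the policy protects against overwriting a policy that changed while you were reviewing it.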

Federated identities in a workforce identity pool

A federated identity in a workforce identity pool is a user identity that is managed by an external IdP and federated by using Workforce Identity Federation. You can use a specific identity in a workforce identity pool, or you can use certain attributes to specify a group of user identities in a workforce identity pool.

Federated identities in a workload identity pool

A federated identity in a workload identity pool is a workload identity that is managed by an external IdP and federated by using Workload Identity Federation. You can use a specific workload identity in a workload identity pool, or you can use certain attributes to specify a group of workload identities in a workload identity pool.

GKE Pods

Workloads running on GKE use Workload Identity Federation for GKE to access Trusted Cloud services. For more information about principal identifiers for GKE Pods, see Reference Kubernetes resources in IAM policies.

What's next