Security best practices
Workflows provides several security features that you can use. This page describes some security best practices to keep in mind when using Workflows to avoid unintentionally exposing your resources to vulnerabilities.
- Follow general networking and security best practices.
- Create a new service account and grant it only the Identity and Access Management (IAM) roles that contain the minimum permissions required by your workflow. You should not use the default service account, since it is automatically granted the highly privileged Editor basic role, which includes a large number of permissions.
- Create your workflow using Terraform so that you can store your environment's configuration as code in a repository.
- Use customer-managed encryption keys so that your workflow and associated data at rest are protected using an encryption key that only you can access.
- Set up a service perimeter with VPC Service Controls to mitigate data exfiltration risks.
- Use Secret Manager to secure and store sensitive data such as API keys, passwords, and certificates. You can use a Workflows connector to access Secret Manager within a workflow and simplify the integration for you.
- Use Cloud Tasks to manage delivery rates and use Cloud Scheduler to execute workflows on a recurring schedule. By automating and parameterizing the deployment and execution of your workflows, you ensure that you can repeatedly and consistently run your services, and also eliminate inconsistencies between environments such as testing, staging, and production. Note that Workflows doesn't ensure exactly-once processing of duplicate requests from Cloud Tasks.
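
The following Terraform configuration is an added example, not part of the original page. It combines three of the practices above: a dedicated service account, IAM grants scoped to what the workflow needs, and a workflow that reads a secret through the Secret Manager connector. The project ID, resource names, region, and the pre-existing secret `api-key` are assumptions.

```hcl
# Assumed placeholder project; replace with your own.
variable "project_id" {
  type    = string
  default = "example-project"
}

# Dedicated identity for the workflow, used instead of the default
# service account and its Editor role.
resource "google_service_account" "workflow" {
  project      = var.project_id
  account_id   = "orders-workflow-sa" # hypothetical name
  display_name = "Least-privilege identity for the orders workflow"
}

# Grant read access to the single secret the workflow uses,
# rather than a project-wide Secret Manager role.
resource "google_secret_manager_secret_iam_member" "read_api_key" {
  project   = var.project_id
  secret_id = "api-key" # assumed to exist already
  role      = "roles/secretmanager.secretAccessor"
  member    = "serviceAccount:${google_service_account.workflow.email}"
}

# Allow the workflow to write its own execution logs.
resource "google_project_iam_member" "log_writer" {
  project = var.project_id
  role    = "roles/logging.logWriter"
  member  = "serviceAccount:${google_service_account.workflow.email}"
}

resource "google_workflows_workflow" "orders" {
  project         = var.project_id
  name            = "orders-workflow" # hypothetical name
  region          = "us-central1"     # assumed region
  service_account = google_service_account.workflow.id

  # The secret is fetched at run time; it is never stored in the definition
  # and is not returned as the workflow result.
  source_contents = <<-EOT
    main:
      steps:
        - read_api_key:
            call: googleapis.secretmanager.v1.projects.secrets.versions.accessString
            args:
              secret_id: api-key
              project_id: ${var.project_id}
            result: api_key
        - done:
            return: "secret loaded"
  EOT
}
```

If the workflow calls other services, add one narrowly scoped binding per service in the same way instead of widening an existing role.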
Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2026-06-15 UTC.