# Security best practices

Workflows provides several
[security features](/workflows/docs/security-overview) that you can use. This
page describes some security best practices to keep in mind when using
Workflows to avoid unintentionally exposing your resources to
vulnerabilities.

- [Follow general networking and security best practices](/architecture/framework/security).

- [Create a new service account](/workflows/docs/authentication) and grant it
  only the Identity and Access Management (IAM) roles that contain the minimum permissions
  required by your workflow. Do not use the default service account, since
  it is automatically granted the highly privileged Editor basic role, which
  includes a large number of permissions.

- [Create your workflow using Terraform](/workflows/docs/create-workflow-terraform)
  so that you can store your environment's configuration as code in a repository.

- [Use customer-managed encryption keys](/workflows/docs/use-cmek) so that your
  workflow and associated data at rest are protected using an encryption key that
  only you can access.

- [Set up a service perimeter with VPC Service Controls](/workflows/docs/use-vpc-service-controls)
  to mitigate data exfiltration risks.

- [Use Secret Manager to secure and store sensitive data](/workflows/docs/use-secret-manager)
  such as API keys, passwords, and certificates. You can use a
  Workflows connector to access Secret Manager from within a workflow, which
  simplifies the integration.

- [Use Cloud Tasks to manage delivery rates](/workflows/docs/create-http-task)
  and [use Cloud Scheduler to execute workflows on a recurring schedule](/workflows/docs/schedule-workflow).
  By automating and parameterizing the deployment and execution of your workflows,
  you ensure that you can repeatedly and consistently run your services, and
  also eliminate inconsistencies between environments such as testing, staging,
  and production. Note that Workflows doesn't ensure exactly-once
  processing of duplicate requests from Cloud Tasks, so a workflow triggered this
  way must tolerate receiving the same request more than once.
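As an added example (not from the Workflows documentation or a Google project), the following Terraform configuration combines three of the practices above: a dedicated service account instead of the default one, IAM grants limited to a single secret and to log writing, and a workflow that reads the secret through the Secret Manager connector at run time rather than embedding it in the source. The project ID, region, secret name, and resource names are assumed placeholders.

```hcl
# Added example, not the Workflows documentation's own code.
# Assumed placeholders: project "my-project", region "us-central1",
# an existing secret named "api-key".
variable "project_id" { default = "my-project" }  # placeholder
variable "region"     { default = "us-central1" }

# Dedicated runtime identity instead of the Editor-granted default account.
resource "google_service_account" "workflow_sa" {
  project      = var.project_id
  account_id   = "order-workflow-sa"
  display_name = "Runtime identity for the order workflow"
}

# Grant only what the workflow needs. The Secret Manager grant is scoped to
# one secret, not the whole project, and there is no project-wide Editor.
resource "google_secret_manager_secret_iam_member" "api_key_reader" {
  project   = var.project_id
  secret_id = "api-key"  # assumed existing secret
  role      = "roles/secretmanager.secretAccessor"
  member    = "serviceAccount:${google_service_account.workflow_sa.email}"
}

# Needed so that sys.log calls from the workflow can reach Cloud Logging.
resource "google_project_iam_member" "log_writer" {
  project = var.project_id
  role    = "roles/logging.logWriter"
  member  = "serviceAccount:${google_service_account.workflow_sa.email}"
}

# The workflow runs as the dedicated account and fetches the secret through
# the Secret Manager connector, so the value never appears in source control.
# The secret is deliberately not returned or logged by the workflow.
resource "google_workflows_workflow" "order" {
  project         = var.project_id
  name            = "order-workflow"
  region          = var.region
  service_account = google_service_account.workflow_sa.id
  source_contents = <<-EOT
    main:
      steps:
        - read_api_key:
            call: googleapis.secretmanager.v1.projects.secrets.versions.accessString
            args:
              secret_id: "api-key"
              version: "latest"
              project_id: "${var.project_id}"
            result: api_key
        - done:
            return: "secret loaded"
  EOT
}
```

Keeping the IAM bindings next to the workflow resource makes the identity's full permission set reviewable in one place, and any widening of it shows up as a diff in the repository.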
What's next
-----------

- [Google Cloud security best practices center](/security/best-practices)