Workload Identity
Definition
Workload Identity is a security mechanism that allows applications running on cloud platforms to authenticate and authorize themselves to access resources without embedding sensitive credentials within the application code. It leverages the cloud provider’s identity and access management (IAM) services to assign and manage permissions dynamically, ensuring that workloads can securely interact with other services by using short-lived, automatically rotated credentials.
Secure Settings Example
# Kubernetes Service Account with Workload Identity on GKE
apiVersion: v1
kind: ServiceAccount
metadata:
  name: my-workload-identity-sa
  annotations:
    iam.gke.io/gcp-service-account: my-gcp-service-account@my-project.iam.gserviceaccount.com
Insecure Settings Example
# Kubernetes Pod with hardcoded credentials
apiVersion: v1
kind: Pod
metadata:
  name: insecure-pod
spec:
  containers:
    - name: my-container
      image: my-image
      env:
        - name: AWS_ACCESS_KEY_ID
          value: "AKIAIOSFODNN7EXAMPLE"
        - name: AWS_SECRET_ACCESS_KEY
          value: "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
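The difference between the two manifests above is mechanical enough to check automatically before a manifest reaches a cluster. The following is an added example, not part of the original page or of any vendor tooling: a small line-based linter that flags long-lived cloud credentials written as literal env values and reports ServiceAccounts that lack the GKE Workload Identity annotation. It deliberately avoids a YAML library so it runs with only the Python standard library; the sample manifests embedded in it are constructed for the example, and the env-variable name list and the AWS key-ID shape (AKIA/ASIA plus 16 uppercase alphanumerics) are assumptions a team would tune to its own providers.

```python
"""Lightweight lint for Kubernetes manifests.

Flags:
  * literal `value:` for env vars that carry long-lived cloud credentials
  * strings shaped like AWS access key IDs anywhere in a document
  * ServiceAccount objects without the GKE Workload Identity annotation
Line-based on purpose so it needs no third-party YAML parser.
"""
import re

# Env var names that should never carry a literal value in a manifest (assumed list).
SENSITIVE_ENV = {
    "AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY", "AWS_SESSION_TOKEN",
    "GOOGLE_APPLICATION_CREDENTIALS", "AZURE_CLIENT_SECRET",
}
# AWS access key IDs have a fixed shape: AKIA (long-lived) or ASIA (temporary) + 16 chars.
AWS_KEY_ID = re.compile(r"\b(AKIA|ASIA)[0-9A-Z]{16}\b")
WORKLOAD_IDENTITY_ANNOTATION = "iam.gke.io/gcp-service-account"
GSA_EMAIL = re.compile(r"@[a-z0-9-]+\.iam\.gserviceaccount\.com\s*$")


def split_documents(text):
    """Split a multi-document YAML stream on '---' separators."""
    return [d for d in re.split(r"^---\s*$", text, flags=re.M) if d.strip()]


def kind_of(doc):
    m = re.search(r"^\s*kind:\s*(\S+)", doc, re.M)
    return m.group(1) if m else None


def lint_manifest(text):
    """Return a list of (kind, message) findings for every document in `text`."""
    findings = []
    for doc in split_documents(text):
        kind = kind_of(doc)
        lines = doc.splitlines()
        if kind == "ServiceAccount":
            ann = [l for l in lines if WORKLOAD_IDENTITY_ANNOTATION in l]
            if not ann:
                findings.append((kind, "missing workload identity annotation"))
            elif not GSA_EMAIL.search(ann[0].split(":", 1)[1]):
                findings.append((kind, "annotation value is not a GSA email"))
        for i, line in enumerate(lines):
            m = re.match(r"\s*-\s*name:\s*(\S+)", line)
            if m and m.group(1) in SENSITIVE_ENV:
                # A literal `value:` on the next line is a hardcoded secret;
                # `valueFrom:` at least injects it from a Secret instead.
                nxt = lines[i + 1].strip() if i + 1 < len(lines) else ""
                if nxt.startswith("value:"):
                    findings.append((kind, f"literal value for {m.group(1)}"))
            if AWS_KEY_ID.search(line):
                findings.append((kind, "AWS access key ID pattern in manifest"))
    return findings


# --- constructed sample manifests (mirroring the two examples on this page) ---
SECURE_SA = """\
apiVersion: v1
kind: ServiceAccount
metadata:
  name: my-workload-identity-sa
  annotations:
    iam.gke.io/gcp-service-account: my-gcp-service-account@my-project.iam.gserviceaccount.com
"""

INSECURE_POD = """\
apiVersion: v1
kind: Pod
metadata:
  name: insecure-pod
spec:
  containers:
    - name: my-container
      image: my-image
      env:
        - name: AWS_ACCESS_KEY_ID
          value: "AKIAIOSFODNN7EXAMPLE"
        - name: AWS_SECRET_ACCESS_KEY
          value: "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
"""

SA_WITHOUT_ANNOTATION = """\
apiVersion: v1
kind: ServiceAccount
metadata:
  name: plain-sa
"""

if __name__ == "__main__":
    for name, manifest in [("secure", SECURE_SA), ("insecure", INSECURE_POD),
                           ("unbound-sa", SA_WITHOUT_ANNOTATION)]:
        print(name, lint_manifest(manifest))
```

Run as a pre-commit hook or CI step over every manifest in a repository; the secure ServiceAccount produces no findings, while the hardcoded-credential Pod is reported three times (two literal values and one key-ID pattern match). Treat the env-name list and the secret-shaped regexes as a starting point, not a complete catalogue.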