Workload Identity Federation
Definition
Workload Identity Federation lets a workload that runs outside a cloud provider's own trust domain (on another cloud, on-premises, or in a CI system) call that provider's APIs without holding a long-lived credential such as a service account key. The provider is configured to trust an external identity provider (for example an OIDC or SAML issuer); the workload presents the token that issuer gave it, and a token exchange returns short-lived credentials scoped to a role or service account. Because no static secret is stored with the workload, the credential-leakage risk is reduced and key rotation disappears, but the trust boundary is now defined entirely by the federation settings: the accepted issuer, the expected audience, the attribute mapping and condition that select which external identities are accepted, and the IAM bindings granted to them. A provider that accepts every identity its issuer can assert is as exposed as a leaked key. The examples below use Google Cloud's implementation, written as Config Connector resources.
Secure Settings Example
# Example configuration for Google Cloud Workload Identity Federation (Config Connector resources).
# PROJECT_ID is a placeholder for the project that owns the pool.
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMWorkloadIdentityPool
metadata:
  name: my-workload-identity-pool
spec:
  displayName: "My Workload Identity Pool"
  location: "global"
  projectRef:
    external: "projects/PROJECT_ID"
---
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMWorkloadIdentityPoolProvider
metadata:
  name: my-oidc-provider
spec:
  location: "global"
  projectRef:
    external: "projects/PROJECT_ID"
  workloadIdentityPoolRef:
    name: my-workload-identity-pool
  # google.subject is mandatory; it becomes the identity of the federated principal.
  attributeMapping:
    google.subject: "assertion.sub"
  # Only tokens whose subject belongs to this workload may be exchanged. The prefix
  # is a placeholder; adjust it to the subject format your issuer uses.
  attributeCondition: "assertion.sub.startsWith('tenant-a:')"
  oidc:
    issuerUri: "https://accounts.example.com"
    # Compared exactly against the token's aud claim; pin it to a value only
    # this workload requests.
    allowedAudiences:
      - "my-audience"
Insecure Settings Example
# Example of an insecure configuration: the provider has no attributeCondition, so
# every subject the issuer is willing to assert can be exchanged for a Google
# credential, and an IAM binding to the whole pool (principalSet://.../*) would
# hand that access to all of them. Note that a literal "*" in allowedAudiences
# is not a wildcard (audiences are compared exactly), so it does not widen
# acceptance; the over-permission here comes from the missing condition.
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMWorkloadIdentityPoolProvider
metadata:
  name: insecure-oidc-provider
spec:
  location: "global"
  projectRef:
    external: "projects/PROJECT_ID"
  workloadIdentityPoolRef:
    name: insecure-workload-identity-pool
  attributeMapping:
    google.subject: "assertion.sub"
  # No attributeCondition: any identity from this issuer is accepted.
  oidc:
    issuerUri: "https://accounts.example.com"
    allowedAudiences:
      - "my-audience"
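The behaviour behind both configurations, as an added example that is not part of the original page and not Google's code: a miniature model of the token exchange a federation endpoint performs when a workload presents an external token. It reuses the issuer, audience, pool and provider names from the YAML above, but HMAC-SHA256 with a shared secret stands in for the IdP's RS256 signing key, a Python predicate stands in for the CEL attributeCondition, and PROJECT_NUMBER, the tenant-a/tenant-b subjects and all tokens are constructed placeholders. Audience checking is modelled as exact string membership, which is how allowedAudiences is evaluated.

```python
# Added example, not code from the original page or from Google: a miniature model of
# the STS token exchange behind workload identity federation. HMAC-SHA256 with a shared
# secret stands in for the IdP's RS256 key and a Python predicate for the CEL
# attributeCondition; PROJECT_NUMBER, subjects and tokens are constructed placeholders.
import base64
import hashlib
import hmac
import json
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

PROJECT_NUMBER = "123456789012"                  # placeholder project number
IDP_SECRET = b"constructed-idp-signing-secret"   # stands in for the IdP's private key

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_idp_token(claims: dict, secret: bytes = IDP_SECRET) -> str:
    """Simulate the external IdP issuing a signed ID token (JWT)."""
    head = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64url(sig)}"

@dataclass
class OidcProvider:
    """The parts of IAMWorkloadIdentityPoolProvider.spec that this model enforces."""
    pool: str
    name: str
    issuer_uri: str
    allowed_audiences: List[str] = field(default_factory=list)
    attribute_mapping: Dict[str, str] = field(default_factory=dict)
    attribute_condition: Optional[Callable[[dict], bool]] = None

    def default_audience(self) -> str:
        """Audience accepted when allowedAudiences is empty: the provider's own name."""
        return (f"https://iam.googleapis.com/projects/{PROJECT_NUMBER}/locations/global/"
                f"workloadIdentityPools/{self.pool}/providers/{self.name}")

def exchange_token(provider: OidcProvider, token: str, now: float) -> dict:
    """Validate an external token against the provider; PermissionError mirrors an STS refusal."""
    head, body, sig = token.split(".")
    if json.loads(_b64url_decode(head)).get("alg") != "HS256":  # never honour alg=none
        raise PermissionError("unexpected alg")
    expected = hmac.new(IDP_SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise PermissionError("bad signature")
    claims = json.loads(_b64url_decode(body))
    if claims.get("exp", 0) <= now:
        raise PermissionError("token expired")
    if claims.get("iss") != provider.issuer_uri:
        raise PermissionError("issuer mismatch")
    # Audiences are matched as literal strings, so "*" is just another string.
    allowed = provider.allowed_audiences or [provider.default_audience()]
    aud = claims.get("aud", [])
    if not any(a in allowed for a in (aud if isinstance(aud, list) else [aud])):
        raise PermissionError("audience not allowed")
    if provider.attribute_condition and not provider.attribute_condition(claims):
        raise PermissionError("attribute condition not satisfied")
    # Resolve "assertion.<claim>" mappings; google.subject is mandatory.
    attrs = {}
    for target, expr in provider.attribute_mapping.items():
        if not expr.startswith("assertion.") or expr[10:] not in claims:
            raise PermissionError(f"cannot map {target} from {expr}")
        attrs[target] = claims[expr[10:]]
    if "google.subject" not in attrs:
        raise PermissionError("google.subject mapping is required")
    principal = (f"principal://iam.googleapis.com/projects/{PROJECT_NUMBER}/locations/global/"
                 f"workloadIdentityPools/{provider.pool}/subject/{attrs['google.subject']}")
    return {"principal": principal, "attributes": attrs, "expires_in": 3600}

ISSUER = "https://accounts.example.com"
MAPPING = {"google.subject": "assertion.sub"}
secure_provider = OidcProvider("my-workload-identity-pool", "my-oidc-provider", ISSUER,
                               ["my-audience"], MAPPING, lambda c: c["sub"].startswith("tenant-a:"))
insecure_provider = OidcProvider("insecure-workload-identity-pool", "insecure-oidc-provider",
                                 ISSUER, ["my-audience"], MAPPING)  # no attributeCondition

# Constructed claims: the workload we meant to trust, and another tenant of the same IdP.
NOW = 1_700_000_000.0
OWN_WORKLOAD = {"iss": ISSUER, "sub": "tenant-a:deployer", "aud": "my-audience", "exp": NOW + 600}
OTHER_TENANT = {"iss": ISSUER, "sub": "tenant-b:build", "aud": "my-audience", "exp": NOW + 600}

def try_exchange(provider: OidcProvider, claims: dict, now: float = NOW) -> str:
    """Return the federated principal, or the reason the exchange was refused."""
    try:
        return exchange_token(provider, mint_idp_token(claims), now)["principal"]
    except PermissionError as err:
        return f"rejected: {err}"

if __name__ == "__main__":
    for label, prov in (("secure", secure_provider), ("insecure", insecure_provider)):
        for who, claims in (("own workload", OWN_WORKLOAD), ("other tenant", OTHER_TENANT)):
            print(f"{label:8} {who:12} -> {try_exchange(prov, claims)}")
```

Running the script prints four lines: the provider with an attribute condition accepts tenant-a:deployer and refuses tenant-b:build, while the provider without one accepts both, which is exactly the over-permission the insecure example illustrates. The same function also shows that a token carrying aud "*" is refused, and that a provider listing "*" as its only audience refuses a real one, because audiences never wildcard.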