Skip to content
CI/CD Best Practices

Workload Identity

Workload Identity is the process of authenticating your CI workload to your cloud environment. This could be to access a storage bucket, deploy to a kubernetes cluster, read from a database or perform any number of actions in your cloud provider.

How to for Cloud providers

If you’re curious how Workload Identity gets the authentication info for your build, here’s a TLDR;

  1. Your build agent requests a JSON Web Token (an identity) from the OpenID Provider (your CI/CD provider).
  2. That identity is then given to the cloud provider.
  3. The cloud provider verifies the identity came from where it said it did.
  4. The cloud provider returns an authentication token for accessing its services.

Google Cloud Platform (GCP)

Amazon Web Services (AWS)

Microsoft Azure

How to for CI providers

CircleCI

Github Actions