Workload Identity

Workload Identity is the process of authenticating your CI workload to your cloud environment. This could be to access a storage bucket, deploy to a kubernetes cluster, read from a database or perform any number of actions in your cloud provider.

How to for Cloud providers

If you’re curious how Workload Identity gets the authentication info for your build, here’s a TLDR;

Your build agent requests a JSON Web Token (an identity) from the OpenID Provider (your CI/CD provider).
That identity is then given to the cloud provider.
The cloud provider verifies the identity came from where it said it did.
The cloud provider returns an authentication token for accessing its services.

Google Cloud Platform (GCP)

Offical documentation

Amazon Web Services (AWS)

Offical documentation

Creating an OIDC provider

Microsoft Azure

Offical documentation

Workload identity federation

How to for CI providers

CircleCI

Offical documentation

Authenticate jobs with cloud providers

Github Actions

Offical documentation

About security hardening with OpenID Connect

Continuous Integration

Continuous Delivery

Providers

Languages

Workload Identity

How to for Cloud providers

Google Cloud Platform (GCP)

Amazon Web Services (AWS)

Microsoft Azure

How to for CI providers

CircleCI

Github Actions