Overview

Workload Identity (e.g., GKE Workload Identity on Google Cloud, IAM Roles for Service Accounts (IRSA) on AWS EKS) provides a secure way for applications running in containers to access cloud resources without embedding credentials in the image or the environment. It binds a Kubernetes Service Account (identified by namespace and name) to a cloud identity: a Google service account on GCP, an IAM role on AWS.

How it Works

Kubernetes issues the pod a short-lived, audience-bound service account token (an OIDC JWT signed by the cluster's issuer). On GKE the pod presents it to the local GKE metadata server; on EKS the kubelet mounts it as a projected volume and the AWS SDK sends it to STS (AssumeRoleWithWebIdentity). The cloud provider verifies the signature against the cluster's published OIDC keys, checks the issuer, audience and expiry, and confirms that the token's sub claim (system:serviceaccount:<namespace>:<name>) is one the role's trust policy, or the GCP IAM binding, allows. Only then does it issue temporary credentials carrying the permissions of the assigned IAM role. The sub condition is the control that matters: a trust policy whose condition matches any service account lets every pod in the cluster assume the role.
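The exchange described above, modelled end to end as an added example (this is illustrative code written for this page, not code from any cloud provider or from Kubernetes). One function plays the Kubernetes API server minting an RS256-signed projected token; the other plays the cloud STS verifying it and applying the trust policy. The issuer URL, the payments/api service account and the debug-shell service account are hypothetical, and the public key is passed in directly where a real provider would fetch it from the issuer's OIDC discovery (JWKS) endpoint over HTTPS.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// Claims of a projected Kubernetes service-account token, the OIDC JWT a pod
// presents to the cloud provider. sub is "system:serviceaccount:<ns>:<name>".
type Claims struct {
	Iss string   `json:"iss"`
	Sub string   `json:"sub"`
	Aud []string `json:"aud"`
	Exp int64    `json:"exp"`
}

// TrustPolicy: the trusted issuer, required audience and allowed subs of a role.
type TrustPolicy struct {
	Issuer, Audience string
	AllowedSubs      []string
}

func NewClusterKey() *rsa.PrivateKey { // stand-in for the cluster's OIDC signing key
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	return key
}

// MintToken plays the Kubernetes API server (TokenRequest API): it signs the
// claims with the cluster's OIDC signing key using RS256.
func MintToken(key *rsa.PrivateKey, c Claims) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	body, _ := json.Marshal(c)
	input := base64.RawURLEncoding.EncodeToString(hdr) + "." + base64.RawURLEncoding.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + base64.RawURLEncoding.EncodeToString(sig), nil
}

// AssumeRoleWithWebIdentity plays the cloud STS. pub stands in for the key fetched from
// the cluster's JWKS; the algorithm is pinned to RS256 rather than read from the header.
func AssumeRoleWithWebIdentity(token string, pub *rsa.PublicKey, p TrustPolicy, now time.Time) (Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return Claims{}, fmt.Errorf("malformed token")
	}
	payload, err1 := base64.RawURLEncoding.DecodeString(parts[1])
	sig, err2 := base64.RawURLEncoding.DecodeString(parts[2])
	if err1 != nil || err2 != nil {
		return Claims{}, fmt.Errorf("bad base64")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return Claims{}, fmt.Errorf("signature invalid")
	}
	var c Claims
	if err := json.Unmarshal(payload, &c); err != nil {
		return Claims{}, err
	}
	switch {
	case c.Iss != p.Issuer:
		return Claims{}, fmt.Errorf("issuer not trusted")
	case now.Unix() >= c.Exp:
		return Claims{}, fmt.Errorf("token expired")
	case !contains(c.Aud, p.Audience):
		return Claims{}, fmt.Errorf("audience mismatch")
	case !contains(p.AllowedSubs, c.Sub):
		// The binding check; a wildcard sub condition in the policy removes it.
		return Claims{}, fmt.Errorf("sub %q not allowed by trust policy", c.Sub)
	}
	return c, nil // a real STS would now issue temporary credentials for the role
}

func contains(xs []string, s string) bool {
	for _, x := range xs {
		if x == s {
			return true
		}
	}
	return false
}

func main() {
	key, policy := NewClusterKey(), TrustPolicy{Issuer: "https://oidc.eks.example.com/id/CLUSTER", // hypothetical
		Audience: "sts.amazonaws.com", AllowedSubs: []string{"system:serviceaccount:payments:api"}}
	// A pod in another namespace presenting a validly signed token is still refused.
	tok, _ := MintToken(key, Claims{Iss: policy.Issuer, Sub: "system:serviceaccount:default:debug-shell",
		Aud: []string{policy.Audience}, Exp: time.Now().Add(time.Hour).Unix()})
	_, err := AssumeRoleWithWebIdentity(tok, &key.PublicKey, policy, time.Now())
	fmt.Println("debug-shell:", err)
}
```

The order of checks mirrors what a provider must do: signature first, so that nothing in the payload is trusted before it is authenticated, then issuer, expiry and audience, and finally the sub binding. Every refusal in main and in the checks above corresponds to a misconfiguration seen in practice: a trust policy with a wildcard sub (any pod assumes the role), a token minted for the wrong audience (replayable against another service), or a stale token that was copied out of a pod.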

Benefits

  • Least Privilege: Each workload is bound to its own role or service account and receives only the permissions that identity holds. This only holds if roles are not shared across workloads and trust policies name specific service accounts rather than matching any of them.
  • No Shared Secrets: There are no long-lived API keys or service account key files to distribute, store or rotate; tokens are short-lived and issued on demand.
  • Auditability: Cloud audit logs (CloudTrail on AWS, Cloud Audit Logs on GCP) record which Kubernetes service account assumed the identity, so actions can be traced back to a specific workload.

Related Terms