Safeguard
Identity Security

Workload identity federation

What is workload identity federation? A precise breakdown of keyless cloud authentication, GitHub Actions OIDC, and short-lived credentials replacing static API keys.

Karan Patel
Cloud Security Engineer
8 min read

Workload identity federation is a method for granting a non-human identity — a CI/CD pipeline, a container, a serverless function — temporary access to cloud resources by trusting an external identity provider instead of storing a long-lived cloud credential. So what is workload identity federation, precisely? It's a trust relationship: your cloud provider (AWS, GCP, Azure) is configured to accept signed tokens issued by an external identity provider (like GitHub Actions, GitLab CI, or a Kubernetes cluster) and exchange them, at request time, for short-lived, scoped cloud credentials. No static access key ever has to exist. The workload proves who it is using a cryptographically signed token tied to its specific run — a job ID, a repository, a branch — and the cloud provider validates that token against a pre-configured trust policy before issuing temporary permissions. This is the architecture behind "keyless" deployments and it's rapidly becoming the default for secure CI/CD.

What is workload identity federation and why does it exist?

Workload identity federation exists to eliminate long-lived, static secrets from machine-to-machine authentication. Before federation, a GitHub Actions workflow that needed to deploy to AWS would store an IAM access key and secret in repository secrets — a credential valid indefinitely, usable from anywhere, and invisible once leaked until someone noticed abnormal API activity. Federation replaces that model entirely. Instead of storing a credential, the workload authenticates itself with a short-lived identity token minted by its own runtime environment (GitHub's OIDC provider, GCP's service account impersonation, Azure's managed identity), and the cloud provider exchanges that token for credentials scoped to a specific role, with an expiry measured in minutes. The token itself is worthless outside its narrow context — it's audience-restricted, time-bound, and tied to claims like repository name, branch, and workflow file path that the cloud provider checks before trusting it.

How does GitHub Actions OIDC federation actually work?

GitHub Actions OIDC federation works by having GitHub's runners request a signed JSON Web Token from GitHub's own OIDC provider at job runtime, which the cloud provider then verifies against a configured trust policy. Concretely: a workflow adds permissions: id-token: write, and during the job, the actions/checkout or cloud-specific action (like aws-actions/configure-aws-credentials) requests a token from https://token.actions.githubusercontent.com. That token contains claims — repo:my-org/my-repo:ref:refs/heads/main, the workflow name, the run ID — signed with a key GitHub rotates and publishes via a JWKS endpoint. On the AWS side, an IAM OIDC identity provider is configured to trust token.actions.githubusercontent.com, and an IAM role's trust policy restricts sts:AssumeRoleWithWebIdentity to tokens whose sub claim matches a specific repository and branch — for example, only allowing the deploy-prod role to be assumed by tokens from repo:acme/infra:ref:refs/heads/main. AWS validates the signature, checks the claims against the trust policy, and returns temporary STS credentials valid for as little as fifteen minutes. A real-world version of this: a team migrating off a long-lived AWS_ACCESS_KEY_ID stored in GitHub secrets reconfigures their deploy workflow to use aws-actions/configure-aws-credentials@v4 with a role-to-assume ARN — the moment that merges, there's no longer a static AWS credential anywhere in the repository, its secrets store, or its audit logs to steal.

What is keyless cloud authentication, and how is it different from API keys?

Keyless cloud authentication is the practical outcome of workload identity federation: no persistent access key, password, or shared secret is provisioned, stored, or rotated at any point in the workflow. Traditional API key authentication requires generating a credential once, storing it somewhere (a secrets manager, an environment variable, a CI variable), and trusting that storage layer to keep it safe indefinitely — the key remains valid until someone manually revokes it, which in practice often means years. Keyless authentication inverts this: the credential is generated fresh for every single execution, derived from an identity token that's minted, consumed, and discarded within the same job run. There's nothing sitting in a vault for an attacker to exfiltrate, and nothing that shows up in a secret-scanning sweep of your repository history, because it was never written down. This is why keyless authentication has become the standard recommendation for CI/CD-to-cloud connections at organizations like Google (which pioneered Workload Identity Federation for GCP) and why AWS and Azure both shipped equivalent OIDC-based mechanisms shortly after GitHub Actions made federated pipelines mainstream.

How do short-lived cloud credentials reduce breach impact compared to static keys?

Short-lived cloud credentials reduce breach impact by shrinking the window during which a stolen credential is useful, often to minutes instead of indefinitely. Consider the 2023 pattern of attackers scraping public GitHub repositories and CI logs for exposed AWS keys: a static key harvested from a misconfigured workflow or an accidentally-committed .env file remains exploitable until a human notices and rotates it — incident response timelines routinely stretch into days. A federated, short-lived credential minted via AssumeRoleWithWebIdentity typically expires in 15 minutes to an hour and is non-renewable without a fresh, validated identity token. If an attacker somehow intercepts one mid-flight (already a much harder feat, since it never touches disk or a secrets store), its blast radius is capped by both time and the narrow IAM role it was scoped to. This is a structural risk reduction, not just an operational convenience: it converts credential theft from a standing compromise into, at worst, a brief window tied to a single job execution.

What does federated workload identity look like beyond CI/CD pipelines?

Federated workload identity extends beyond CI/CD to any non-human identity that needs to prove itself to a cloud provider without a stored secret — Kubernetes pods, serverless functions, and cross-cloud services all use the same pattern. A pod running in a GKE cluster can use its Kubernetes service account token, federated through GCP Workload Identity, to assume a Google service account and call BigQuery without a downloaded JSON key file ever existing on disk. A Lambda function can assume a cross-account role using its execution role's temporary credentials rather than embedding a key for a partner AWS account. Even multi-cloud setups use this: a workload running in Azure can federate its managed identity token to authenticate against AWS STS, letting a single pipeline deploy across both clouds without maintaining separate static credentials for each. The common thread is always the same trust triangle — a workload identity provider that vouches for the caller, a relying cloud provider that validates the token against an explicit trust policy, and a credential that expires almost as fast as it's issued.

What are the trade-offs and failure modes of workload identity federation?

The main trade-off is that federation shifts risk from credential storage to trust-policy configuration, which means a misconfigured or overly broad trust policy can silently reopen the exact exposure federation was meant to close. If an IAM trust policy validates only the iss (issuer) claim and forgets to scope the sub claim to a specific repository and branch, any workflow across an entire GitHub organization — including a fork's pull-request workflow — could potentially assume a highly privileged role. This has been a documented real-world misconfiguration: teams enabling OIDC federation broadly but leaving the trust condition as a wildcard, effectively granting deploy-level access to any repository under the organization. Federation also requires the identity provider itself to be trustworthy and available — if GitHub's OIDC token endpoint has an outage, federated deployments relying on it stall, whereas a static (if riskier) key would have kept working. These aren't arguments against federation; they're reasons its trust policies need the same rigor as any other access control and should be reviewed as code, not configured once and forgotten.

How Safeguard Helps

Safeguard gives security and platform teams visibility into exactly how workload identity federation is configured across their software supply chain — surfacing GitHub Actions OIDC federation trust policies, flagging overly permissive sub claim conditions, and detecting workflows that still rely on long-lived static cloud credentials instead of short-lived, federated ones. Safeguard continuously scans CI/CD configurations and cloud IAM trust relationships to catch the exact misconfigurations described above — wildcard trust conditions, missing branch restrictions, and forgotten static keys sitting alongside newer federated setups — before they become an incident. For teams migrating from API keys to keyless cloud authentication, Safeguard maps which pipelines still depend on stored secrets, prioritizes them by blast radius, and verifies that new federated identity configurations actually enforce the narrow trust boundaries they're intended to, closing the gap between adopting workload identity federation and adopting it correctly.

Never miss an update

Weekly insights on software supply chain security, delivered to your inbox.