Meta Description: Replace static cloud credentials with OIDC workload identity — eliminate key rotation entirely for Lambda, GKE, and EKS workloads in production.
What Is Cloud IAM → Authentication vs Authorization → IAM Roles vs Policies → AWS IAM Deep Dive → GCP Resource Hierarchy IAM → Azure RBAC Scopes → OIDC Workload Identity
TL;DR
- Workload identity federation replaces static cloud access keys with short-lived tokens tied to runtime identity — no key to rotate, no secret to leak
- The OIDC token exchange pattern is consistent across AWS (IRSA / Pod Identity), GCP (Workload Identity), and Azure (AKS Workload Identity) — learn one, translate the others
- AWS EKS: use Pod Identity for new clusters; IRSA is the pattern for existing ones — both eliminate static keys
- GCP GKE:
--workload-poolat cluster level +roles/iam.workloadIdentityUserbinding on the GCP service account - Azure AKS: federated credential on a managed identity +
azure.workload.identity/use: "true"pod label - Cross-cloud federation works: an AWS IAM role can call GCP APIs without a GCP key file on the AWS side
- Enforce IMDSv2 everywhere; pin OIDC trust conditions to specific service account names; give each workload its own identity
The Big Picture
WORKLOAD IDENTITY FEDERATION — BEFORE AND AFTER
── STATIC CREDENTIALS (the broken model) ────────────────────────────────
IAM user created → access key generated
↓
Key distributed to pods / CI / servers → stored in Secrets, env vars, .env
↓
Valid indefinitely — never expires on its own
↓
Rotation is manual, painful, deferred ("there's a ticket for that")
↓
Key proliferates across environments — you lose track of every copy
↓
Leaked key → unlimited blast radius until someone notices and revokes it
── WORKLOAD IDENTITY FEDERATION (the current model) ─────────────────────
No key created. No key distributed. No key to rotate.
Workload starts → requests signed JWT from its native IdP
│ (EKS OIDC issuer, GitHub Actions, GKE metadata server)
↓
JWT carries workload claims: namespace, service account, repo, instance ID
↓
Cloud STS / token endpoint validates JWT signature + trust conditions
↓
Short-lived credential issued (AWS STS: 1–12h | GCP/Azure: ~1h)
↓
Credential expires automatically — nothing to clean up
↓
Token stolen → usable for 1 hour maximum, audience-bound, not reusable
Workload identity federation is the architectural answer to static credential sprawl. The workload’s proof of identity is its runtime environment — the cluster it runs in, the repository it belongs to, the service account it uses. The cloud provider never issues a persistent secret. This episode covers how that exchange works across all three clouds and Kubernetes.
Introduction
Workload identity federation eliminates static cloud credentials by replacing them with short-lived tokens that the runtime environment generates and the cloud provider validates against a registered trust relationship. No key to distribute, no rotation schedule to maintain, no proliferation to track.
A while back I was reviewing a Kubernetes cluster that had been running in production for about two years. The team had done good work — solid app code, reasonable cluster configuration. But when I started looking at how pods were authenticating to AWS, I found what I find in roughly 60% of environments I look at.
Twelve service accounts. Twelve access key pairs. Keys created 6 to 24 months ago. Stored as Kubernetes Secrets. Mounted into pods as environment variables. Never rotated because “the app would need to be restarted” and nobody owned the rotation schedule. Two of the keys belonged to AWS IAM users who no longer worked at the company — the users had been deactivated, but the access keys were still valid because in AWS, access keys live independently of console login status.
When I asked who was responsible for rotating these, the answer I got was: “There’s a ticket for that.”
There’s always a ticket for that.
The engineering problem here isn’t that the team was careless. It’s that static credentials are fundamentally unmanageable at scale. Workload identity removes the problem at its root.
Why Static Credentials Are the Wrong Model for Machines
Before getting into solutions, let me be precise about why this is a security problem, not just an operational inconvenience.
Static credentials have four fundamental failure modes:
They don’t expire. An AWS access key created in 2022 is valid in 2026 unless someone explicitly rotates it. GitGuardian’s 2024 data puts the average time from secret creation to detection at 328 days. That’s almost a year of exposure window before anyone even knows.
They lose origin context. When an API call arrives at AWS with an access key, the authorization system can tell you what key was used — not whether it was used by your Lambda function, by a developer debugging something, or by an attacker using a stolen copy. Static credentials are context-blind.
They proliferate invisibly. One key, distributed to a team, copied into three environments, cached on developer laptops, stored in a CI/CD pipeline, pasted into a config file in a test environment that got committed. By the time you need to rotate it, you don’t know all the places it lives.
Rotation is operationally painful. Creating a new key, updating every place the old key lives, removing the old key — while ensuring nothing breaks during the transition — is a coordination exercise that organizations consistently defer. Every month the rotation doesn’t happen is another month of accumulated risk.
Workload identity solves all four by replacing persistent credentials with short-lived tokens that are generated from the runtime environment and verified by the cloud provider against a registered trust relationship.
The OIDC Exchange — What’s Actually Happening
All three major cloud providers have converged on the same underlying mechanism: OIDC token exchange.
Workload (pod, GitHub Actions runner, EC2 instance, on-prem server)
│
│ 1. Request a signed JWT from the native identity provider
│ (EKS OIDC server, GitHub's token.actions.githubusercontent.com,
│ GKE metadata server, Azure IMDS)
▼
Native IdP issues a JWT. It contains claims about the workload:
- What repository triggered this CI run
- What Kubernetes namespace and service account this pod uses
- What EC2 instance ID this request came from
│
│ 2. Workload presents the JWT to the cloud STS / federation endpoint
▼
Cloud IAM evaluates:
- Is the JWT signature valid? (verified against the IdP's public keys)
- Does the issuer match a registered trust relationship?
- Do the claims match the conditions in the trust policy?
│
│ 3. If all checks pass: short-lived cloud credentials issued
│ (AWS: temporary STS credentials, expiry 1-12 hours)
│ (GCP: OAuth2 access token, expiry ~1 hour)
│ (Azure: access token, expiry ~1 hour)
▼
Workload calls cloud API with short-lived credentials.
Credentials expire. Nothing to clean up. Nothing to rotate.
No static secret is stored anywhere. The workload’s identity is its runtime environment — the cluster it runs in, the repository it belongs to, the service account it uses. If someone steals the short-lived token, it expires in an hour. If someone tries to use a token for a different resource than it was issued for, the audience claim doesn’t match and it’s rejected.
AWS: IRSA and Pod Identity for EKS
IRSA — The Original Pattern
IRSA (IAM Roles for Service Accounts) federates a Kubernetes service account identity with an AWS IAM role. Each pod’s service account is the proof of identity; AWS issues temporary credentials in exchange for the OIDC JWT.
# Step 1: get the OIDC issuer URL for your EKS cluster
OIDC_ISSUER=$(aws eks describe-cluster \
--name my-cluster \
--query "cluster.identity.oidc.issuer" \
--output text)
# Step 2: register this OIDC issuer with IAM
aws iam create-open-id-connect-provider \
--url "${OIDC_ISSUER}" \
--client-id-list sts.amazonaws.com \
--thumbprint-list "$(openssl s_client -connect ${OIDC_ISSUER#https://}:443 2>/dev/null \
| openssl x509 -fingerprint -noout | cut -d= -f2 | tr -d ':')"
# Step 3: create an IAM role with a trust policy scoped to a specific service account
ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text)
OIDC_ID="${OIDC_ISSUER#https://}"
cat > irsa-trust.json << EOF
{
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Principal": {
"Federated": "arn:aws:iam::${ACCOUNT_ID}:oidc-provider/${OIDC_ID}"
},
"Action": "sts:AssumeRoleWithWebIdentity",
"Condition": {
"StringEquals": {
"${OIDC_ID}:sub": "system:serviceaccount:production:app-backend",
"${OIDC_ID}:aud": "sts.amazonaws.com"
}
}
}]
}
EOF
aws iam create-role \
--role-name app-backend-s3-role \
--assume-role-policy-document file://irsa-trust.json
aws iam put-role-policy \
--role-name app-backend-s3-role \
--policy-name AppBackendPolicy \
--policy-document file://app-backend-policy.json
# Step 4: annotate the Kubernetes service account with the role ARN
apiVersion: v1
kind: ServiceAccount
metadata:
name: app-backend
namespace: production
annotations:
eks.amazonaws.com/role-arn: arn:aws:iam::123456789012:role/app-backend-s3-role
The EKS Pod Identity webhook injects two environment variables into any pod using this service account: AWS_WEB_IDENTITY_TOKEN_FILE pointing to a projected token, and AWS_ROLE_ARN. The AWS SDK reads these automatically. The application doesn’t know any of this is happening — it just calls S3 and it works, using credentials that were never stored anywhere and expire automatically.
The trust policy’s sub condition is the security boundary. system:serviceaccount:production:app-backend means: only pods in the production namespace using the app-backend service account can assume this role. A pod in a different namespace, even with the same service account name, gets a different sub claim and the assumption fails.
EKS Pod Identity — The Simpler Modern Approach
AWS released Pod Identity as a simpler alternative to IRSA. No OIDC provider setup, no manual trust policy with OIDC conditions:
# Enable the Pod Identity agent addon on the cluster
aws eks create-addon \
--cluster-name my-cluster \
--addon-name eks-pod-identity-agent
# Create the association — this replaces the OIDC trust policy setup
aws eks create-pod-identity-association \
--cluster-name my-cluster \
--namespace production \
--service-account app-backend \
--role-arn arn:aws:iam::123456789012:role/app-backend-s3-role
Same result, less ceremony. For new clusters, Pod Identity is the path I’d recommend. IRSA remains important to understand for the many existing clusters already using it.
IAM Roles Anywhere — For On-Premises Workloads
Not everything runs in Kubernetes. For on-premises servers and workloads outside AWS, IAM Roles Anywhere issues temporary credentials to servers that present an X.509 certificate signed by a trusted CA:
# Register your internal CA as a trust anchor
aws rolesanywhere create-trust-anchor \
--name "OnPremCA" \
--source sourceType=CERTIFICATE_BUNDLE,sourceData.x509CertificateData="$(base64 -w0 ca-cert.pem)"
# Create a profile mapping the CA to allowed roles
aws rolesanywhere create-profile \
--name "OnPremServers" \
--role-arns "arn:aws:iam::123456789012:role/OnPremAppRole" \
--trust-anchor-arns "${TRUST_ANCHOR_ARN}"
# On the on-prem server — exchange the certificate for AWS credentials
aws_signing_helper credential-process \
--certificate /etc/pki/server.crt \
--private-key /etc/pki/server.key \
--trust-anchor-arn "${TRUST_ANCHOR_ARN}" \
--profile-arn "${PROFILE_ARN}" \
--role-arn "arn:aws:iam::123456789012:role/OnPremAppRole"
The server’s certificate (managed by your internal PKI or an ACM Private CA) is the proof of identity. No access key distributed to the server — just a certificate that your CA signed and that you can revoke through your existing certificate revocation infrastructure.
GCP: Workload Identity for GKE
For GKE clusters, Workload Identity is enabled at the cluster level and creates a bridge between Kubernetes service accounts and GCP service accounts:
# Enable Workload Identity on the cluster
gcloud container clusters update my-cluster \
--workload-pool=my-project.svc.id.goog
# Enable on the node pool (required for the metadata server to work)
gcloud container node-pools update default-pool \
--cluster=my-cluster \
--workload-metadata=GKE_METADATA
# Create the GCP service account for the workload
gcloud iam service-accounts create app-backend \
--project=my-project
SA_EMAIL="[email protected]"
# Grant the GCP SA the permissions it needs
gcloud storage buckets add-iam-policy-binding gs://app-data \
--member="serviceAccount:${SA_EMAIL}" \
--role="roles/storage.objectViewer"
# Create the trust relationship: K8s SA → GCP SA
gcloud iam service-accounts add-iam-policy-binding "${SA_EMAIL}" \
--role=roles/iam.workloadIdentityUser \
--member="serviceAccount:my-project.svc.id.goog[production/app-backend]"
# Annotate the Kubernetes service account
apiVersion: v1
kind: ServiceAccount
metadata:
name: app-backend
namespace: production
annotations:
iam.gke.io/gcp-service-account: [email protected]
When the pod makes a GCP API call using ADC (Application Default Credentials), the GKE metadata server intercepts the credential request. It validates the pod’s Kubernetes identity, checks the IAM binding, and returns a short-lived GCP access token. The GCP service account key file never exists. There’s nothing to protect, nothing to rotate, nothing to leak.
Azure: Workload Identity for AKS
Azure’s workload identity for Kubernetes replaced the older AAD Pod Identity approach — which required a DaemonSet, had known TOCTOU vulnerabilities, and was operationally fragile. The current implementation uses the OIDC pattern:
# Enable OIDC issuer and workload identity on the AKS cluster
az aks update \
--name my-aks \
--resource-group rg-prod \
--enable-oidc-issuer \
--enable-workload-identity
# Get the OIDC issuer URL for this cluster
OIDC_ISSUER=$(az aks show \
--name my-aks --resource-group rg-prod \
--query "oidcIssuerProfile.issuerUrl" -o tsv)
# Create a user-assigned managed identity for the workload
az identity create --name app-backend-identity --resource-group rg-identities
CLIENT_ID=$(az identity show --name app-backend-identity -g rg-identities --query clientId -o tsv)
PRINCIPAL_ID=$(az identity show --name app-backend-identity -g rg-identities --query principalId -o tsv)
# Grant the identity the access it needs
az role assignment create \
--assignee-object-id "$PRINCIPAL_ID" \
--role "Storage Blob Data Reader" \
--scope /subscriptions/SUB_ID/resourceGroups/rg-prod/providers/Microsoft.Storage/storageAccounts/appstore
# Federate: trust the K8s service account from this cluster
az identity federated-credential create \
--name aks-app-backend-binding \
--identity-name app-backend-identity \
--resource-group rg-identities \
--issuer "${OIDC_ISSUER}" \
--subject "system:serviceaccount:production:app-backend" \
--audience "api://AzureADTokenExchange"
apiVersion: v1
kind: ServiceAccount
metadata:
name: app-backend
namespace: production
annotations:
azure.workload.identity/client-id: "CLIENT_ID_HERE"
---
apiVersion: v1
kind: Pod
metadata:
labels:
azure.workload.identity/use: "true" # triggers token injection
spec:
serviceAccountName: app-backend
containers:
- name: app
image: my-app:latest
# Azure SDK DefaultAzureCredential picks up the injected token automatically
Cross-Cloud Federation — When AWS Talks to GCP
The same OIDC mechanism works cross-cloud. An AWS Lambda or EC2 instance can call GCP APIs without any GCP service account key on the AWS side:
# GCP side: create a workload identity pool that trusts AWS
gcloud iam workload-identity-pools create "aws-workloads" --location=global
gcloud iam workload-identity-pools providers create-aws "aws-provider" \
--workload-identity-pool="aws-workloads" \
--account-id="AWS_ACCOUNT_ID"
# Bind the specific AWS role to the GCP service account
gcloud iam service-accounts add-iam-policy-binding [email protected] \
--role=roles/iam.workloadIdentityUser \
--member="principalSet://iam.googleapis.com/projects/GCP_PROJ_NUM/locations/global/workloadIdentityPools/aws-workloads/attribute.aws_role/arn:aws:sts::AWS_ACCOUNT:assumed-role/MyAWSRole"
The AWS workload presents its STS-issued credentials to GCP’s token exchange endpoint. GCP verifies the AWS signature, checks the attribute mapping (only MyAWSRole from that AWS account), and issues a short-lived GCP access token. No GCP service account key is ever distributed to the AWS side.
The Threat Model — What Workload Identity Doesn’t Solve
Workload identity dramatically reduces the attack surface, but it doesn’t eliminate it:
| Threat | What Still Applies | Mitigation |
|---|---|---|
| Token theft from the container filesystem | The projected token is readable if you have container filesystem access | Short TTL (default 1h); tokens are audience-bound — can’t use a K8s token to call Azure APIs |
| SSRF to metadata service | An SSRF vulnerability can fetch credentials from the metadata endpoint | Enforce IMDSv2 on AWS; use metadata server restrictions on GKE/AKS |
| Overpermissioned service account | Workload identity doesn’t enforce least privilege — the SA can still be over-granted | One SA per workload; review permissions against actual usage |
| Trust policy too broad | OIDC trust policy allows any service account in a namespace | Always pin to specific SA name in the sub condition |
The SSRF-to-metadata-service path deserves particular attention. IMDSv2 (mandatory in AWS by requiring a PUT to get a token before any metadata request) blocks most SSRF scenarios because a simple SSRF can only make GET requests. Enforce it:
# Enforce IMDSv2 at instance launch
aws ec2 run-instances \
--metadata-options HttpTokens=required,HttpPutResponseHopLimit=1
# Enforce org-wide via SCP — no instance can launch without IMDSv2
{
"Effect": "Deny",
"Action": "ec2:RunInstances",
"Resource": "arn:aws:ec2:*:*:instance/*",
"Condition": {
"StringNotEquals": {
"ec2:MetadataHttpTokens": "required"
}
}
}
⚠ Production Gotchas
╔══════════════════════════════════════════════════════════════════════╗
║ ⚠ GOTCHA 1 — Trust policy scoped to namespace, not service account ║
║ ║
║ A condition like "sub": "system:serviceaccount:production:*" ║
║ grants any pod in the production namespace the ability to assume ║
║ the role. A compromised or new workload in that namespace gets ║
║ access automatically. ║
║ ║
║ Fix: always pin the sub condition to the exact service account ║
║ name. "system:serviceaccount:production:app-backend" — not a glob. ║
╚══════════════════════════════════════════════════════════════════════╝
╔══════════════════════════════════════════════════════════════════════╗
║ ⚠ GOTCHA 2 — Shared service accounts across workloads ║
║ ║
║ Reusing one service account for multiple workloads saves setup ║
║ time and creates a lateral movement path. A compromised workload ║
║ that shares a service account with a payment processor has payment ║
║ processor permissions. ║
║ ║
║ Fix: one service account per workload. The overhead is low. ║
║ The blast radius reduction is significant. ║
╚══════════════════════════════════════════════════════════════════════╝
╔══════════════════════════════════════════════════════════════════════╗
║ ⚠ GOTCHA 3 — IMDSv1 still reachable after enabling IMDSv2 ║
║ ║
║ Enabling IMDSv2 on new instances doesn't affect existing ones. ║
║ The SCP approach enforces it at the org level going forward, but ║
║ existing instances need explicit remediation. ║
║ ║
║ Fix: audit existing instances for IMDSv1 exposure. ║
║ aws ec2 describe-instances --query ║
║ "Reservations[].Instances[?MetadataOptions.HttpTokens!='required']║
║ .[InstanceId,Tags]" ║
╚══════════════════════════════════════════════════════════════════════╝
Quick Reference
┌────────────────────────────────┬───────────────────────────────────────────────────────┐
│ Term │ What it means │
├────────────────────────────────┼───────────────────────────────────────────────────────┤
│ Workload identity federation │ OIDC-based exchange: runtime JWT → short-lived token │
│ IRSA │ IAM Roles for Service Accounts — EKS + OIDC pattern │
│ EKS Pod Identity │ Newer, simpler IRSA replacement — no OIDC setup │
│ GKE Workload Identity │ K8s SA → GCP SA via workload pool + IAM binding │
│ AKS Workload Identity │ K8s SA → managed identity via federated credential │
│ IAM Roles Anywhere │ AWS temp credentials for on-prem via X.509 cert │
│ IMDSv2 │ Token-gated AWS metadata service — blocks SSRF │
│ OIDC sub claim │ Workload's unique identity string — use for pinning │
│ Projected service account token│ K8s-injected JWT — the OIDC token pods present to AWS │
└────────────────────────────────┴───────────────────────────────────────────────────────┘
Key commands:
┌────────────────────────────────────────────────────────────────────────────────────────┐
│ # AWS — list OIDC providers registered in this account │
│ aws iam list-open-id-connect-providers │
│ │
│ # AWS — list Pod Identity associations for a cluster │
│ aws eks list-pod-identity-associations --cluster-name my-cluster │
│ │
│ # AWS — verify what credentials a pod is actually using │
│ aws sts get-caller-identity # run from inside the pod │
│ │
│ # AWS — audit instances missing IMDSv2 │
│ aws ec2 describe-instances \ │
│ --query "Reservations[].Instances[?MetadataOptions.HttpTokens!='required'] │
│ .[InstanceId]" --output text │
│ │
│ # GCP — verify workload identity binding on a GCP service account │
│ gcloud iam service-accounts get-iam-policy SA_EMAIL │
│ │
│ # GCP — list workload identity pools │
│ gcloud iam workload-identity-pools list --location=global │
│ │
│ # Azure — list federated credentials on a managed identity │
│ az identity federated-credential list \ │
│ --identity-name app-backend-identity --resource-group rg-identities │
└────────────────────────────────────────────────────────────────────────────────────────┘
Framework Alignment
| Framework | Reference | What It Covers Here |
|---|---|---|
| CISSP | Domain 5 — Identity and Access Management | Non-human identities dominate cloud environments; workload identity federation is the modern machine authentication pattern |
| CISSP | Domain 1 — Security & Risk Management | Static credential sprawl is a measurable, eliminable risk; workload identity removes it at the root |
| ISO 27001:2022 | 5.17 Authentication information | Managing machine credentials — workload identity replaces long-lived secrets with short-lived, environment-bound tokens |
| ISO 27001:2022 | 8.5 Secure authentication | OIDC token exchange is the secure authentication mechanism for machine identities |
| ISO 27001:2022 | 5.18 Access rights | Service account provisioning and deprovisioning — workload identity ties access to the runtime environment, not a stored secret |
| SOC 2 | CC6.1 | Workload identity federation is the preferred technical control for machine-to-cloud authentication in CC6.1 |
| SOC 2 | CC6.7 | Short-lived, audience-bound tokens restrict credential reuse across systems — addresses transmission and access controls |
Key Takeaways
- Static credentials for machine identities are the problem, not the solution — workload identity federation eliminates them at the root
- The OIDC token exchange pattern is consistent across AWS (IRSA/Pod Identity), GCP (Workload Identity), and Azure (AKS Workload Identity) — learn one, the others are a translation
- AWS EKS: use Pod Identity for new clusters; IRSA remains the pattern for existing ones — both eliminate static keys
- GCP GKE: Workload Identity enabled at cluster level, SA annotation at the K8s service account level
- Azure AKS: federated credential on the managed identity,
azure.workload.identity/use: "true"label on pods - Cross-cloud federation works — an AWS IAM role can call GCP APIs without a GCP key file
- Enforce IMDSv2 everywhere; pin OIDC trust conditions to specific service account names; apply least privilege to the underlying cloud identity
What’s Next
You’ve eliminated the static credential problem. The next question is: what happens when the IAM configuration itself is the vulnerability? AWS IAM privilege escalation goes into the attack paths — how iam:PassRole, iam:CreateAccessKey, and misconfigured trust policies turn IAM misconfigurations into full account compromise. If you’re designing or auditing cloud access control, you need to know these paths before an attacker finds them.
Next: AWS IAM Privilege Escalation: How iam:PassRole Leads to Full Compromise
Get EP08 in your inbox when it publishes → linuxcent.com/subscribe