Workload Identity
Authenticate workloads without static credentials.
Workload identity APIs are not shipped in this repo.
Overview
Workload identity allows applications to authenticate based on their runtime identity rather than static secrets.
Supported platforms
Kubernetes
serviceAccountName: my-app
annotations:
  qnsp.io/workload-identity: "enabled"
AWS
{
  "type": "aws-iam",
  "roleArn": "arn:aws:iam::123456789:role/my-app"
}
GCP
{
  "type": "gcp-sa",
  "serviceAccount": "my-app@project.iam.gserviceaccount.com"
}
Authentication flow
- Workload requests identity token from platform
- Token presented to QNSP
- QNSP validates token with platform
- QNSP issues scoped access token
- Workload accesses secrets
Configuration
For workloads running in Kubernetes, use a service account to obtain a QNSP access token (for example via auth-service service accounts) and pass the token to SDK/API calls.
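The five-step flow above and the Kubernetes configuration note, worked through end to end as an added example. This is not QNSP code (the page states that the workload identity APIs are not shipped in this repo), so the token format, the exchange function names (qnsp_exchange, qnsp_read_secret) and the POLICY table are all assumptions constructed for the example. HMAC-SHA256 with shared keys stands in for the asymmetric platform keys a real deployment would verify; on Kubernetes the identity token in step 1 would be the projected service-account token read from the pod rather than minted locally.

```python
import base64
import fnmatch
import hashlib
import hmac
import json

# Constructed keys for an offline demonstration. A real platform publishes asymmetric
# keys (OIDC/JWKS) that QNSP verifies; HMAC-SHA256 stands in for that here.
PLATFORM_KEY = b"constructed-platform-signing-key"
QNSP_KEY = b"constructed-qnsp-signing-key"
IDENTITY_AUDIENCE = "qnsp"          # platform token must be minted for QNSP
ACCESS_AUDIENCE = "qnsp-secrets"    # QNSP token is only valid at the secrets API

# Constructed policy: which secret paths each workload identity may read.
POLICY = {
    "system:serviceaccount:prod:my-app": ["secret/prod/my-app/*"],
}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_token(claims: dict, key: bytes) -> str:
    """Minimal JWT-like token: base64url(claims).base64url(HMAC-SHA256)."""
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = hmac.new(key, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(sig)}"


def verify_token(token: str, key: bytes, audience: str, now: int) -> dict:
    """Reject a token unless its signature, audience and expiry all check out."""
    body, sig = token.split(".", 1)
    expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):   # constant-time compare
        raise ValueError("bad signature")
    claims = json.loads(_unb64(body))
    if claims.get("aud") != audience:
        raise ValueError("wrong audience")
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise ValueError("expired")
    return claims


# Step 1: the platform hands the workload an identity token. On Kubernetes this is the
# projected service-account token (/var/run/secrets/kubernetes.io/serviceaccount/token);
# here it is constructed so the flow runs offline.
def platform_issue_identity_token(namespace: str, service_account: str, now: int) -> str:
    claims = {
        "iss": "kubernetes",
        "aud": IDENTITY_AUDIENCE,
        "sub": f"system:serviceaccount:{namespace}:{service_account}",
        "exp": now + 600,
    }
    return sign_token(claims, PLATFORM_KEY)


# Steps 2-4: the workload presents the identity token; QNSP validates it and issues a
# scoped, short-lived access token. Scopes come from policy, never from the request.
def qnsp_exchange(identity_token: str, now: int) -> str:
    identity = verify_token(identity_token, PLATFORM_KEY, IDENTITY_AUDIENCE, now)
    scopes = POLICY.get(identity["sub"])
    if not scopes:
        raise PermissionError(f"no policy for {identity['sub']}")
    access = {
        "iss": "qnsp",
        "aud": ACCESS_AUDIENCE,
        "sub": identity["sub"],
        "scopes": scopes,
        "exp": min(now + 300, identity["exp"]),  # never outlive the platform identity
    }
    return sign_token(access, QNSP_KEY)


# Step 5: the workload reads a secret with the access token. Returns the authorization
# decision; an invalid token raises instead of silently returning False.
def qnsp_read_secret(access_token: str, path: str, now: int) -> bool:
    access = verify_token(access_token, QNSP_KEY, ACCESS_AUDIENCE, now)
    allowed = any(fnmatch.fnmatchcase(path, pattern) for pattern in access["scopes"])
    # Audit trail: record who asked for what and whether it was granted.
    print(json.dumps({"sub": access["sub"], "path": path, "allowed": allowed}))
    return allowed


if __name__ == "__main__":
    now = 1_700_000_000
    identity = platform_issue_identity_token("prod", "my-app", now)
    access = qnsp_exchange(identity, now)
    qnsp_read_secret(access, "secret/prod/my-app/db-password", now)     # allowed
    qnsp_read_secret(access, "secret/prod/other-app/db-password", now)  # denied
```

Two design points carry over to any real implementation: the identity token and the access token use different keys and different audiences, so a platform token replayed at the secrets API (or a QNSP token replayed at the exchange) fails verification rather than being accepted by accident; and the access token's lifetime is capped by the identity token's, so a workload's access never outlives the platform identity it was derived from. Note that fnmatch's `*` also matches `/`, so a `my-app/*` scope covers nested paths.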
Benefits
- No static credentials to manage
- Automatic rotation
- Platform-native security
- Audit trail of workload access