You use workload identity federation to configure a user-assigned managed identity or app registration in Microsoft Entra ID to trust tokens from an external identity provider (IdP), such as GitHub or Google.

With Workload Identity Federation, you can use Identity and Access Management (IAM) to grant IAM roles to principals that are based on federated identities in a workload identity pool.

Workload identity federation (WIF) is a service-to-service authentication method that lets workloads, such as applications, services, or containers, authenticate with Snowflake using their cloud provider’s native identity system, such as AWS Identity and Access Management (AWS IAM) roles, ...

Workload Identity Federation, or WIF, is a way to authenticate non-GCP systems, such as GitHub Actions, GitLab CI/CD, Bitbucket Pipelines, and other third-party CI/CD tools, with Google Cloud services without using long-lived service account keys.

September 5, 2025 - With workload identity federation, external workloads authenticate to HCP without storing any secret keys. After you federate workload identity, your workload sends its trusted identity token to HCP and retrieves an HCP access token when it ...

Workload identity federation (WIF) allows your applications to securely authenticate with cloud services without having to manage and secure long-lived credentials (like passwords or API keys). Instead, it uses short-lived tokens obtained from a trusted Identity Provider (IdP).

3 weeks ago - Unlike a secrets manager, which centralizes storage but still requires distributing the secret to the workload, federation means the workload never handles a persistent credential at all.

When you configure a federated identity credential, there are several important pieces of information to provide: issuer and subject are the key pieces of information needed to set up the trust relationship. The combination of issuer and subject must be unique on the app. When the external software workload requests Microsoft identity platform to exchange the external token for an access token, the issuer and subject values of the federated identity credential are checked against the issuer and subject claims provided in the external token.

Using workload identity federation allows you to access Azure Active Directory (Azure AD) protected resources without needing to manage secrets.

March 18, 2026 - When you configure a federated identity credential, there are several important pieces of information to provide: issuer and subject are the key pieces of information needed to set up the trust relationship. The combination of issuer and subject must be unique on the app. When the external software workload requests Microsoft identity platform to exchange the external token for an access token, the issuer and subject values of the federated identity credential are checked against the issuer and subject claims provided in the external token.

If your workload calls an API endpoint that has a limitation, you can instead use service account impersonation. In this case, the principal is the Google Cloud service account, which acts as the identity. You grant access to the service account on the resource. You can grant access to a federated identity directly on resources by using the Google Cloud console or the gcloud CLI.

In this case, the principal is the federated user. Some Google Cloud products have Google Cloud API limitations. If your workload calls an API endpoint that has a limitation, you can instead use service account impersonation. In this case, the principal is the Google Cloud service account, which acts as the identity.

March 9, 2025 - Often with Azure, managed identities handle auth requirements between services, but they are not supported for non-Azure based callers. This is where workload identity federation comes in, allowing us to define a trust relationship between Entra ID and an external identity provider.

To authenticate to Google Cloud, you can let the workload exchange its environment-specific credentials for short-lived Google Cloud credentials by using Workload Identity Federation.

June 24, 2025 - In essence, Workload Identity Federation enables VMs to access resources without needing traditional credentials, like usernames and passwords. Instead, it relies on a trust relationship between an identity provider and the resource provider.

The federated identity credential ... (IdP). You can then configure an external software workload to exchange a token from the external IdP for an access token from Microsoft identity platform....

January 30, 2026 - Workload identity federation lets cloud-hosted infrastructure in providers like Microsoft Azure, Google Cloud Platform, Amazon Web Services, or GitHub Actions authenticate to a tailnet or the Tailscale API using provider-native identity tokens instead of Tailscale auth keys or OAuth clients.

Workload identity federation lets you configure a user-assigned managed identity or app registration in Microsoft Entra ID to trust tokens from an external identity provider (IdP), such as Kubernetes.