Microsoft Learn
learn.microsoft.com › en-us › entra › workload-id › workload-identity-federation
Workload Identity Federation - Microsoft Entra Workload ID | Microsoft Learn
You use workload identity federation to configure a user-assigned managed identity or app registration in Microsoft Entra ID to trust tokens from an external identity provider (IdP), such as GitHub or Google.
Google
docs.cloud.google.com › iam › identity and access management (iam) › workload identity federation
Workload Identity Federation | Identity and Access Management (IAM) | Google Cloud Documentation
You can use Workload Identity Federation with workloads that authenticate using X.509 client certificates; that run on Amazon Web Services (AWS) or Azure; on-premises Active Directory; deployment services, such as GitHub and GitLab; and with ...
Workload Identity Federation
As of now, Azure Data Factory (ADF) does not natively support Workload Identity Federation (WIF) for Service Principal authentication in Linked Services or Web Activities. The supported authentication methods for Service Principal in ADF are limited to client secret or certificate only—this ... More on learn.microsoft.com
1
0
October 10, 2025Question regarding workload identity federation direct access option
I’m sure there is a permissions side panel for cloud run services, however what’s stopping you from using gcloud or terraform? https://cloud.google.com/run/docs/securing/managing-access#service-add-principals gcloud run services add-iam-policy-binding SERVICE_NAME \ --member=PRINCIPAL \ --role=ROLE More on reddit.com
5
1
September 29, 2025Workload Identity Federation (WIF) is one such gem, enabling secure, keyless authentication
Thanks for sharing. The last part with recommendations for GCP caught my attention. If there are other suggestions from the broader community around WIF, we're always open to listening. More on reddit.com
32
48
May 13, 2025SSH to GCP VM from GitHub Actions using Workload Identity Federation
I have documented a similar use case in chapter 2 of my PCSE book using this example. Have you tried this approach? https://github.com/google-github-actions/auth/blob/main/README.md More on reddit.com
4
4
December 18, 2024Videos
01:02:19
Workload Identity and Federation: Authentication without using ...
05:14
Workload Identity Federation In Azure DevOps - YouTube
Azure DevOps Workload Identity Federation with Azure Overview. ...
12:11
Stop Struggling—The Easiest Way to Get Secure GCP Access from ...
01:45
Why use workload identity federation? - YouTube
25:40
How to Setup Google Cloud Workload Identity Federation for GitHub ...
Snowflake Documentation
docs.snowflake.com › en › user-guide › workload-identity-federation
Workload identity federation | Snowflake Documentation
Developers of multi-tenant SaaS applications who want to issue OpenID Connect (OIDC) Federation ID tokens to individual workloads that are running on their platform so that each customer workload can authenticate to Snowflake as a dedicated user. Workload identity federation (WIF) is a service-to-service authentication method that lets workloads, such as applications, services, or containers, authenticate with Snowflake using their cloud provider’s native identity system, such as AWS Identity and Access Management (AWS IAM) roles, Microsoft Entra ID, and Google Cloud service accounts to get an attestation that Snowflake can use and validate.
Microsoft Learn
learn.microsoft.com › en-us › entra › workload-id › workload-identity-federation-considerations
Workload identity federation for app considerations - Microsoft Entra Workload ID | Microsoft Learn
For more information on the scenarios enabled by federated identity credentials, see workload identity federation overview. Applies to: applications and user-assigned managed identities · Anyone with permissions to create an app registration and add a secret or certificate can add a federated ...
Google Cloud
cloud.google.com › workforce-identity-federation
Workforce Identity Federation | Google Cloud
Migrate quickly with solutions for SAP, VMware, Windows, Oracle, and other workloads. ... Discovery and analysis tools for moving to the cloud. ... Certifications for running SAP applications and SAP HANA.
CyberArk
docs.cyberark.com › mis-saas › vcs-platform › serviceaccounts › c-about-workload-identity-federation
What is workload identity federation? - Machine Identity Security Docs
This means your application proves its identity to the IDP and receives a token, which it can then use to access other services. This method increases security by minimizing the risk associated with stolen credentials and reduces the management overhead typically associated with handling secrets.
CyberArk
docs.cyberark.com › mis-saas › vaas › integrations › gcp › gcp-workload-identity
Workload Identity Federation - Built-In Identity Provider authentication - Machine Identity Security Docs
gcloud iam workload-identity-pools create <your-identity-pool-id> \ --location="global" \ --description="<Venafi Workload Identity Pool for Federated Identities>" \ --display-name="Venafi WIF Pool" See Manage workload identity pools and providers for more details. ... Sign in to Certificate Manager - SaaS.
Google
docs.cloud.google.com › iam › identity and access management (iam) › configure workload identity federation with other identity providers
Configure Workload Identity Federation with other identity providers | Identity and Access Management (IAM) | Google Cloud Documentation
In workload identity federation, do the following: Create an asymmetric key pair for your workload identity pool provider. Download a certificate file that contains the public key.
Microsoft Learn
learn.microsoft.com › en-us › answers › questions › 5581159 › workload-identity-federation
Workload Identity Federation - Microsoft Q&A
October 10, 2025 - As of now, Azure Data Factory (ADF) does not natively support Workload Identity Federation (WIF) for Service Principal authentication in Linked Services or Web Activities. The supported authentication methods for Service Principal in ADF are limited to client secret or certificate only—this is confirmed by the official documentation for connectors like Azure Blob Storage (https://learn.microsoft.com/en-us/azure/data-factory/connector-azure-blob-storage#service-principal-authentication ) and the ARM template schema (https://learn.microsoft.com/en-us/azure/templates/microsoft.datafactory/factories/linkedservices ), which only accept "ServicePrincipalKey" or "ServicePrincipalCert" as credential types.
Azure Docs
docs.azure.cn › en-us › entra › workload-id › workload-identity-federation-considerations
Workload identity federation for app considerations | Azure Docs
March 18, 2026 - For more information on the scenarios enabled by federated identity credentials, see workload identity federation overview. Applies to: applications and user-assigned managed identities · Anyone with permissions to create an app registration and add a secret or certificate can add a federated ...
Microsoft Learn
learn.microsoft.com › en-us › azure › azure-arc › kubernetes › conceptual-workload-identity
Workload identity federation in Azure Arc-enabled Kubernetes (preview) - Azure Arc | Microsoft Learn
Workload identity federation lets you configure a user-assigned managed identity or app registration in Microsoft Entra ID to trust tokens from an external identity provider (IdP), such as Kubernetes.
Reddit
reddit.com › r/googlecloud › question regarding workload identity federation direct access option
r/googlecloud on Reddit: Question regarding workload identity federation direct access option
September 29, 2025 -
Hi,
I am trying to implement the concept of " workload identity federation" in GCP for GitHub workloads which are accessing GCP resources.
Can anyone please clarify below question regarding the "direct access" option.
For direct access option ,GCP Documentation gave the example of cloud storage bucket (https://cloud.google.com/iam/docs/workload-identity-federation-with-deployment-pipelines#direct-resource) and asked to go to "permissions " page of the bucket and add the required role for principal.
However, if it is a cloud run service or app engine service ,it does not have permission page, how do we proceed in that case..can we give the role for the principal in the IAM page itself.
Top answer 1 of 3
1
I’m sure there is a permissions side panel for cloud run services, however what’s stopping you from using gcloud or terraform? https://cloud.google.com/run/docs/securing/managing-access#service-add-principals gcloud run services add-iam-policy-binding SERVICE_NAME \ --member=PRINCIPAL \ --role=ROLE
2 of 3
1
Have a look at this for WIF + Github Actions https://github.com/terraform-google-modules/terraform-example-foundation/blob/main/0-bootstrap/github.tf.example That repo has has example github workflows you can copy.
Reddit
reddit.com › r/googlecloud › workload identity federation (wif) is one such gem, enabling secure, keyless authentication
r/googlecloud on Reddit: Workload Identity Federation (WIF) is one such gem, enabling secure, keyless authentication
May 13, 2025 -
Google Cloud Platform (GCP) offers a robust set of tools, but some of its most powerful features remain underutilized due to lackluster marketing and sparse documentation. Workload Identity Federation (WIF) is one such gem, enabling secure, keyless authentication for external systems like GitHub Actions to access GCP APIs without the risks of long-lived credentials like service account keys.
https://medium.com/@rasvihostings/gcp-workload-identity-federation-1a0be28722d4
GitHub
github.com › MicrosoftDocs › entra-docs › blob › main › docs › workload-id › workload-identity-federation-create-trust.md
entra-docs/docs/workload-id/workload-identity-federation-create-trust.md at main · MicrosoftDocs/entra-docs
Select Certificates & secrets in the left nav pane, select the Federated credentials tab, and select Add credential. Select the Other issuer scenario from the dropdown menu. Specify the following fields (using a software workload running in Google Cloud as an example): Name is the name of the federated credential, which can't be changed later. Subject identifier: must match the sub claim in the token issued by the external identity provider.
Author MicrosoftDocs
Nhimg
nhimg.org › workload-identity-federation
Workload identity federation
Workload Identity Federation is an innovative approach to managing identities across multiple cloud environments. It allows organizations to authenticate and authorize workloads without relying on traditional credentials, such as usernames and ...
Google Cloud
cloud.google.com › iam › identity and access management (iam) › best practices for using workload identity federation
Best practices for using Workload Identity Federation | Identity and Access Management (IAM) | Google Cloud Documentation
Depending on how you configure the workload identity pool and its providers, the same external identity might be represented as multiple different IAM principals, or several external identities could map to the same IAM principal. Such ambiguities might allow bad actors to launch spoofing attacks. The following section describes best practices that help you avoid ambiguous mappings, and reduce the risk of spoofing threats. Best practices: Use attribute conditions when federating with GitHub or other multi-tenant identity providers.
To The New
tothenew.com › home › modern authentication with azure workload identity federation
Modern authentication with Azure workload identity federation | TO THE NEW Blog
June 30, 2025 - Use Case: Kubernetes with Federated Credentials Federated identity allows Kubernetes workloads (AKS, EKS, GKE, or self-managed clusters) to securely access Azure services such as Blob Storage, Postgres or Key Vault by trading tokens through Entra ID—...
Aembit
aembit.io › blog › what-identity-federation-means-for-workloads-in-cloud-native-environments
Workload Identity Federation for Cloud-Native Environments
3 weeks ago - Workloads operate with ephemeral access based on verified identity assertions. No credentials are stored in code, pipeline configurations or environment variables. Unlike a secrets manager, which centralizes storage but still requires distributing the secret to the workload, federation means the workload never handles a persistent credential at all.
Palo Alto Networks
docs.paloaltonetworks.com › next-gen-trust-security › next-gen-trust-security › about-vaas › integrations-overview › cloud-providers-overview › gcp › gcp-workload-identity-azure
Workload Identity Federation - Azure Identity Provider authentication
March 10, 2026 - In your app, go to Certificates & secrets. Click New client secret, provide a description, and select an expiration. Copy and save the secret value. ... In the GCP console, go to APIs & services > Library. ... Use the Workload Identity Federation - Azure Identity Provider authentication permissions ...