You use workload identity federation to configure a user-assigned managed identity or app registration in Microsoft Entra ID to trust tokens from an external identity provider (IdP), such as GitHub or Google.

With Workload Identity Federation, you can use Identity and Access Management (IAM) to grant IAM roles to principals that are based on federated identities in a workload identity pool.

Workload identity federation (WIF) is a service-to-service authentication method that lets workloads, such as applications, services, or containers, authenticate with Snowflake using their cloud provider’s native identity system, such as AWS Identity and Access Management (AWS IAM) roles, ...

Workload Identity Federation, or WIF, is a way to authenticate non-GCP systems, such as GitHub Actions, GitLab CI/CD, Bitbucket Pipelines, and other third-party CI/CD tools, with Google Cloud services without using long-lived service account keys.

September 5, 2025 - Configure a workload identity provider when you want to create a trust relationship between HashiCorp Cloud Platform (HCP) and an external identity provider. This trust relationship is called federation.

Workload identity federation (WIF) allows your applications to securely authenticate with cloud services without having to manage and secure long-lived credentials (like passwords or API keys). Instead, it uses short-lived tokens obtained from a trusted Identity Provider (IdP).

When you configure a federated identity credential, there are several important pieces of information to provide: issuer and subject are the key pieces of information needed to set up the trust relationship. The combination of issuer and subject must be unique on the app. When the external software workload requests Microsoft identity platform to exchange the external token for an access token, the issuer and subject values of the federated identity credential are checked against the issuer and subject claims provided in the external token.

When you configure a federated identity credential, there are several important pieces of information to provide: issuer and subject are the key pieces of information needed to set up the trust relationship. The combination of issuer and subject must be unique on the app. When the external software workload requests Microsoft identity platform to exchange the external token for an access token, the issuer and subject values of the federated identity credential are checked against the issuer and subject claims provided in the external token.

Using workload identity federation allows you to access Azure Active Directory (Azure AD) protected resources without needing to manage secrets.

If your workload calls an API endpoint that has a limitation, you can instead use service account impersonation. In this case, the principal is the Google Cloud service account, which acts as the identity. You grant access to the service account on the resource. You can grant access to a federated identity directly on resources by using the Google Cloud console or the gcloud CLI.

2 weeks ago - Unlike a secrets manager, which centralizes storage but still requires distributing the secret to the workload, federation means the workload never handles a persistent credential at all.

To authenticate to Google Cloud, you can let the workload exchange its environment-specific credentials for short-lived Google Cloud credentials by using Workload Identity Federation.

In this case, the principal is the federated user. Some Google Cloud products have Google Cloud API limitations. If your workload calls an API endpoint that has a limitation, you can instead use service account impersonation. In this case, the principal is the Google Cloud service account, which acts as the identity.

Workload identity federation lets you configure a user-assigned managed identity or app registration in Microsoft Entra ID to trust tokens from an external identity provider (IdP), such as Kubernetes.

June 27, 2023 - For example, if the account name is “sa-sandbox-federation”, then the identifier will be: sa-sandbox-federation@<your-project-id>.iam.gserviceaccount.com ... Each cloud has its own method for connecting to Google Cloud, which you can read about here. In this walkthrough, we’re connecting from Azure which has several connectors, but we will use an OpenID (OIDC) connector because it’s more generic and portable. ... Next, create your Workload Identity Pool on Google Cloud, which will handle incoming connection requests, and a Provider that knows about your Azure environment.

January 30, 2026 - Workload identity federation lets cloud-hosted infrastructure in providers like Microsoft Azure, Google Cloud Platform, Amazon Web Services, or GitHub Actions authenticate to a tailnet or the Tailscale API using provider-native identity tokens instead of Tailscale auth keys or OAuth clients.

Depending on how you configure the workload identity pool and its providers, the same external identity might be represented as multiple different IAM principals, or several external identities could map to the same IAM principal. Such ambiguities might allow bad actors to launch spoofing attacks. The following section describes best practices that help you avoid ambiguous mappings, and reduce the risk of spoofing threats. Best practices: Use attribute conditions when federating with GitHub or other multi-tenant identity providers.

The federated identity credential ... (IdP). You can then configure an external software workload to exchange a token from the external IdP for an access token from Microsoft identity platform....