Workload Identity - CI/CD Glossary Definition
Workload identity is the broad pattern of giving a running workload (a CI job, a pod, a function) its own verifiable identity so it can obtain credentials without an embedded secret. GCP Workload Identity Federation and Azure workload identity are named implementations.
How it differs from a service account key
A static service-account key is a secret that can leak and rarely rotates. Workload identity issues short-lived tokens bound to the actual workload, so there is no long-lived credential to steal.
In CI
GitHub Actions OIDC tokens are federated to a cloud workload identity so a deploy job assumes a role for the duration of the run only.
Related guides
OIDC Federation - CI/CD Glossary DefinitionOIDC Federation: OIDC federation lets a CI workflow exchange a short-lived OpenID Connect token for cloud cre…
Secret Rotation - CI/CD Glossary DefinitionSecret Rotation: Secret rotation is the practice of replacing credentials (tokens, keys, passwords) on a regu…
Least Privilege - CI/CD Glossary DefinitionLeast Privilege: Least privilege is the principle that an identity (user, service, or CI job) should hold onl…