Workload identity federation without static keys
OIDC to AWS/GCP/Azure and killing long-lived cloud keys.
The single most effective cloud-identity upgrade is deleting your long-lived access keys. A key stored in a CI secret, a config file, or an env var is a bearer credential that never expires — copy it once and you own it forever. Workload identity federation replaces it with a short-lived token minted on demand, scoped to the exact workload that asked, and impossible to reuse after it expires.
How OIDC federation works
The CI system (or Kubernetes, or another cloud) acts as an OpenID Connect identity provider. When a job runs, the platform issues it a signed JWT describing who it is — which repository, which branch, which workflow. The job hands that token to the cloud STS endpoint, which verifies the signature against the IdP, checks the claims against a trust policy you wrote, and returns short-lived cloud credentials. No secret is ever stored: the token is minted fresh, is valid for minutes, and its claims are cryptographically bound to the real workload.
# Trust policy on the role the pipeline assumes. The condition pins the token# to ONE repo and ONE branch — a fork or another repo cannot assume it.{"Effect": "Allow","Principal": { "Federated": "arn:aws:iam::222222222222:oidc-provider/token.actions.githubusercontent.com" },"Action": "sts:AssumeRoleWithWebIdentity","Condition": {"StringEquals": { "token.actions.githubusercontent.com:aud": "sts.amazonaws.com" },"StringLike": { "token.actions.githubusercontent.com:sub": "repo:acme/api:ref:refs/heads/main" }}}# The workflow — note there are NO aws-access-key secrets anywhere:permissions:id-token: write # allow the job to request an OIDC tokencontents: readsteps:- uses: aws-actions/configure-aws-credentials@v4with:role-to-assume: arn:aws:iam::222222222222:role/gha-deployaws-region: eu-west-1
The same pattern on every platform
This is not an AWS-only trick. GCP calls it Workload Identity Federation, mapping an external OIDC/SAML identity to a service account with no downloaded key. Azure calls it Workload Identity federation for app registrations. Inside Kubernetes, IRSA (AWS) and Workload Identity (GKE/AKS) project a service-account token that pods exchange for cloud credentials. The mental model is identical everywhere: an attested identity is exchanged for a short-lived credential, and the static key ceases to exist.