Workload Identity is a secure authentication method for CI/CD pipelines and external services using OpenID Connect (OIDC) tokens, eliminating the need for long-lived credentials. Unlike Service Accounts that require storing API keys as secrets, Workload Identity:
  • Uses short-lived tokens generated per job
  • Validates tokens against your CI/CD platform’s identity provider
  • Restricts access to specific repositories, branches, and workflows
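
An added illustration of the checks listed above, not the product's own code: it evaluates the claims of an OIDC token whose signature is assumed to have been verified already against the identity provider's published keys. The claim names (`repository`, `ref`, `workflow`) follow GitHub Actions OIDC tokens; the policy field names, audience, and repository values are assumptions constructed for the example.

```python
import time

# Constructed trust policy. Field names are hypothetical, not the product's schema.
POLICY = {
    "issuer": "https://token.actions.githubusercontent.com",
    "audience": "https://example.invalid/workload-identity",
    "repository": "example-org/example-repo",
    "allowed_refs": {"refs/heads/main"},
    "allowed_workflows": {"deploy"},
    "max_lifetime": 900,  # seconds; tokens valid for longer are not "short-lived"
}

# Constructed claims, as they would look after signature verification and decoding.
SAMPLE = {
    "iss": "https://token.actions.githubusercontent.com",
    "aud": "https://example.invalid/workload-identity",
    "iat": 1000, "exp": 1300,
    "repository": "example-org/example-repo",
    "ref": "refs/heads/main", "workflow": "deploy",
}

def check_claims(claims, policy, now=None, leeway=30):
    """Return (allowed, reason). Evaluates claims only; the caller must have
    verified the token signature against the issuer's keys beforehand."""
    now = time.time() if now is None else now
    if claims.get("iss") != policy["issuer"]:
        return False, "issuer mismatch"
    aud = claims.get("aud")
    if policy["audience"] not in (aud if isinstance(aud, list) else [aud]):
        return False, "audience mismatch"
    exp, iat = claims.get("exp"), claims.get("iat")
    if not isinstance(exp, (int, float)) or not isinstance(iat, (int, float)):
        return False, "missing exp/iat"
    if now > exp + leeway:
        return False, "token expired"
    if iat > now + leeway:
        return False, "issued in the future"
    if exp - iat > policy["max_lifetime"]:
        return False, "lifetime too long"
    # Exact matches only: prefix or substring matching would also admit
    # similarly named repositories and branches.
    if claims.get("repository") != policy["repository"]:
        return False, "repository not allowed"
    if claims.get("ref") not in policy["allowed_refs"]:
        return False, "ref not allowed"
    if claims.get("workflow") not in policy["allowed_workflows"]:
        return False, "workflow not allowed"
    return True, "ok"
```
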

Workspace vs Project Level

Workload identities can be created at two levels:
  • Workspace level — Has access governed by workspace IAM policies. Suitable for cross-project CI/CD workflows.
  • Project level — Scoped to a single project, following the principle of least privilege. Suitable for project-specific pipelines.

Supported Platforms