Overview

Workspace vs Project Level
Supported Platforms

Workload Identity is a secure authentication method for CI/CD pipelines and external services using OpenID Connect (OIDC) tokens, eliminating the need for long-lived credentials. Unlike Service Accounts that require storing API keys as secrets, Workload Identity:

Uses short-lived tokens generated per job
Validates tokens against your CI/CD platform’s identity provider
Restricts access to specific repositories, branches, and workflows

Workspace vs Project Level

Workload identities can be created at two levels:

Workspace level — Has access governed by workspace IAM policies. Suitable for cross-project CI/CD workflows.
Project level — Scoped to a single project, following the principle of least privilege. Suitable for project-specific pipelines.

Supported Platforms

GitHub Actions

Configure OIDC authentication for GitHub Actions workflows

GitLab CI/CD

Configure OIDC authentication for GitLab CI/CD pipelines

Service Account Workload Identity for GitHub Actions

⌘I

Security

General

Workspace vs Project Level

Supported Platforms

GitHub Actions

GitLab CI/CD

Security

General

​Workspace vs Project Level

​Supported Platforms

GitHub Actions

GitLab CI/CD

Workspace vs Project Level

Supported Platforms