Workload identity
Give a component a platform-issued identity and it can authenticate to AWS, GCP, Vault, and each other with short-lived tokens — no cloud keys or shared secrets stored anywhere.
What it is
Opt a component into workload identity and High becomes an OIDC issuer for it. The agent delivers a short-lived, automatically-rotated token as a file inside the container. Because the token is a standard OIDC JWT signed by High and verifiable against a public key set, external systems that trust the High issuer will accept it — so your workload assumes an AWS role, reads a GCP secret, or logs into Vault without any long-lived credential shipped in your config, image, or environment.
The token's subject identifies the exact workload:
spiffe://<your-hub-domain>/<org>/<project>/<stage>/<component>
so you write access policies against a stable, hierarchical identity.
Opt in
Add an identity block to the component and list the audiences the token is for (the external system that will verify it):
components:
worker:
image: ...
identity:
audiences: ["sts.amazonaws.com"]
On the next deploy the agent injects these environment variables:
| Variable | Value |
|---|---|
HIGH_IDENTITY_TOKEN_FILE |
path to the token file (read it fresh each time — it rotates) |
HIGH_IDENTITY_ISSUER |
the High issuer URL |
HIGH_IDENTITY_SUBJECT |
this workload's SPIFFE subject |
HIGH_IDENTITY_AUDIENCE |
the audiences you configured |
Read the token from HIGH_IDENTITY_TOKEN_FILE on each use, not once at startup — it is refreshed in place well before it expires, and a fresh read always gives a valid token.
Federate to a cloud (example: AWS)
Register the High issuer once as an OIDC identity provider, then let a role trust your workload's subject.
```
Provider URL: https://<your-hub-domain>
Audience: sts.amazonaws.com
``````json
{
"Effect": "Allow",
"Principal": { "Federated": "arn:aws:iam::<acct>:oidc-provider/<your-hub-domain>" },
"Action": "sts:AssumeRoleWithWebIdentity",
"Condition": {
"StringEquals": {
"<your-hub-domain>:aud": "sts.amazonaws.com",
"<your-hub-domain>:sub": "spiffe://<your-hub-domain>/<org>/<project>/<stage>/<component>"
}
}
}
```The same pattern works for GCP Workload Identity Federation, Azure federated credentials, HashiCorp Vault (JWT auth method, bound_audiences + bound_subject), and MinIO/S3 STS — each just needs the issuer URL and the subject to match.
How it stays safe
- Short-lived. Tokens live about an hour and rotate automatically; a leaked token ages out on its own.
- Placement-gated. High mints a token only for a workload that is actually deployed on the requesting node — a node can't obtain another workload's identity.
- Undeploy revokes. Removing the stage stops the refresh; outstanding tokens expire within the hour.
- No stored secrets. There is no cloud key to leak — the trust is the signature and the short lifetime.
The one thing to treat as a stable contract is your hub domain: it is the token issuer, so changing it invalidates the trust you configured in external systems.