Highdocs
Deploy/Workload identity

Workload identity

Give a component a platform-issued identity and it can authenticate to AWS, GCP, Vault, and each other with short-lived tokens — no cloud keys or shared secrets stored anywhere.

What it is

Opt a component into workload identity and High becomes an OIDC issuer for it. The agent delivers a short-lived, automatically-rotated token as a file inside the container. Because the token is a standard OIDC JWT signed by High and verifiable against a public key set, external systems that trust the High issuer will accept it — so your workload assumes an AWS role, reads a GCP secret, or logs into Vault without any long-lived credential shipped in your config, image, or environment.

The token's subject identifies the exact workload:

spiffe://<your-hub-domain>/<org>/<project>/<stage>/<component>

so you write access policies against a stable, hierarchical identity.

Opt in

Add an identity block to the component and list the audiences the token is for (the external system that will verify it):

components:
  worker:
    image: ...
    identity:
      audiences: ["sts.amazonaws.com"]

On the next deploy the agent injects these environment variables:

Variable Value
HIGH_IDENTITY_TOKEN_FILE path to the token file (read it fresh each time — it rotates)
HIGH_IDENTITY_ISSUER the High issuer URL
HIGH_IDENTITY_SUBJECT this workload's SPIFFE subject
HIGH_IDENTITY_AUDIENCE the audiences you configured

Read the token from HIGH_IDENTITY_TOKEN_FILE on each use, not once at startup — it is refreshed in place well before it expires, and a fresh read always gives a valid token.

Federate to a cloud (example: AWS)

Register the High issuer once as an OIDC identity provider, then let a role trust your workload's subject.

```
Provider URL: https://<your-hub-domain>
Audience:     sts.amazonaws.com
```
```json
{
  "Effect": "Allow",
  "Principal": { "Federated": "arn:aws:iam::<acct>:oidc-provider/<your-hub-domain>" },
  "Action": "sts:AssumeRoleWithWebIdentity",
  "Condition": {
    "StringEquals": {
      "<your-hub-domain>:aud": "sts.amazonaws.com",
      "<your-hub-domain>:sub": "spiffe://<your-hub-domain>/<org>/<project>/<stage>/<component>"
    }
  }
}
```

The same pattern works for GCP Workload Identity Federation, Azure federated credentials, HashiCorp Vault (JWT auth method, bound_audiences + bound_subject), and MinIO/S3 STS — each just needs the issuer URL and the subject to match.

How it stays safe

  • Short-lived. Tokens live about an hour and rotate automatically; a leaked token ages out on its own.
  • Placement-gated. High mints a token only for a workload that is actually deployed on the requesting node — a node can't obtain another workload's identity.
  • Undeploy revokes. Removing the stage stops the refresh; outstanding tokens expire within the hour.
  • No stored secrets. There is no cloud key to leak — the trust is the signature and the short lifetime.

The one thing to treat as a stable contract is your hub domain: it is the token issuer, so changing it invalidates the trust you configured in external systems.