Workload Identity Capability
Purpose: Define how services authenticate to GCP without static keys.
Why this capability exists
Workload Identity is described in both manifests and infrastructure docs. This page becomes the canonical contract and decision point.
Capability contract
Platform is responsible for:
- Creating and managing GSAs and IAM roles
- Creating KSA to GSA bindings
- Publishing naming and permission standards
Application teams are responsible for:
- Using the correct KSA in workload specs
- Requesting least-privilege access only
- Validating runtime access with explicit checks
Implementation flow
- Define required GCP permissions by use case
- Create or reuse target GSA
- Bind KSA to GSA
- Annotate workload to use KSA
- Verify token exchange and real API access
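The last step of the flow and the application-team duty to validate runtime access with explicit checks can be one start-up self-check. This is an added example, not code from the manifests or infrastructure repos: it assumes the GKE metadata server hostname and treats an identity mismatch or a refused token as the "missing annotation" and "missing binding" failure modes from the checklist, which is a heuristic reading of those symptoms.

```python
# Start-up self-check for GKE Workload Identity (added example, not project code).
# Assumes the GKE metadata server hostname below; `get` is injectable so the check
# can be exercised offline with constructed responses.
import json
import urllib.error
import urllib.request

METADATA = "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default"
EMAIL_URL = METADATA + "/email"
TOKEN_URL = METADATA + "/token"


def http_get(url, headers):
    """Real fetcher. The metadata server rejects requests without Metadata-Flavor."""
    req = urllib.request.Request(url, headers={"Metadata-Flavor": "Google", **headers})
    try:
        with urllib.request.urlopen(req, timeout=2) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode()
    except urllib.error.URLError as e:
        return 0, str(e.reason)


def check_workload_identity(expected_gsa, probe_url=None, get=http_get):
    """Return (ok, diagnosis). Failures map to the checklist's failure modes:
    identity mismatch -> KSA annotation missing or wrong (heuristic);
    token refused     -> roles/iam.workloadIdentityUser binding missing (heuristic);
    probe 403         -> GSA lacks the IAM role for that API."""
    status, email = get(EMAIL_URL, {})
    if status != 200:
        return False, f"metadata server unreachable or refused ({status})"
    email = email.strip()
    if email != expected_gsa:
        return False, (f"pod identity is {email!r}, expected {expected_gsa!r}: "
                       "check the iam.gke.io/gcp-service-account annotation on the KSA")
    status, body = get(TOKEN_URL, {})
    if status != 200:
        return False, (f"token exchange failed ({status}): {body.strip()[:100]}; "
                       "check the KSA-to-GSA workloadIdentityUser binding on the GSA")
    token = json.loads(body).get("access_token")
    if not token:
        return False, "token response carried no access_token"
    if probe_url:  # a real API call is the only proof the IAM role is actually granted
        status, _ = get(probe_url, {"Authorization": f"Bearer {token}"})
        if status != 200:
            hint = ": GSA lacks the required role" if status == 403 else ""
            return False, f"API probe {probe_url} returned {status}{hint}"
    return True, f"running as {email}" + (f", probe {probe_url} ok" if probe_url else "")
```

Run it inside the pod with the GSA the KSA is expected to map to and, optionally, a URL of a GCP API the GSA should be able to read; a failing check then names which of the three failure modes to chase.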
Source starting points
- iot-manifests/docs/concepts/workload-identity.md
- iot-manifests/docs/reference/security.md
- iot-infrastructure/docs/concepts/iam-and-workload-identity.md
- iot-infrastructure/docs/reference/infrastructure/service-accounts.md
Definition of done checklist
- [ ] No static service account key file in repo or image
- [ ] KSA to GSA mapping documented
- [ ] IAM roles scoped to least privilege
- [ ] Verification commands documented
- [ ] Failure modes documented (403, missing annotation, missing binding)