Shoot Workload Identity

Configure access to infrastructure accounts via workload identity instead of static credentials


WorkloadIdentity is a resource that lets workloads identify themselves to external systems using identities managed by Gardener. Because a WorkloadIdentity does not itself contain any credentials, Shoots can be created without first exchanging static credentials with Gardener. For this to work, users must establish trust between the external system and the Gardener Workload Identity Issuer in advance. The issuer URL can be read from the Gardener Info ConfigMap.


Tip

Shoots that previously used Secrets for authentication can also be migrated to WorkloadIdentity. Because the credentialsRef field of a CredentialsBinding is immutable, you have to create a new CredentialsBinding that references the WorkloadIdentity and then point the Shoot's .spec.credentialsBindingName field at the newly created CredentialsBinding.
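The migration described in the tip, shown as an added example (not manifests from the original page or from the Gardener project). It assumes an AWS Shoot in a project namespace `garden-demo`; the object names, the audience value, the role ARN and the AWS `providerConfig` fields are illustrative assumptions, and the provider-specific part must be taken from the provider extension documentation. The AWS side must already trust the Gardener Workload Identity Issuer URL (read from the Gardener Info ConfigMap) before the Shoot is reconciled, otherwise the infrastructure calls will be rejected even though the manifests apply cleanly.

```yaml
# Added example: migrating an AWS Shoot from a Secret-backed CredentialsBinding
# to a WorkloadIdentity-backed one. Names, namespace, audience and ARN are assumed.

# 1. The WorkloadIdentity. It carries no credentials. The target system has to
#    trust the Gardener Workload Identity Issuer and map the issued token to the
#    role named below (the providerConfig shape is AWS-specific and assumed here).
apiVersion: security.gardener.cloud/v1alpha1
kind: WorkloadIdentity
metadata:
  name: aws-wi
  namespace: garden-demo
spec:
  audiences:
  - sts.amazonaws.com          # audience expected by the AWS-side trust policy (assumed)
  targetSystem:
    type: aws
    providerConfig:            # provider-specific, see the provider extension docs
      apiVersion: aws.provider.extensions.gardener.cloud/v1alpha1
      kind: WorkloadIdentityConfig
      roleARN: arn:aws:iam::123456789012:role/gardener-shoot   # assumed
---
# 2. A NEW CredentialsBinding. credentialsRef is immutable, so the existing
#    binding that points at a Secret cannot be edited in place; create a fresh one.
apiVersion: security.gardener.cloud/v1alpha1
kind: CredentialsBinding
metadata:
  name: aws-wi-binding
  namespace: garden-demo
provider:
  type: aws
credentialsRef:
  apiVersion: security.gardener.cloud/v1alpha1
  kind: WorkloadIdentity
  name: aws-wi
  namespace: garden-demo
---
# 3. The Shoot, shown as a fragment: only .spec.credentialsBindingName changes,
#    all other Shoot fields stay as they were. A previously set secretBindingName
#    has to be dropped, since a Shoot cannot use both bindings at once (assumed).
apiVersion: core.gardener.cloud/v1beta1
kind: Shoot
metadata:
  name: my-shoot
  namespace: garden-demo
spec:
  credentialsBindingName: aws-wi-binding
  provider:
    type: aws
  # remaining fields unchanged
```

Once the Shoot has reconciled successfully against the new binding, the old Secret-backed CredentialsBinding and its Secret can be deleted, which removes the last copy of the static cloud credentials from the garden cluster.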

As of now, WorkloadIdentity is supported for AWS, Azure and GCP. For a detailed explanation of how to enable the feature, consult the provider extension specific documentation: