Worker identity federation?
(feature request)
Are there any plans to issue identity tokens to workers that can be used to authenticate to services outside of cloudflare?
E.g. when a worker is run, cloudflare issues a jwt token signed by cloudflare, with the subject "worker/<accountid>/<workerid>"
Either have a general jwt with no aud, or allow a jwt binding to a subject, variable set in env
The purpose of this is for workload identity federation, similar to AWS iid, basically every cloud computing platform has its own equivalent.
The most similar thing to what I'm looking for I think is gitlab's runner oidc
https://about.gitlab.com/blog/oidc/
Every runner gets its own jwt tokens, and I can configure my external service to only be accessible to ci jobs from a specific gitlab project, even different access for different branches, the jwk keys are hosted by gitlab, multiple keys with different audiences
With this, I could add the token to a fetch request, and on the other end, I know the request came from code I trust, running on trusted cloudflare infrastructure
Yes it's possible for me to generate my own token in my worker, or generate a long lived token and store it as a secret.
The difference is the worker is making up its own identity, malicious code could lie, or even steal the key and run in an untrusted environment
Also, ideally the token would include things like the git hash and the hash of all files present in the worker code (single hash, of the hashes of every file)
To even allow public attestation of the trustworthiness of a worker that claims to be from a public repo
Include as many useless bits of data about the worker and the node running the worker (obviously nothing sensitive or related to other customers or other workloads) and the code the worker is running and the account owning the worker in the token as you can
There are many use cases for this, and I don't think it can be too hard to make, as I've made similar things in the past, e.g. custom jwt identity for proxmox vms.
Another example of something similar would be k8s tokens injected into each pod