(feature request) Are there any plans to issue identity tokens to Workers that can be used to authenticate to services outside of Cloudflare? E.g. when a Worker is run, Cloudflare issues a JWT signed by Cloudflare, with the subject "worker/<accountid>/<workerid>". Either have a general JWT with no aud, or allow a JWT binding to a subject, variable set in env.
The purpose of this is workload identity federation, similar to the AWS IID; basically every cloud computing platform has its own equivalent.
The most similar thing to what I'm looking for, I think, is GitLab's runner OIDC: https://about.gitlab.com/blog/oidc/ Every runner gets its own JWT tokens, and I can configure my external service to only be accessible to CI jobs from a specific GitLab project, even with different access for different branches. The JWK keys are hosted by GitLab, multiple keys with different audiences.
With this, I could add the token to a fetch request, and on the other end I know the request came from code I trust, running on trusted Cloudflare infrastructure.
Yes, it's possible for me to generate my own token in my Worker, or generate a long-lived token and store it as a secret. The difference is that the Worker is making up its own identity: malicious code could lie, or even steal the key and run in an untrusted environment.