Managing workload identities
A workload identity provides a secure, auditable identity for automated processes, applications, or scripts. This identity is paired with a workload policy to define what it can access, its permissions, and for how long. This granular approach ensures that access is aligned with the workload’s requirements and operational context.
After you create a workload identity and a corresponding policy, onboard the workload. The workload uses its assigned identity to fetch temporary credentials, allowing it to access resources in cloud accounts with the permissions and time frame defined in the associated policy.
This topic walks you through the complete process of creating an identity, defining a policy, and onboarding your workload. Learn more about managing existing workloads in Managing existing workload identities and policies.
Creating a workload identity
First, you need to create the identity that your application or script will use:
- In the PingOne Privilege admin console, go to Workloads. Click Add New.
- Select the cloud accounts you want the workload to be able to access. The options vary by cloud provider:
  - Amazon Web Services (AWS): Select one or more AWS accounts.
  - Google Cloud Platform (GCP): Select one or more GCP projects.
  - Azure: Define the API scope by selecting the appropriate endpoint URL:
    - Select https://graph.microsoft.com to access Azure resources.
    - Select https://management.azure.com to manage Azure AD roles.
- Click Create to save the workload identity.

Note: After creating a workload identity, you must create a workload policy to grant it access to specific resources. Without a policy, the identity can't access anything.
Creating a workload policy
A workload policy defines the specific access rights for a workload identity. Each policy specifies the cloud resources a workload can access, the IAM roles granted, and the time frame during which the permissions are valid.
Follow these steps to create a policy that grants a workload access to resources within a specific cloud account.
- In the PingOne Privilege admin console, go to Directory > Workloads.
- Select the workload identity for which you want to create a policy.
- In the Workload Information view, find the target cloud account. Click Add Policy.
- In the resource selection view, add resources to the policy request queue:
  - Use the Resource Type filter or the search bar to find the resources you want to add.
  - Click a specific resource to manage its permissions.
  - Search for the desired identity and access management (IAM) role and click Add to assign it to the resource.
  - Add more roles to the resource as needed.
  - Click Add to Request Queue.
  - Repeat these steps to add more resources from the same cloud account to the queue.
- After you have added all necessary resources, click Continue.
- In the policy finalization form:
  - Enter a descriptive Policy Name.
  - Define the access duration by setting the Start Time and End Time.
  - Add any relevant comments.
- Click Submit to create the policy.
If a workload is associated with multiple cloud accounts, you must create a separate policy for each account.
Onboarding a workload
After creating the identity and policy, configure your workload to use them. The process involves configuring the workload to use an API key, fetching and decoding a temporary token, and then using the credentials from that token.
Configuring the workload to use an API key
Modify the workload to fetch short-lived credentials using its assigned API key and secret:
- In the PingOne Privilege admin console, go to Workloads and select the target workload.
- Copy the API key and secret associated with the workload.
- Update the workload's code or configuration to use the PingOne Privilege API endpoint, either through scripting automation or through a configurable plugin.
Fetching and decoding the access token
The workload uses its API key to get a temporary access token from PingOne Privilege. This token contains the short-lived cloud credentials.
Fetching the token
To fetch a temporary access token, submit a GET request to the following URL:
https://app.proxyon.cloud/pubapi/<tenant_name>/v1/workloadtokens/<namespace>/<workload_identity_name>
The request must include an Authorization header with the API key as the Bearer token.
Access tokens are valid for 60 minutes. The workload should renew the token by calling the GET API again before it expires.
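The request and renewal schedule described above, as an added example that is not part of the PingOne Privilege documentation or SDK: it builds the token URL from the tenant, namespace and workload identity name, sends the API key as a Bearer token, and re-fetches the token five minutes before the 60-minute validity ends. The tenant and workload names are placeholders, the five-minute margin is an assumption, and the response body is returned as-is because the page does not specify the token's encoding.

```python
import time
import urllib.request
from urllib.parse import quote

BASE_URL = "https://app.proxyon.cloud/pubapi"
TOKEN_TTL_SECONDS = 60 * 60      # validity stated in the documentation
RENEW_MARGIN_SECONDS = 5 * 60    # assumption: renew 5 minutes before expiry


def build_token_url(tenant: str, namespace: str, workload: str) -> str:
    """Build <BASE_URL>/<tenant_name>/v1/workloadtokens/<namespace>/<workload_identity_name>.
    Each segment is percent-encoded so a name containing '/' cannot change the path."""
    t, ns, w = (quote(s, safe="") for s in (tenant, namespace, workload))
    return f"{BASE_URL}/{t}/v1/workloadtokens/{ns}/{w}"


def auth_headers(api_key: str) -> dict:
    """The API key travels as the Bearer token of the Authorization header."""
    return {"Authorization": f"Bearer {api_key}", "Accept": "application/json"}


def needs_renewal(fetched_at: float, now: float) -> bool:
    """True once the token is within RENEW_MARGIN_SECONDS of its 60-minute expiry."""
    return now - fetched_at >= TOKEN_TTL_SECONDS - RENEW_MARGIN_SECONDS


class TokenCache:
    """Holds one token and re-fetches it only when needs_renewal() says so.
    `opener` and `clock` are injectable so the class can run without network access."""

    def __init__(self, url, api_key, opener=urllib.request.urlopen, clock=time.time):
        self.url, self._api_key = url, api_key
        self._open, self._clock = opener, clock
        self._token, self._fetched_at = None, 0.0

    def _fetch(self) -> str:
        # GET with the Bearer header; the API key itself is never logged or printed.
        req = urllib.request.Request(self.url, headers=auth_headers(self._api_key))
        with self._open(req, timeout=10) as resp:
            return resp.read().decode("utf-8")

    def get(self) -> str:
        now = self._clock()
        if self._token is None or needs_renewal(self._fetched_at, now):
            self._token, self._fetched_at = self._fetch(), now
        return self._token
```

In a real workload, construct `TokenCache(build_token_url("<tenant_name>", "<namespace>", "<workload_identity_name>"), api_key)` once and call `get()` before each use, so renewal happens automatically.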
Accessing cloud provider APIs
After the token is decoded, the workload can use the extracted credentials to access cloud provider APIs. The format of the credentials varies by provider.
Amazon Web Services (AWS)
The decoded token provides an Access Key ID, Access Secret, and Session Token. Use these credentials with the AWS CLI or SDK.
aws configure set aws_access_key_id <access_key>
aws configure set aws_secret_access_key <secret_key>
aws configure set aws_session_token <session_token>
Managing existing workload identities and policies
Viewing a workload policy
- In the PingOne Privilege admin console, go to Directory > Workloads.
- Select the desired workload.
- Click the Access Policy tab.
- The policy view displays an access graph with the following details:
  - The workload name.
  - The cloud accounts associated with the workload.
  - The IAM roles granting access within each account.
  - The specific resources the workload can access.
Deleting a workload policy
- In the PingOne Privilege admin console, go to Access Management > Policies.
- Find and select the workload policy you want to remove from the list.
- Click Delete. Confirm the action.
Deleting a workload identity
Warning: Deleting a workload identity is an irrevocable action. All access for the workload is immediately terminated.

- In the PingOne Privilege admin console, go to Directory > Workloads.
- Find and select the workload identity you want to remove.
- Click Delete and confirm the action.