HashiCorp Vault 1.15 adopts Microsoft Workload Identity Federation
HashiCorp Vault 1.15 improves security by adopting Microsoft Workload Identity Federation for applications and services in Azure, Google Cloud, and GitHub.
Microsoft’s primary method for managing identities per workload has been Pod identity. However, the company’s Pod identity technology and workflows are being deprecated and will not be supported after December 2023. Microsoft will continue to support identity workflows with its Workload Identity Federation (WIF) product, and support for WIF was released as part of Vault 1.15 to deepen Vault’s integration with Microsoft Azure.
In this post, we’ll take a deeper look at the advantages and caveats of WIF.
» What is Workload Identity Federation (WIF)?
In Azure, workload identities are assigned to software workloads such as an application, service, script, or container so that they can authenticate to and access other services and resources. WIF makes it easier for developers to access Azure resources from applications and services running in Kubernetes or on other cloud providers by removing the need for stored secrets in some scenarios. Developers can configure Azure AD applications and services to trust tokens issued by other identity providers, such as HashiCorp Vault. A token from the trusted provider can then be used to obtain access to the Azure resources those applications are entitled to.
» Identity federation versus secrets
Developers creating applications that require secrets face several questions:
Where to store secrets?
- Many secrets continue to be stored in an insecure manner, checked into repos or shared within collaboration tools. To securely manage secrets, developers need to leverage a vault.
How to mitigate password leakage?
- It’s not enough to store your secrets securely. Secrets should be set to expire so they get rotated regularly.
How to reduce or eliminate service downtime associated with secrets rotation?
- Developers need to leverage a management tool that facilitates secrets rotation while reducing the risk of downtime.
WIF resolves these concerns and removes the burden of secrets management from developers: storing secrets securely and rotating them regularly. The secrets are managed by the Azure platform, simplifying the developer experience. However, workload identities have a few limitations:
- Only 20 federated credentials can be added to an identity. If more than 20 are required, you must use more identities.
- Federated tokens must be signed with RS256.
- Managed workload identities in certain regions do not support federated credentials; see Microsoft’s documentation for the current list.
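To make the trust relationship and the limitations above concrete, here is an added example (not HashiCorp or Microsoft code) that pre-checks a federated token from an external issuer such as Vault against an Azure federated credential definition (issuer, subject, audiences), enforces the RS256 and 20-credential constraints from the post, and builds the client-assertion request used to exchange it at the Azure token endpoint. The issuer and subject values are constructed placeholders; the audience `api://AzureADTokenExchange` is Azure's default exchange audience.

```python
import base64
import json
import time

MAX_FEDERATED_CREDENTIALS = 20                    # per identity, from the post
EXCHANGE_AUDIENCE = "api://AzureADTokenExchange"  # Azure's default exchange audience
CLIENT_ASSERTION_TYPE = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"


def _b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def check_token_against_credential(token: str, cred: dict, now: int) -> list:
    """Return mismatches between a JWT and a federated credential definition
    {issuer, subject, audiences}. Empty list means the claims line up with
    the trust configured in Azure (signature verification is Azure's job)."""
    header_b64, payload_b64, _sig = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    claims = json.loads(_b64url_decode(payload_b64))
    problems = []
    if header.get("alg") != "RS256":          # federated tokens must be RS256
        problems.append("alg must be RS256, got %s" % header.get("alg"))
    if claims.get("iss") != cred["issuer"]:
        problems.append("issuer mismatch")
    if claims.get("sub") != cred["subject"]:
        problems.append("subject mismatch")
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if not set(aud) & set(cred["audiences"]):
        problems.append("audience mismatch")
    if claims.get("exp", 0) <= now:           # expired tokens are rejected
        problems.append("token expired")
    return problems


def within_credential_limit(credentials: list) -> bool:
    """At most 20 federated credentials may be attached to one identity."""
    return len(credentials) <= MAX_FEDERATED_CREDENTIALS


def exchange_request_body(client_id: str, federated_token: str, scope: str) -> dict:
    """Form fields for the client-credentials grant with a JWT client assertion."""
    return {"grant_type": "client_credentials", "client_id": client_id, "scope": scope,
            "client_assertion_type": CLIENT_ASSERTION_TYPE, "client_assertion": federated_token}


def make_unsigned_demo_token(header: dict, claims: dict) -> str:
    """Constructed test token with a placeholder signature; for local checks only."""
    return ".".join([_b64url_encode(json.dumps(header).encode()),
                     _b64url_encode(json.dumps(claims).encode()), "sig"])
```

In a real deployment the token comes signed from the provider Azure was configured to trust, and only the claim-matching step here is something you would run locally before the exchange.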
» Learn more about WIF
Microsoft’s Workload Identity Federation will continue to provide developers with a powerful tool to secure their applications and services. To learn more about workload identities, please visit our developer documentation.