Workload Identity and Federation: Authentication without using Service Account Keys


Traditional approaches to cloud authentication often rely on static, long-lived service account keys. This practice poses significant security risks due to potential key leakage and the inherent difficulty of securely distributing and rotating those secrets. Workload Identity offers a better solution by dynamically associating strong identities with specific workloads (VMs, containers, or serverless) and automatically managing short-lived credentials. Combined with Identity Federation (BYO-ID), it lets you extend authorization policies across hybrid and multi-cloud deployments using your existing cloud-native identity providers.
This talk will walk through the fundamentals of Cloud Security and OpenID Connect, Workload Identity and Federation, and best practices for configuring cross-cloud IAM. Most of the material is oriented around Google Cloud and GKE, but some details on other cloud providers or services will also be included.
Bio:
Greg Bray is a Customer Engineer at Google Cloud, specializing in designing GKE, Service Mesh, and Serverless deployments. Previously Greg worked as an SRE at Reddit, Walmart Labs, and Stack Overflow.
