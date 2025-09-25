Version: 18.x

The WorkloadIdentity resource is used to define the structure of an identity credentials that can be issued to workloads and the rules around what workloads it can be issued to.

It supports templating using attributes of the workload, such as the name of the Kubernetes namespace or service account, which allows the WorkloadIdentity resource to be used in a generic way for multiple distinct workloads.

kind: workload_identity version: v1 metadata: name: my-workload labels: example: foo spec: spiffe: id: /foo/bar/{{ join.kubernetes.pod.name }}/{{ join.kubernetes.service_account.name }} hint: An example hint x509: dns_sans: - example.com subject_template: common_name: my-common-name organization: my-organization organizational_unit: my-organizational-unit maximum_ttl: 3600s jwt: extra_claims: message: "Hello, {{strings.upper(user.name)}} !" foo: bar: [ "baz" , 1234 , " {{user.bot_instance_id}} " , true ] maximum_ttl: 300s rules: allow: - conditions: - attribute: join.kubernetes.pod.name eq: value: my-pod - attribute: join.kubernetes.namespace not_eq: value: kube-system

The WorkloadIdentity resource supports templating in certain fields, this allows you to customize elements of the workload identity credential issued to workloads with attested attributes.

For example, you can use templating to insert the name of the Kubernetes namespace and service account into the SPIFFE ID of the workload identity credential:

kind: workload_identity version: v1 metadata: name: my-kubernetes-workload spec: spiffe: id: /k8s/{{ workload.kubernetes.namespace }}/{{ workload.kubernetes.service_account }}

Would result in a SPIFFE ID of spiffe://example.teleport.sh/k8s/default/foo for a workload running in the default namespace with the service account foo .

When an attribute is specified in a template, this value must be present in the attributes of the workload in order for the workload identity credential to be issued. For example, if workload.kubernetes.namespace is used in a template, then a workload that is not running in Kubernetes would not be issued a credential.

The following fields within the WorkloadIdentity resource support templating:

spec.spiffe.id

spec.spiffe.hint

spec.spiffe.x509.dns_sans

spec.spiffe.x509.subject_template.common_name

spec.spiffe.x509.subject_template.organization

spec.spiffe.x509.subject_template.organizational_unit

spec.spiffe.jwt.extra_claims

You can find a full list of the supported attributes on the Attributes reference page.

The WorkloadIdentity resource's fields use Teleport's Predicate Language for templating, allowing you to apply text manipulation functions like strings.lower and regex.replace .

By default, a WorkloadIdentity resource can be used to issue a credential by any User or Bot that holds a role that with workload_identity_labels that match the labels on the WorkloadIdentity resource.

However, you can further restrict the issuance of credentials based on the attributes of the workload using the rules mechanism.

Each rule consists of either a Predicate Language expression or a set of conditions. When using the conditions form, all conditions within that rule must pass in order for the rule to be considered a pass. If you specify multiple rules, then at least one rule must pass in order for the WorkloadIdentity to be allowed to be issued.

For example, to restrict the issuance of a credential to only workloads running in the default namespace with the service account foo :

kind: workload_identity version: v1 metadata: name: rules-example spec: spiffe: id: /my-awesome-workload rules: allow: - expression: workload.kubernetes.namespace == "default" && workload.kubernetes.service_account == "foo"

Here's the same rule expressed using the conditions form:

kind: workload_identity version: v1 metadata: name: rules-example spec: spiffe: id: /my-awesome-workload rules: allow: - conditions: - attribute: workload.kubernetes.namespace eq: value: default - attribute: workload.kubernetes.service_account eq: value: foo

eq (equals) checks that the specified attribute equals the specified value:

kind: workload_identity version: v1 metadata: name: rules-example spec: spiffe: id: /my-awesome-workload rules: allow: - conditions: - attribute: workload.kubernetes.namespace eq: value: default

not_eq (not equals) checks that the specified attribute does not equal the specified value:

kind: workload_identity version: v1 metadata: name: rules-example spec: spiffe: id: /my-awesome-workload rules: allow: - conditions: - attribute: workload.kubernetes.namespace not_eq: value: default

in (includes) checks that the specified attribute equals one of the specified values:

kind: workload_identity version: v1 metadata: name: rules-example spec: spiffe: id: /my-awesome-workload rules: allow: - conditions: - attribute: workload.kubernetes.namespace in: values: [ default , kube-system ]

not_in (not includes) checks that the specified attribute does not equal any of the specified values:

kind: workload_identity version: v1 metadata: name: rules-example spec: spiffe: id: /my-awesome-workload rules: allow: - conditions: - attribute: workload.kubernetes.namespace not_in: values: [ foo , bar ]

When using the conditions form and comparing attributes which are not strings (e.g. a boolean or number), the attribute values will be converted to a string representation.

When using the Predicate Language, the attribute values will be compared as-is.

In addition to the YAML representation which can be managed with tctl , the WorkloadIdentity resource can also be managed using Infrastructure as Code tools.

