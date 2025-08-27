Version: 19.x (unreleased)

Machine & Workload Identity Use Cases

Machine & Workload Identity can work together to create a comprehensive security model. Machines can securely access resources while workloads communicate securely with each other and external services, all managed through Teleport's infrastructure identity platform.

For example, a CI/CD pipeline deploys services to Kubernetes and establishes secure communication channels between them: the pipeline authenticates through the Teleport Proxy Service to deploy to Kubernetes, and it receives short-lived credentials to interact with cloud APIs (e.g., to push container images) instead of holding long-lived cloud keys.

These examples illustrate how Machine & Workload Identity enables secure, scalable API access for cloud-native applications running in Kubernetes:

Monitoring and observability exporters: Custom exporters or telemetry agents in the cluster send metrics and traces to platforms like Datadog, New Relic, or Grafana Cloud. Machine & Workload Identity replaces static API keys with short-lived credentials tied to the exporter's identity, improving security and auditability.

Data processing pipelines: A Kubernetes-based ETL application pulls data from external sources like AWS S3, processes it, and pushes results to third-party analytics or storage platforms. Each workload uses a SPIFFE identity to authenticate securely via JWT or mTLS, eliminating static credentials.

Customer support automation: A Kubernetes-based support app consumes internal service data and interacts with systems like Zendesk or Salesforce. Machine ID uses short-lived certificates to ensure API calls originate only from authorized workloads, enabling fine-grained access control and complete auditability.

A Zero Trust strategy is applied across workloads and automation:

Automation scripts authenticate through the Teleport Proxy Service to perform infrastructure tasks

Workloads authenticate using short-lived, cryptographically verifiable identities

Security teams use Teleport's unified audit logs to trace all identity activity

Communication is zero-trust and identity-based, with no shared secrets: the short-lived credentials are rotated automatically without human involvement.

Instead of managing static credentials (e.g., API keys, database passwords), workloads authenticate using short-lived X.509 certificates or JWTs that follow the SPIFFE standard (X.509-SVIDs and JWT-SVIDs), so they interoperate with SPIRE and other SPIFFE-aware systems. The service receiving such a credential still has to do its part: verify the certificate chain or JWT signature against the trust bundle, enforce the expiry, and check that the SPIFFE ID carried in the credential belongs to a workload that is actually allowed to call it.
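The checks a receiving service performs on an X.509-SVID, as an added example written for this page rather than code from Teleport or its documentation. It uses only the Go standard library and mints its own throwaway CA and SVIDs in-process so it runs offline; the trust domain example.com, the workload paths /etl/pipeline and /support/bot, the one-hour TTL and the function names are all hypothetical. The verifier chains the certificate to the trust bundle at the supplied time, requires exactly one spiffe:// URI SAN, and then applies policy to the trust domain and workload path, so it demonstrates the failure modes a short-lived, identity-based credential is meant to catch: an SVID presented after its TTL, an ID from a foreign trust domain, and a valid ID for a workload the policy does not list.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

// VerifySVID checks a peer's X.509 SVID the way a service behind mTLS should:
// it must chain to the trust bundle and be valid at now (a short TTL only helps
// if the verifier checks it), carry exactly one spiffe:// URI SAN in the trusted
// domain, and name a workload path that policy allows. Returns the SPIFFE ID.
func VerifySVID(leaf *x509.Certificate, bundle *x509.CertPool, trustDomain string,
	allowed map[string]bool, now time.Time) (string, error) {
	opts := x509.VerifyOptions{Roots: bundle, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := leaf.Verify(opts); err != nil {
		return "", fmt.Errorf("chain verification failed: %w", err)
	}
	if len(leaf.URIs) != 1 {
		return "", fmt.Errorf("expected exactly one URI SAN, got %d", len(leaf.URIs))
	}
	id := leaf.URIs[0]
	if id.Scheme != "spiffe" || id.Host != trustDomain {
		return "", fmt.Errorf("%s is not an ID in trust domain %q", id.String(), trustDomain)
	}
	if !allowed[id.Path] {
		return "", fmt.Errorf("workload %s is not authorized by policy", id.String())
	}
	return id.String(), nil
}

// The helpers below build a throwaway CA and SVIDs so the demo runs offline. They
// reproduce the shape of an SVID (spiffe:// URI SAN, short validity), not the
// issuance logic of Teleport or any other identity platform.
var serial int64 // demo-only serial source; a real CA uses random serials

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// mint signs tmpl with signer; a nil parent means self-signed with a fresh key.
func mint(tmpl, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, key
}

func newCA(now time.Time) (*x509.Certificate, *ecdsa.PrivateKey) {
	serial++
	return mint(&x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: "demo workload CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}, nil, nil)
}

func issueSVID(ca *x509.Certificate, caKey *ecdsa.PrivateKey, trustDomain, path string, now time.Time, ttl time.Duration) *x509.Certificate {
	serial++
	cert, _ := mint(&x509.Certificate{ // subject left empty: the URI SAN carries the identity
		SerialNumber: big.NewInt(serial), NotBefore: now, NotAfter: now.Add(ttl),
		URIs:         []*url.URL{{Scheme: "spiffe", Host: trustDomain, Path: path}},
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth},
	}, ca, caKey) // the workload's own private key is not needed for this demo
	return cert
}

// Scenarios runs the verifier over an authorized workload, the same SVID presented
// two hours past its one-hour TTL, a workload from a foreign trust domain (signed by
// the same demo CA so only the ID check differs), and an unlisted workload path.
// A nil error means the SVID was accepted and ids holds its SPIFFE ID.
func Scenarios() (ids map[string]string, errs map[string]error) {
	now := time.Now()
	ca, caKey := newCA(now)
	bundle := x509.NewCertPool()
	bundle.AddCert(ca)
	allowed := map[string]bool{"/etl/pipeline": true} // hypothetical policy
	etl := issueSVID(ca, caKey, "example.com", "/etl/pipeline", now, time.Hour)
	foreign := issueSVID(ca, caKey, "other.example", "/etl/pipeline", now, time.Hour)
	support := issueSVID(ca, caKey, "example.com", "/support/bot", now, time.Hour)
	ids, errs = map[string]string{}, map[string]error{}
	ids["authorized workload"], errs["authorized workload"] = VerifySVID(etl, bundle, "example.com", allowed, now)
	ids["same SVID two hours later"], errs["same SVID two hours later"] = VerifySVID(etl, bundle, "example.com", allowed, now.Add(2*time.Hour))
	ids["foreign trust domain"], errs["foreign trust domain"] = VerifySVID(foreign, bundle, "example.com", allowed, now)
	ids["unlisted workload path"], errs["unlisted workload path"] = VerifySVID(support, bundle, "example.com", allowed, now)
	return ids, errs
}

func main() { fmt.Println(Scenarios()) }
```

Only the first scenario is accepted; the other three are rejected for different reasons (expiry, wrong trust domain, workload not in policy), which is the point of pairing short-lived credentials with a verifier that actually checks them. In production the trust bundle and allowed workload list come from the identity platform and the service's authorization policy rather than being minted in-process, and a real verifier would also check revocation or federation rules where they apply.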