Workflow Execution Tokens (Identity)

The idea is:

Each workflow execution has an environment variable containing a signed token (similar to how GitLab and GitHub jobs work) so that a workflow can be cryptographically identified via that token. This would allow authentication to external systems based on a managed identity instead of requiring user or service account identities to be wired up. Since the metadata already exists and is exposed, it would be relatively simple to include this variable in each workflow execution.

My use case:

Similar to GitLab and GitHub job tokens, I would utilize the identity token of a workflow for authentication and authorization to systems and APIs. It would remove the need to manually manage identities in an external system per workflow.

In my organization, we try to move as much as possible to non-human identities and to utilize those identities for authentication and authorization. With this, we can provision managed workflows for our users, assign permission for them to own that workflow, and ensure that the workflow identity can be used to grant permission on our various platforms and systems (usually through an identity proxy, which would convert the workflow token to a universally used auth mechanism, in our case certificates).

I think it would be beneficial to add this because:

It would adhere to a common identity pattern that similar pipeline/workflow systems follow.

Any resources to support this?

GitHub Workflow Tokens: Use GITHUB_TOKEN for authentication in workflows - GitHub Docs
GitLab Job Tokens: GitLab CI/CD job token | GitLab Docs

Are you willing to work on this?

I’d be willing to converse on the topic, but backend JavaScript isn’t my domain. It should be a simple enough feature though: a signed JWT with already available metadata, a public key for distribution and verification, a private key for signing, an endpoint for checking workflow status (running vs ended, so as to reject tokens from completed workflows), and maybe a configuration for rotating said public/private keys after n number of days.