Workload Identity is a secure authentication method for CI/CD pipelines and external services using OpenID Connect (OIDC) tokens, eliminating the need for long-lived credentials. Unlike Service Accounts that require storing API keys as secrets, Workload Identity:Documentation Index
Fetch the complete documentation index at: https://docs.bytebase.com/llms.txt
Use this file to discover all available pages before exploring further.
- Uses short-lived tokens generated per job
- Validates tokens against your CI/CD platform’s identity provider
- Restricts access to specific repositories, branches, and workflows
Workspace vs Project Level
Workload identities can be created at two levels:- Workspace level — Has access governed by workspace IAM policies. Suitable for cross-project CI/CD workflows.
- Project level — Scoped to a single project, following the principle of least privilege. Suitable for project-specific pipelines.
Supported Platforms
GitHub Actions
Configure OIDC authentication for GitHub Actions workflows
GitLab CI/CD
Configure OIDC authentication for GitLab CI/CD pipelines