Support Workload Identity Federation for Building Block Runs
in progress
Johannes Rudolph
We have started working on this feature and will be iterating towards a full availability in the coming months.
Our current roadmap (subject to change) involves the following intermediate milestones:
### V1: Runner-based Identity
This milestone will enable scheduling building blocks to a specific runner that has its own workload identity.
- Introduce concept of dedicated runners owned by a specific workspace (via platform builder). Existing runners will become shared runners and you can request dedicated runners via support.
- All building block definitions will be associated with a specific runner
- The OpenTofu runner will support using a runner-level workload identity to authenticate against AWS/Azure/GCP via the official terraform providers
We plan to also offer this approach for private runners hosted on your own infrastructure that have a workload identity provided by their underlying hosting environment (e.g. EC2, Cloud Run etc.).
We expect to ship V1 by end of October.
### V2: Run-based identity
This milestone will enable fine-grained authorization claims for each building block run based on definition owner, workspace etc. This enables securely using shared runners with multiple platform teams and also unlocks advanced authorization scenarios like making decisions based on the workspace owning the building block and the workspace owning the building block definition.
At this moment we expect to tackle V2 by end of 2025.
We are looking for feedback on this plan and are specifically looking for platform teams that would like to work with our team to participate in a private preview of this feature and provide feedback directly to our team.
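As an added illustration of the V1 idea above (not meshStack's code, and independent of how the runner will eventually inject its identity), this is what consuming a runner-level workload identity looks like in the official AWS, Azure and GCP providers: each one exchanges a short-lived OIDC token for cloud credentials, so no static access key ever lives on the runner. The token file path, role ARN, client/tenant/subscription IDs and project name are placeholder assumptions.

```hcl
# Added example: OpenTofu providers configured to use a runner-held workload
# identity (an OIDC token file) instead of static credentials. Every ARN, ID
# and path below is a placeholder assumption, not a meshStack value.

terraform {
  required_providers {
    aws     = { source = "hashicorp/aws" }
    azurerm = { source = "hashicorp/azurerm" }
    google  = { source = "hashicorp/google" }
  }
}

# AWS: the runner's OIDC token is exchanged for temporary STS credentials
# via AssumeRoleWithWebIdentity; the IAM role's trust policy decides which
# issuer/subject may assume it.
provider "aws" {
  region = "eu-central-1"
  assume_role_with_web_identity {
    role_arn                = "arn:aws:iam::123456789012:role/PLACEHOLDER-building-block-role"
    web_identity_token_file = "/var/run/secrets/runner/token" # assumed path
    session_name            = "building-block-run"
  }
}

# Azure: a federated credential on the app registration trusts the runner's
# issuer and subject; the provider presents the token with use_oidc.
provider "azurerm" {
  features {}
  use_oidc             = true
  oidc_token_file_path = "/var/run/secrets/runner/token"        # assumed path
  client_id            = "00000000-0000-0000-0000-000000000000" # placeholder
  tenant_id            = "00000000-0000-0000-0000-000000000000" # placeholder
  subscription_id      = "00000000-0000-0000-0000-000000000000" # placeholder
}

# GCP: Workload Identity Federation is driven by an external_account
# credential file referenced through GOOGLE_APPLICATION_CREDENTIALS that
# points at the same token file; the provider block itself holds no key.
provider "google" {
  project = "placeholder-project"
}
```

The security value comes from the cloud-side trust configuration, so each role or federated credential should pin the token issuer, subject and audience to exactly one runner identity rather than trusting the issuer wholesale.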
Jelle den Burger
We see huge potential in this feature but do not see this happening this year. There is quite some work needed to add support for this to meshStack. We hope we can deliver on it by Q2 next year.