Workload identity federation is generally available

Today, we're excited to announce that workload identity federation is generally available. Since launching in beta last fall, we've expanded support across the Tailscale platform, including API and Terraform support for managing federated identities, automatic cloud token exchange, tsnet integration, and beta support for the Kubernetes operator.

Together, these updates make it easier to authenticate infrastructure workloads, including CI systems, cloud services, and Kubernetes clusters, without relying on long-lived, hard-coded secrets.

If you're new to workload identity federation, it allows CI/CD pipelines and cloud workloads to authenticate to Tailscale using their cloud provider's federated OpenID Connect (OIDC) identities instead of static API keys, auth keys, or OAuth clients. Rather than relying on long-lived secrets that are difficult to manage and scale, workloads authenticate using signed, short-lived tokens issued by the cloud provider's identity system.

Secure automation at scale

The Tailscale API now supports creating, reading, updating, and deleting federated identities.
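The mechanism the announcement relies on is that the relying party verifies a short-lived, signed OIDC token against a configured trust relationship instead of comparing a stored secret. The Go program below is an added example written for this page; it is not Tailscale's code and does not model Tailscale's API or federated-identity schema. It plays both sides: a stand-in for the cloud provider's issuer mints an ES256 JWT, and a verifier checks the signature against the issuer's key, then issuer, audience, expiry, and subject prefix against a policy, rejecting the token before any claim is trusted if any check fails. The `TrustPolicy` type, the `NewIssuerKey`, `IssueToken` and `VerifyToken` functions, the issuer URL, the audience string and the `repo:...` subject format are all assumptions invented here. A production verifier would fetch the issuer's keys from its published JWKS document and accept `aud` as either a string or a list.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// TrustPolicy models one federated trust relationship: accepted issuer, required audience, allowed subject prefix.
type TrustPolicy struct {
	Issuer        string
	Audience      string
	SubjectPrefix string
}

type Claims struct {
	Iss string `json:"iss"`
	Sub string `json:"sub"`
	Aud string `json:"aud"` // kept as one string here; real tokens may carry a list
	Exp int64  `json:"exp"`
}

var b64 = base64.RawURLEncoding

// NewIssuerKey creates the issuer's signing key (held by the cloud provider in practice).
func NewIssuerKey() *ecdsa.PrivateKey {
	k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return k
}

// IssueToken stands in for the cloud provider's OIDC issuer: it mints a
// short-lived ES256 JWT for the workload identified by sub.
func IssueToken(priv *ecdsa.PrivateKey, iss, sub, aud string, now time.Time, ttl time.Duration) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "ES256", "typ": "JWT"})
	payload, _ := json.Marshal(Claims{Iss: iss, Sub: sub, Aud: aud, Exp: now.Add(ttl).Unix()})
	signingInput := b64.EncodeToString(header) + "." + b64.EncodeToString(payload)
	digest := sha256.Sum256([]byte(signingInput))
	r, s, err := ecdsa.Sign(rand.Reader, priv, digest[:])
	if err != nil {
		return "", err
	}
	sig := append(r.FillBytes(make([]byte, 32)), s.FillBytes(make([]byte, 32))...) // JWS ES256: raw R||S, not DER
	return signingInput + "." + b64.EncodeToString(sig), nil
}

// VerifyToken is the relying party's side: check the signature with the issuer's
// key, then enforce issuer, audience, expiry and subject before trusting any claim.
func VerifyToken(tok string, pub *ecdsa.PublicKey, policy TrustPolicy, now time.Time) (*Claims, error) {
	parts := strings.Split(tok, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("malformed token")
	}
	h, errH := b64.DecodeString(parts[0])
	p, errP := b64.DecodeString(parts[1])
	sig, errS := b64.DecodeString(parts[2])
	if errH != nil || errP != nil || errS != nil || len(sig) != 64 {
		return nil, fmt.Errorf("bad token encoding")
	}
	var hdr struct{ Alg string `json:"alg"` }
	if json.Unmarshal(h, &hdr) != nil || hdr.Alg != "ES256" {
		return nil, fmt.Errorf("unsupported alg") // rejects alg=none and key-type confusion
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	r, s := new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])
	if !ecdsa.Verify(pub, digest[:], r, s) {
		return nil, fmt.Errorf("signature invalid")
	}
	var c Claims
	if err := json.Unmarshal(p, &c); err != nil {
		return nil, err
	}
	if c.Iss != policy.Issuer || c.Aud != policy.Audience {
		return nil, fmt.Errorf("issuer %q / audience %q not trusted", c.Iss, c.Aud)
	}
	if now.Unix() >= c.Exp {
		return nil, fmt.Errorf("token expired")
	}
	if !strings.HasPrefix(c.Sub, policy.SubjectPrefix) {
		return nil, fmt.Errorf("subject %q not covered by policy", c.Sub)
	}
	return &c, nil
}

func main() {
	priv, now := NewIssuerKey(), time.Now()
	policy := TrustPolicy{Issuer: "https://issuer.example", Audience: "example-audience", SubjectPrefix: "repo:acme/infra:"} // hypothetical values
	tok, _ := IssueToken(priv, policy.Issuer, "repo:acme/infra:ref:refs/heads/main", policy.Audience, now, 5*time.Minute)
	_, fresh := VerifyToken(tok, &priv.PublicKey, policy, now)
	_, stale := VerifyToken(tok, &priv.PublicKey, policy, now.Add(time.Hour))
	fmt.Println("fresh:", fresh, "| an hour later:", stale) // the stale token fails on its own; nothing to revoke or rotate
}
```

Running it with `go run` shows the same token accepted at issue time and rejected an hour later with no revocation step, which is the property that lets federated identities replace static keys: a leaked token is worthless shortly after it leaks, and a token minted for another audience, another subject, or by an untrusted key never passes the policy check.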

Article Summaries:

  • Tailscale has announced that workload identity federation is now generally available. The feature, first released in beta last fall, now works across the entire platform, adding API and Terraform support for managing federated identities, automatic cloud-token discovery via a new --audience flag, tsnet integration for Go applications, and beta support for the Kubernetes operator. Workloads such as CI runners, cloud services, and Kubernetes clusters can authenticate to a tailnet using short-lived OIDC tokens from their cloud provider instead of long-term secrets. The API and Terraform provider let teams create, update, and audit trust relationships programmatically, simplifying secure automation at scale.
