November 20, 2025 - OIDC Workload Identity Federation
Eliminate credential management with federated authentication for CKS and AI Object Storage
OIDC Workload Identity Federation brings credential-free authentication to CoreWeave using the OpenID Connect (OIDC) protocol. Whether you're authenticating CKS workloads to external cloud services or granting external applications access to AI Object Storage, OIDC eliminates the operational burden of managing, distributing, and rotating long-lived credentials while providing enhanced security through short-lived tokens and centralized access control.
Features
CKS clusters as OIDC Identity Providers
Every CKS cluster now acts as an OIDC Identity Provider (IdP), enabling workloads to authenticate directly to external services without storing credentials. Your Kubernetes workloads receive automatically rotated tokens that external cloud providers and SaaS platforms recognize, eliminating credential distribution and rotation overhead.
- Multi-cloud authentication: Authenticate CKS workloads to AWS, GCP, and other OIDC-compatible services
- Service Account-based identity: Workloads acquire identity through Kubernetes Service Account tokens signed by the cluster
- Public OIDC discovery: Each cluster publishes an OIDC Document Discovery URL for external services to discover identity metadata and cryptographic keys
- No secret management: Workloads authenticate with cluster-issued tokens—no external credentials required
- Works with all cluster types: Available for both public and private CKS clusters
Common use cases include accessing cloud storage buckets, authenticating to managed databases, integrating with SaaS APIs, and orchestrating multi-cloud AI workflows.
Workload Identity Federation for AI Object Storage
AI Object Storage now supports OIDC-based Workload Identity Federation, allowing external applications to access CoreWeave storage using tokens from their identity provider instead of static API keys. Applications obtain tokens from their IdP and exchange them for temporary CoreWeave access credentials that automatically refresh.
- OIDC and SAML support: Choose between OIDC (JSON Web Tokens) for cloud-native applications or SAML (XML assertions) for enterprise environments
- Automatic credential refresh: Temporary credentials refresh as tokens expire without application changes
- IdP integration: Works with existing identity providers including AWS IAM, GCP Workload Identity, Azure Managed Identities, and custom OIDC providers
- Centralized access control: Manage permissions through your existing IdP rather than distributing static credentials
OIDC's JSON-based approach makes it particularly well-suited for API-first workflows and automated systems, while SAML's mature ecosystem serves organizations with established enterprise identity management requirements.
Security and operational benefits
OIDC Workload Identity Federation delivers security and operational advantages across both CKS and AI Object Storage:
- Eliminate stored credentials: No long-lived API keys or service account credentials in configuration files, environment variables, or source code
- Automatic token rotation: Short-lived tokens are issued and rotated automatically by the identity provider
- Fine-grained access control: Leverage native IAM systems (AWS IAM roles, GCP Workload Identity, CoreWeave bucket policies) for precise permission management
- Complete audit visibility: Track all authentication and access through your existing IdP audit logs
- Reduced attack surface: Compromised workloads cannot leak long-lived credentials because none exist