
RFC-WORKLOAD-IDENTITY-0001                                      Appendix A
Category: Standards Track                                        Glossary

Appendix A: Glossary


A.1 Term Definitions

Identity Terms

ARIA (Agent Relationship-based Identity and Authorization)
   An emerging pattern for AI agent identity that tracks delegation
   relationships between principals.

Attestation
   The process of proving workload properties (Kubernetes metadata, cloud
   instance metadata, binary signatures) to establish identity without
   pre-shared secrets.

Authorization Ceiling
   The principle that downstream systems cannot grant permissions exceeding
   those available from upstream systems. Azure AD group memberships define
   the ceiling; Vault and SPIRE can only grant subsets.

Delegation
   The act of one principal authorizing another to act on its behalf. Each
   delegation extends a delegation chain.

Delegation Chain
   The complete sequence of delegation relationships from the original
   principal to the current actor.

Delegation Token
   A token issued via OAuth 2.0 Token Exchange that contains claims about
   both the subject (original principal) and the actor (delegated entity).

SPIFFE (Secure Production Identity Framework For Everyone)
   A set of open-source standards for workload identity in dynamic
   environments.

SPIFFE ID
   A URI-formatted identifier for a workload: spiffe://trust-domain/path.

SVID (SPIFFE Verifiable Identity Document)
   A cryptographically signed document (X.509 certificate or JWT) that
   proves a workload's SPIFFE identity.

Trust Domain
   An administrative boundary within SPIFFE. A trust domain has a single
   root of trust.

Workload
   Any non-human principal: container, service, pipeline, operator,
   scheduled job, AI agent.

Authentication Terms

AppRole
   A Vault authentication method using a role ID and secret ID for machine
   authentication.

JWT Auth
   Vault authentication using JSON Web Tokens, often issued by OIDC
   providers.

Kubernetes Auth
   Vault authentication using Kubernetes ServiceAccount tokens.

mTLS (Mutual TLS)
   TLS where both client and server present certificates for mutual
   authentication.

OIDC (OpenID Connect)
   Authentication layer on top of OAuth 2.0 providing identity verification.

PSAT (Projected ServiceAccount Token)
   Kubernetes ServiceAccount token projected into a pod with a specific
   audience and expiration.

Token Exchange (RFC 8693)
   OAuth 2.0 mechanism for exchanging one token for another with different
   characteristics.

Infrastructure Terms

eBPF (extended Berkeley Packet Filter)
   Linux kernel technology used for observability and network control.

ESO (External Secrets Operator)
   Kubernetes operator that synchronizes secrets from external stores into
   Kubernetes.

Linkerd
   A lightweight service mesh providing mTLS and traffic management.

SPIRE (SPIFFE Runtime Environment)
   Reference implementation of the SPIFFE specification.

SPIRE Agent
   Component running on each node that attests workloads and delivers
   SVIDs.

SPIRE Server
   Central component that issues SVIDs and manages trust bundles.

tbot
   Teleport Machine ID agent that manages machine certificates.

Trust Bundle
   Collection of public keys/certificates used to verify identities from a
   trust domain.

Kubernetes Terms

ClusterRole
   Kubernetes RBAC role that applies cluster-wide.

DaemonSet
   Kubernetes workload that runs one pod per node.

NetworkPolicy
   Kubernetes resource controlling pod network traffic.

Role
   Kubernetes RBAC role that applies within a namespace.

RoleBinding
   Kubernetes resource binding a Role to subjects.

ServiceAccount
   Kubernetes identity for pods.

Cloud Terms

IRSA (IAM Roles for Service Accounts)
   AWS mechanism to associate IAM roles with Kubernetes ServiceAccounts.

STS (Security Token Service)
   AWS service for issuing temporary security credentials.

Workload Identity
   GCP/Azure mechanism for pod identity federation.

Workload Identity Federation
   Cross-cloud identity federation mechanism.


A.2 Diagram Index

All diagrams included in this RFC:

Diagram Name                      Type             Section
--------------------------------  ---------------  ----------
Identity Hierarchy                flowchart        §0 Index
Enterprise Identity Model         flowchart        §3.1.1
Identity Layers                   flowchart        §3.1.3
Trust Boundary Diagram            flowchart        §3.2.2
Authority Relationships           flowchart        §3.3.2
Workload Bootstrap Flow           sequenceDiagram  §3.4.1
Service-to-Service Flow           sequenceDiagram  §3.4.2
CI/CD Identity Flow               sequenceDiagram  §3.4.3
AI Agent Delegation Flow          sequenceDiagram  §3.4.4
Integration Diagram               flowchart        §3.5.4
Component Relationships           flowchart        §4.1.2
SPIRE Deployment                  flowchart        §4.2.6
Vault Agent Integration           flowchart        §4.3.5
Machine Certificate Lifecycle     sequenceDiagram  §4.4.3
Linkerd Authorization Flow        flowchart        §4.5.4
ESO Secret Flow                   flowchart        §4.6.2
Cloud Integration                 flowchart        §4.7.4
SPIRE Workload Flow               sequenceDiagram  §5.2.4
Vault Auth Flow                   sequenceDiagram  §5.3.1
Identity Lifecycle                stateDiagram     §5.5.1
Application Pattern               flowchart        §5.6.1
OIDC Token Flow                   sequenceDiagram  §6.1.3
ArgoCD Identity Flow              flowchart        §7.2.5
Token Hierarchy                   flowchart        §7.5.2
Controller Deployment             flowchart        §8.2.3
CronJob Identity Flow             sequenceDiagram  §8.3.4
Delegation Flow                   sequenceDiagram  §9.2.3
Chain Delegation                  flowchart        §9.4.1
Revocation Cascade                flowchart        §9.8.3
tbot Architecture                 flowchart        §10.2.3
AWS Attestation                   sequenceDiagram  §10.4.2
Machine Secret Access             sequenceDiagram  §10.6.2
mTLS Flow                         sequenceDiagram  §11.2.4
Authorization Flow                flowchart        §11.3.4
SPIRE-Linkerd Integration         flowchart        §11.5.2
Federation Relationship           flowchart        §12.2.3
Federation Workflow               sequenceDiagram  §12.2.5
GCP to AWS Federation             flowchart        §12.3.2
Trust Domain Hierarchy            flowchart        §12.4.1
Trust Bundle Lifecycle            stateDiagram     §12.4.3

A.3 Abbreviations

Abbreviation   Expansion
-------------  ------------------------------------------------------
AAD            Azure Active Directory
API            Application Programming Interface
ARIA           Agent Relationship-based Identity and Authorization
CA             Certificate Authority
CI/CD          Continuous Integration/Continuous Delivery
CLI            Command Line Interface
CNCF           Cloud Native Computing Foundation
CRD            Custom Resource Definition
DaemonSet      Kubernetes DaemonSet
DNS            Domain Name System
eBPF           extended Berkeley Packet Filter
ESO            External Secrets Operator
GCP            Google Cloud Platform
HA             High Availability
HSM            Hardware Security Module
HTTP           Hypertext Transfer Protocol
HTTPS          HTTP Secure
IAM            Identity and Access Management
IdP            Identity Provider
IRSA           IAM Roles for Service Accounts
JWT            JSON Web Token
K8s            Kubernetes
KMS            Key Management Service
mTLS           Mutual Transport Layer Security
OIDC           OpenID Connect
OPA            Open Policy Agent
PAM            Privileged Access Management
PKI            Public Key Infrastructure
PSAT           Projected ServiceAccount Token
RBAC           Role-Based Access Control
RFC            Request for Comments
SA             Service Account
SAML           Security Assertion Markup Language
SPIFFE         Secure Production Identity Framework For Everyone
SPIRE          SPIFFE Runtime Environment
SSH            Secure Shell
STS            Security Token Service
SVID           SPIFFE Verifiable Identity Document
TLS            Transport Layer Security
TPM            Trusted Platform Module
TTL            Time To Live
UI             User Interface
URI            Uniform Resource Identifier
VM             Virtual Machine
WI             Workload Identity
WIF            Workload Identity Federation
YAML           YAML Ain't Markup Language

A.4 ADR Index

Architecture Decision Records documented in this RFC:

ADR ID       Decision Summary                                  Section
-----------  ------------------------------------------------  -------
ADR-WI-001   SPIFFE/SPIRE as primary identity framework        §13.6
ADR-WI-002   Linkerd for service mesh identity                 §13.6
ADR-WI-003   OAuth 2.0 Token Exchange for AI agents            §13.6
ADR-WI-004   Vault Kubernetes auth as primary                  §13.6
ADR-WI-005   Teleport Machine ID for VMs                       §13.6

A.5 Invariant Index

ID       Category            Summary
-------  ------------------  ------------------------------------------
INV-1    Identity Authority  Every workload has cryptographic identity
INV-2    Identity Authority  No long-lived credentials
INV-3    Identity Authority  Identity based on attestation
INV-4    Authentication      Kubernetes auth for Vault
INV-5    Authentication      OIDC federation for CI/CD
INV-6    Authentication      mTLS for service communication
INV-7    Authorization       Namespace-scoped permissions
INV-8    Authorization       Delegation chain preservation
INV-9    Authorization       Authorization ceiling
INV-10   Audit               Identity audit trail
INV-11   Audit               Delegation audit
INV-12   Audit               Cross-system correlation

End of Appendix A