HashiCorp Vault 1.15 adopts Microsoft Workload Identity Federation
HashiCorp Vault 1.15 improves security by adopting Microsoft Workload Identity Federation for applications and services in Azure, Google Cloud, and GitHub.
Microsoft’s primary method for managing identities by workload has been Pod identity. However, the company’s Pod identity technology and workflows are being deprecated and will not be supported after December 2023. Microsoft will continue to support identity workflows with its Workload Identity Federation (WIF) product, which was released as part of Vault 1.15 to deepen Vault’s integration with MS Azure.
In this post, we’ll take a deeper look at the advantages and caveats of WIF.
» What is Workload Identity Federation (WIF)
In Azure, workload identities are assigned to software workloads such as an application, service, script, or container, to authenticate and access other services and resources. WIF makes it easier for developers to access Azure resources from applications and services operating in Kubernetes or other cloud providers by removing the need for secrets in some scenarios. Developers can configure Azure AD applications and services to trust tokens issued by other identity providers, such as HashiCorp Vault. The tokens can then be leveraged to access resources in those applications.
» Identity federation versus secrets
Developers creating applications that require secrets face several questions:
Where to store secrets?
- Many secrets continue to be stored in an insecure manner, checked into repos or shared within collaboration tools. To securely manage secrets, developers need to leverage a vault.
How to mitigate password leakage?
- It’s not enough to store your secrets securely. Secrets should be set to expire so they get rotated regularly.
How to reduce or eliminate service downtime associated with secrets rotation?
- Developers need to leverage a management tool that facilitates secrets rotation while reducing the risk of downtime.
WIF resolves these concerns and removes the need for developers to deal with the burden of secrets management; storing secrets securely and rotating them regularly. The secrets are managed by the Azure platform, simplifying the developer experience. However, workload identities have a few limitations:
- Only 20 federated credentials can be added to an identity. If more than 20 are required, you must use more identities.
- Federated tokens must be signed with RS256.
- Managed workload identities in certain regions will not support federated credentials, see the Microsoft documents page for the updated list.
» Learn more about WIF
Microsoft’s Workload Identity Federation will continue to provide developers with a powerful tool to secure their applications and services. To learn more about workload identities, please visit our developer documentation.
Sign up for the latest HashiCorp news
More blog posts like this one

Terraform provider for Google Cloud 7.0 is now GA
Version 7.0 of the HashiCorp Terraform Google Cloud provider adds new ephemeral resources, write-only attributes, and validation logic.

How to enable developer self-service at scale with Terraform and Waypoint
Learn how to simplify Terraform self-service with HCP Waypoint’s features for building golden deployment workflows.

Terraform now supports assigning agent pools at the project level
HCP Terraform and Terraform Enterprise users can now assign default agent pools at the project level, offering a more scalable and secure approach to agent pool configuration.