Skip to content
This repository was archived by the owner on Apr 16, 2026. It is now read-only.
This repository was archived by the owner on Apr 16, 2026. It is now read-only.

Non-Kubernetes agent identity support (OIDC workload identity) #54

Description

@haasonsaas

Context

ASB authenticates agent workloads via Kubernetes projected service account JWTs. This is effective in K8s but not portable to non-K8s runtimes (local dev, cloud VMs, serverless, CI/CD runners).

Why it matters

  • Maestro runs locally on developer machines, not in K8s
  • CI/CD agents run in GitHub Actions, not K8s
  • Competitors (Vault A2A, Aembit) support OIDC for broader workload identity
  • Enterprise adoption requires agent secret brokering wherever agents run

Suggested approach

  • OIDC workload identity federation (GitHub Actions OIDC, GCP workload identity, Azure MI)
  • CLI-based session bootstrapping for local development (via identity service tokens)
  • Attestation claims normalized across K8s SA JWT and OIDC tokens
  • Maintain K8s as the primary path; OIDC as extension, not replacement

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions