Secretless, federated workload identities

Federated cloud access for every Kubernetes cluster — with zero stored secrets.

Cloud Identity Mesh is a control plane for short-lived cloud credentials across AKS, EKS, GKE, Gardener, bare metal, and CI/CD. Policies map Kubernetes identities and pipelines to cloud principals so you never ship static keys.

Short-lived tokens • Policy-as-code • Full audit
Multi-cloud ready

Azure Workload Identity, AWS IRSA, GCP Workload Identity Federation, Gardener, and on-prem OIDC.

Audit-first design

Every issuance logged with subject, cloud principal, policy decision, and TTL.

Policy decision snapshot (Secretless)

Subject: ns/payments:svc/api
Cloud principal: arn:aws:iam::123:role/payments-api
TTL: 45 minutes
Decision: allow (policy: finance-prod)
CI/CD federation

GitHub Actions, GitLab, and Azure DevOps exchange OIDC tokens for cloud credentials — no secrets in repo, no shared keys.

Built for modern Kubernetes platforms
  • AKS
  • EKS
  • GKE
  • Gardener
  • Bare Metal

How Cloud Identity Mesh works

Cloud Identity Mesh is a control plane that brokers OIDC trust, enforces policy, and issues short-lived credentials from your cloud providers. The same flow powers clusters and pipelines.

  1. Define identity policies once

     Map namespaces, service accounts, and CI subjects to cloud roles through a single policy layer.

  2. Request short-lived credentials

     Workloads and pipelines call the mesh, which evaluates policy and assembles a claim for the cloud provider.

  3. Cloud provider issues tokens

     Cloud Identity Mesh federates to Azure, AWS, and GCP to obtain first-party tokens. You never touch raw keys.

  4. Audit and trace every issuance

     Decisions and lifetimes are logged for SIEM export, satisfying compliance teams.

Why teams adopt it
  • Eliminate static secrets from clusters and pipelines.
  • Normalize identity across AKS, EKS, GKE, Gardener, and on-prem.
  • Give security teams a central policy + audit surface.
Implementation

Cloud Identity Mesh integrates with your CI/CD tooling and platform stack. Nopsa Ventures offers implementation and advisory services to roll this out safely at scale.

Federated Cloud Credentials across AWS, GCP, Azure, Gardener, On-prem

One control plane, different provider mechanics.


Provider detail (AWS): STS, not static keys

Mesh establishes OIDC trust per cluster, maps service accounts to IAM roles, and mints short-lived STS credentials.

  • IRSA trust bound to cluster OIDC issuer
  • Policies map k8s namespace + SA → IAM role ARN
  • No access keys stored in pods or pipelines
Policy to cloud binding

Subject: ns/app:svc/web
Policy: mesh.allow(app, env=prod)
Cloud principal: arn:aws:iam::123:role/app
TTL: 30–60 minutes

Outcome: short-lived, auditable tokens issued by your cloud provider, enforced by Cloud Identity Mesh policy.

What you get in the first 30 days

A concrete path to secretless workloads and CI, paced over the first month.

Fast path to value
Days 1–7

Hook cluster OIDC issuers, baseline policies, and CI trust with least-privileged roles.

Days 8–16

Roll first workloads secretless; add audit export to your SIEM; test break-glass flow.

Days 17–30

Enable pipelines with ephemeral creds; expand to priority namespaces; bake in learnings and guardrails.

Policy + enforcement

Policy-as-code that maps Kubernetes and CI identities to cloud roles

Express constraints on namespace, service account, workload labels, CI issuer, repository, branch, and time-of-day. Attach default TTLs and scopes per environment.

Conditions
  • env == prod
  • repo == org/service
  • subject in ns/payments
Outputs
  • cloud principal: role/payments-api
  • scopes: s3:GetObject, kms:Decrypt
  • ttl: 45 minutes
Audit trail

Every issuance logged with subject, principal, decision, and TTL

Workload             | Principal                                   | TTL | Decision
payments/api-gateway | arn:aws:iam::123:role/payments-api          | 45m | allow (policy: finance-prod)
ml/feature-store     | projects/ml-svc@iam.gserviceaccount.com     | 30m | allow (attribute: env=prod)
cicd/github-actions  | Azure MI: nva-cicd-mi                       | 25m | allow (subject: repo=org/app)

Export to your SIEM or data platform; align with SOC2, ISO27001, NIST 800-63, and cloud provider audit requirements.
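To make the "How it works" flow, the Conditions/Outputs card and the audit trail above concrete, here is an added example (not Cloud Identity Mesh code; the policy dict layout, the `MAX_TTL_MINUTES` cap and the `Request` fields are assumptions) of a default-deny policy evaluator that binds a Kubernetes subject to a cloud principal, caps the TTL at what the policy grants, and emits the subject/principal/decision/TTL record the audit trail lists.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Constructed policy mirroring the Conditions/Outputs card above (layout assumed).
POLICIES = [
    {
        "name": "finance-prod",
        "conditions": {"env": "prod", "repo": "org/service", "namespace": "payments"},
        "principal": "arn:aws:iam::123:role/payments-api",
        "scopes": ["s3:GetObject", "kms:Decrypt"],
        "ttl_minutes": 45,
    },
]
MAX_TTL_MINUTES = 60  # assumed environment-wide ceiling on any issued credential

@dataclass
class Request:
    subject: str                 # Kubernetes identity, e.g. "ns/payments:svc/api"
    env: str                     # environment label presented with the request
    repo: str                    # CI repository claim carried in the OIDC token
    requested_ttl: Optional[int] = None  # minutes; None means "policy default"

def namespace_of(subject: str) -> str:
    """Extract the namespace from a subject such as 'ns/payments:svc/api'."""
    ns_part = subject.split(":", 1)[0]
    if not ns_part.startswith("ns/"):
        raise ValueError(f"unexpected subject format: {subject!r}")
    return ns_part[len("ns/"):]

def evaluate(req: Request, policies=POLICIES) -> dict:
    """Default-deny: only a policy whose every condition matches yields a principal."""
    ns = namespace_of(req.subject)
    for pol in policies:
        cond = pol["conditions"]
        if (cond["env"], cond["repo"], cond["namespace"]) == (req.env, req.repo, ns):
            # A caller may ask for less lifetime than the policy grants, never more.
            ttl = min(req.requested_ttl or pol["ttl_minutes"], pol["ttl_minutes"], MAX_TTL_MINUTES)
            return {"decision": "allow", "policy": pol["name"], "principal": pol["principal"],
                    "scopes": list(pol["scopes"]), "ttl_minutes": ttl}
    return {"decision": "deny", "policy": None, "principal": None, "scopes": [], "ttl_minutes": 0}

def audit_record(req: Request, result: dict, now: Optional[datetime] = None) -> dict:
    """One issuance log entry: subject, principal, decision and TTL, as the audit trail lists."""
    now = now or datetime.now(timezone.utc)
    decision = (f"allow (policy: {result['policy']})" if result["decision"] == "allow"
                else "deny (no matching policy)")
    return {"ts": now.isoformat(), "subject": req.subject, "principal": result["principal"],
            "decision": decision, "ttl": f"{result['ttl_minutes']}m"}
```

A request from ns/payments with env=prod and repo=org/service resolves to the payments-api role at 45 minutes even if it asks for 120; any other namespace, environment or repository is denied and logged as such.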

Built for platform, security, and DevOps teams

Platform Engineering

Bake identity into cluster onboarding and GitOps. Standardize how teams request cloud access.

  • Golden paths for namespaces and SAs
  • GitOps-friendly configs
  • Zero manual key rotation
Security / Compliance

Policy-as-code for who can assume what, with audit trails that map cloud principals back to workloads.

  • Full issuance logs
  • Scoped, time-bound credentials
  • Alignment with SOC2 / ISO expectations
DevOps / SRE

Ship without secrets in CI. Safer rollouts with cloud-native tokens that expire automatically.

  • GitHub/GitLab/Azure DevOps federation
  • Per-deploy credentials
  • Reduced blast radius

Use cases

Secretless workloads

Replace environment secrets with short-lived tokens issued at runtime for cloud APIs and vaults.

Federated CI/CD

GitHub, GitLab, and Azure DevOps obtain ephemeral credentials per pipeline run—no stored cloud keys.

Multi-cloud governance

One policy layer for AKS, EKS, GKE, Gardener, and on-prem. Consistent mapping to cloud principals.

Trusted patterns from regulated environments

Identity specialists
Fintech · SOC2

Replaced service account keys on GKE; audit feed piped to SIEM; rollout in 10 days.

Healthcare · HIPAA

AKS workloads moved to managed identities; token lifetimes capped at 45m; zero stored keys.

Enterprise SaaS

GitHub Actions federated to AWS/GCP for multi-cloud deploys; per-branch policies enforced.

Industrial

Bare-metal + Gardener clusters share one policy layer; audit mapped workloads to cloud roles.

Built by Nopsa Ventures

Nopsa Ventures is a consulting and engineering partner focused on secrets management, federated credentials, managed cloud identities, and platform security. Cloud Identity Mesh captures battle-tested patterns we apply in client engagements and makes them available as a reusable framework.

Nopsa Ventures
Cloud identity specialists behind Cloud Identity Mesh

Planning a new Kubernetes platform or modernizing access for an existing estate? We can help you roll out Cloud Identity Mesh safely and with guardrails.

Schedule a demo

Want to see Cloud Identity Mesh in action and discuss how it could fit into your platform? Schedule a live session with the Nopsa Ventures team.