Service Account Impersonation

Create Federated Identity On a Service Account

Federated identities link an identity provider to a specific service account, defining which tokens can impersonate that service account and what permissions they receive.

Prerequisites

Before creating a federated identity, ensure you have:

  1. An identity provider created (see Step 1 above)
  2. A service account with appropriate IAM roles (see Service Accounts)
  3. Knowledge of the token claims you want to match (subject, repository, branch, etc.)

Configuration Steps

Step 1: Navigate to Service Accounts

Navigate to IAM → Service Accounts in your Thalassa Cloud Console.

Step 2: Select Service Account

Select the service account you want to configure federation for.

Step 3: Create Federated Identity

Click “Add Federated Identity” or “Workload Identity Federation”.

Step 4: Configure Federated Identity

Fill in the federated identity configuration:

Identity Provider:

  • Identity Provider: Select the identity provider you created in Step 1
  • This links the federated identity to your configured OIDC issuer

Token Matching:

Configure how tokens are matched to this federated identity:

  • Subject Claim: Specify the expected sub (subject) claim value

    • Example for GitHub Actions: repo:myorg/myrepo:ref:refs/heads/main
    • Supports wildcards for pattern matching
    • This is the primary claim used to match tokens
  • Additional Claims (Optional): Configure additional claims to match

    • Common claims: repository, repository_owner, ref, environment
    • Use claim matching to restrict access to specific repositories, branches, or environments
    • Example: Match tokens only from the main branch by setting ref: refs/heads/main

API Scopes:

Set the Thalassa Cloud API scopes to include in the returned bearer token:

  • API Scopes: Select one or more API scopes
    • Common scopes: read, write, admin
    • Scope selection determines what actions the bearer token can perform
    • Follow the principle of least privilege: only grant the minimum scopes required

Expiry (Optional):

Configure when the federated identity should be revoked:

  • Expiry Date: Set an optional expiration date
    • Useful for temporary access or project-based workloads
    • After expiry, token exchange will fail for this federated identity
    • Plan ahead for long-running workloads and set reminders to rotate
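
As an added illustration (not Thalassa Cloud's own code or its documented internals), the following Python models the decision a token exchange would make using the fields configured in Step 4: issuer, wildcard subject, additional claims, API scopes and expiry. The federated-identity configuration, the three GitHub Actions claim sets and the evaluation function are all constructed for this example, and token signature verification is assumed to have happened already.

```python
import fnmatch
import time

# Constructed configuration mirroring the console fields above (placeholder values,
# not a real Thalassa Cloud federated identity).
FEDERATED_IDENTITY = {
    "issuer": "https://token.actions.githubusercontent.com",
    "subject": "repo:myorg/myrepo:ref:refs/heads/*",  # wildcard subject pattern
    "claims": {"repository": "myorg/myrepo", "ref": "refs/heads/main"},
    "scopes": ["read"],  # least privilege: no write/admin
    "expires_at": 1_900_000_000,  # optional unix timestamp; None means no expiry
}

# Constructed claim sets from three GitHub Actions OIDC tokens (signature assumed
# already verified against the issuer's JWKS; only claim matching is shown here).
MAIN_TOKEN = {"iss": "https://token.actions.githubusercontent.com",
              "sub": "repo:myorg/myrepo:ref:refs/heads/main",
              "repository": "myorg/myrepo", "ref": "refs/heads/main"}
FEATURE_TOKEN = {"iss": "https://token.actions.githubusercontent.com",
                 "sub": "repo:myorg/myrepo:ref:refs/heads/feature-x",
                 "repository": "myorg/myrepo", "ref": "refs/heads/feature-x"}
FORK_TOKEN = {"iss": "https://token.actions.githubusercontent.com",
              "sub": "repo:otherorg/myrepo:ref:refs/heads/main",
              "repository": "otherorg/myrepo", "ref": "refs/heads/main"}


def evaluate_token(claims, fed, now=None):
    """Return {'allowed', 'reason', 'scopes'} for one token against one federated
    identity: expiry, then issuer, then wildcard subject, then additional claims."""
    now = time.time() if now is None else now

    def deny(reason):
        return {"allowed": False, "reason": reason, "scopes": []}

    if fed.get("expires_at") is not None and now >= fed["expires_at"]:
        return deny("federated identity expired")  # exchange fails after expiry
    if claims.get("iss") != fed["issuer"]:
        return deny("issuer mismatch")
    if not fnmatch.fnmatchcase(claims.get("sub", ""), fed["subject"]):
        return deny("subject mismatch")  # the primary claim used to match tokens
    for name, expected in fed["claims"].items():
        if claims.get(name) != expected:
            return deny(f"claim {name} mismatch")  # e.g. wrong branch or repository
    return {"allowed": True, "reason": "matched", "scopes": list(fed["scopes"])}


if __name__ == "__main__":
    for label, tok in [("main", MAIN_TOKEN), ("feature", FEATURE_TOKEN), ("fork", FORK_TOKEN)]:
        print(label, evaluate_token(tok, FEDERATED_IDENTITY))
```

The feature-branch token passes the wildcard subject but is rejected by the `ref` claim, which is why a broad subject pattern should be paired with additional claims.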

Step 5: Review and Save

  1. Review your configuration
  2. Click “Create Federated Identity” or “Save”
  3. The federated identity is now active and ready to use