You can create, modify, and delete workload identities in the Agent Identity console.
Permissions
We recommend that you grant the Agent Identity administrator permission AliyunAgentIdentityFullAccess to operators.
Create a workload identity
-
Log on to the Agent Identity console. In the navigation pane on the left, choose .
-
On the Workload Identity page, click Create Workload Identity.
-
On the Create Workload Identity page, enter a workload identity name.
-
Click Create Workload Identity.
Associate a RAM role
A workload identity must be associated with a RAM role that has permissions to obtain credentials from the Agent Identity data plane. This allows your agent to obtain credentials such as an STS token, an API key, or an OAuth2 access token.
To simplify this process, use the Create RAM Role wizard in the Agent Identity console to automatically create and authorize the RAM role. The operator must have the following RAM permissions:
-
ram:ListRoles -
ram:ListPolicies -
ram:CreateRole -
ram:AttachPolicyToRole
Sample policy:
{
"Version": "1",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ram:ListRoles",
"ram:ListPolicies",
"ram:CreateRole",
"ram:AttachPolicyToRole"
],
"Resource": "*"
}
]
}
-
Log on to the Agent Identity console. In the navigation pane on the left, choose .
-
On the Workload Identity page, click the name of the target workload identity.
-
On the workload identity details page, in the Authentication Flow section, click Associate RAM Role.
-
In the Associate RAM Role dialog box, click Create RAM Role.
-
On the Quick Authorization for Access Control page, review the RAM role to be created. You can change the role name and permission policy as needed.
By default, the role is named
workloadidentity-test-workload-identityand is granted the AliyunAgentIdentityDataGetCredentialAccess permission policy, which allows the role to obtain credentials from the Agent Identity data plane. After you confirm the settings, click Confirm Authorization.
-
Click Confirm Authorization. Wait a moment while the system automatically creates the RAM role and configures its trust policy and permission policy.
-
Click Return to Console to go back to the workload identity details page.
-
Click Associate RAM Role again.
-
In the Associate RAM Role dialog box, select the automatically created RAM role.
-
Click OK.
Set an application callback URL
To obtain an OAuth access token from a credential provider for your agent, configure an application callback URL for the workload identity. This URL verifies the current user session during OAuth access token acquisition. For more information, see session binding.
-
Log on to the Agent Identity console. In the workload identity list, click the target workload identity.
-
On the workload identity details page, in the Authentication Flow section, click Set Application Callback URL.
-
In the Set Application Callback URL dialog box, click Add. Enter your application callback URL, for example,
https://your-app-fqdn/callback. -
Click OK.
Associate an identity provider
To trust JWT tokens from an external identity provider, associate the identity provider with the workload identity.
-
Log on to the Agent Identity console. In the navigation pane on the left, choose .
-
On the Workload Identity page, click the target workload identity.
-
On the workload identity details page, in the Authentication Flow section, under Identity Provider, click Associate Identity Provider.
-
In the Associate Identity Provider dialog box, select your configured identity provider from the drop-down list. If you do not have an identity provider, see Create an identity provider.
-
Click OK.
Delete a workload identity
-
Log on to the Agent Identity console. In the navigation pane on the left, choose .
-
On the Workload Identity page, find the workload identity that you want to delete, and in the Actions column, click Delete Workload Identity.
-
In the Delete Workload Identity dialog box, enter the workload identity name to confirm, and then click Delete Workload Identity.