OIDC Federation

Connecting a cloud account via OIDC avoids long-lived static credentials. The DriftWise scan worker presents a short-lived JSON Web Token (JWT) to your cloud, which validates it against the trust configuration you set up.

Each cloud uses this slightly differently:

  • AWS validates iss, sub, and aud claims against the OIDC provider / trust policy you register.
  • Azure validates iss, sub, and aud claims against the federated credential you register.
  • GCP uses service-account impersonation instead — you grant DriftWise's backend service account permission to impersonate a service account in your project.

Follow the per-cloud setup guide:

Production trust configuration values

DriftWise issues its own identity tokens from a stable OIDC endpoint. Use the following values when configuring trust in app.driftwise.ai (production):

Value                  Production value                      Used by
Issuer URL             https://federation.driftwise.ai       AWS (--url), Azure (issuer)
Subject                driftwise-backend                     AWS (sub condition, recommended), Azure (subject)
Audience               https://app.driftwise.ai/federation   AWS (aud condition), Azure (audiences)
Service Account email  [email protected]                     GCP (iam.serviceAccountTokenCreator member)

For AWS, pin both the aud and the sub condition in the role trust policy. A trust policy that matches only the audience accepts any token the issuer mints for that audience, whatever its subject; adding the sub condition limits the role to tokens issued for driftwise-backend.

Self-hosted or non-production deployments

The values above are for the hosted app.driftwise.ai service. If you run DriftWise in a different environment (dev, staging, or self-hosted), fetch the values directly from that deployment — see How to retrieve them below.

How to retrieve them

From the UI

  1. Open Cloud Scan+ Add Account and pick your cloud.
  2. Select an OIDC credential type (OIDC Federation for AWS/Azure, Workload Identity for GCP).
  3. Expand View trust configuration details. Copy the values shown into your cloud's CLI commands.

From the API

For platform admins only:

curl -H "x-api-key: $DRIFTWISE_API_KEY" \
https://app.driftwise.ai/api/v2/federation-info

Returns:

{
"issuer_url": "https://federation.driftwise.ai",
"subject": "driftwise-backend",
"audience": "https://app.driftwise.ai/federation",
"service_account_email": "[email protected]"
}

The endpoint returns 503 Service Unavailable when the deployment was booted without federation env vars set, and 403 Forbidden to non-admin callers.
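As an added example (not DriftWise's own code), the Python below turns a federation-info response of the shape shown above into the cloud-side trust configuration described in the table: an AWS role trust policy for sts:AssumeRoleWithWebIdentity, the parameters file for az ad app federated-credential create, and the gcloud binding that grants DriftWise's service account roles/iam.serviceAccountTokenCreator on a target service account. The response is embedded as a constructed sample; the AWS account ID, the service-account email and the GCP target service account are placeholders, not values from the page. check_aws_trust_policy flags a trust policy that lacks the aud or sub pin.

```python
"""Build cloud trust configuration from a DriftWise federation-info response.

Added example, not DriftWise's own code. Placeholders (account ID, service
account email, target service account) are assumptions to replace.
"""
import json
from urllib.parse import urlparse

# Constructed sample in the shape of GET /api/v2/federation-info.
# service_account_email is a placeholder; use the value your deployment returns.
FEDERATION_INFO = {
    "issuer_url": "https://federation.driftwise.ai",
    "subject": "driftwise-backend",
    "audience": "https://app.driftwise.ai/federation",
    "service_account_email": "sa@example-project.iam.gserviceaccount.com",
}


def provider_host(issuer_url: str) -> str:
    """AWS names an IAM OIDC provider, and its condition keys, by the issuer
    URL with the https:// scheme removed (e.g. federation.driftwise.ai)."""
    parsed = urlparse(issuer_url)
    if parsed.scheme != "https" or not parsed.netloc:
        raise ValueError("OIDC issuer must be an https URL")
    return parsed.netloc + parsed.path.rstrip("/")


def aws_trust_policy(info: dict, account_id: str) -> dict:
    """Role trust policy: federated principal is the registered OIDC provider,
    and StringEquals pins both aud and sub so only DriftWise's own token,
    minted for this audience, can assume the role."""
    host = provider_host(info["issuer_url"])
    provider_arn = f"arn:aws:iam::{account_id}:oidc-provider/{host}"
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": provider_arn},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {"StringEquals": {
                f"{host}:aud": info["audience"],
                f"{host}:sub": info["subject"],
            }},
        }],
    }


def check_aws_trust_policy(policy: dict, host: str) -> list:
    """List the aud/sub pins missing from each AssumeRoleWithWebIdentity
    statement. An unpinned statement trusts every token the issuer mints."""
    problems = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Action") != "sts:AssumeRoleWithWebIdentity":
            continue
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        for key in (f"{host}:aud", f"{host}:sub"):
            if key not in cond:
                problems.append(f"Statement[{i}] missing StringEquals on {key}")
    return problems


def azure_federated_credential(info: dict, name: str = "driftwise") -> dict:
    """Parameters file for:
    az ad app federated-credential create --id <APP_OBJECT_ID> --parameters cred.json
    Azure matches iss, sub and aud against issuer, subject and audiences."""
    return {
        "name": name,
        "issuer": info["issuer_url"],
        "subject": info["subject"],
        "audiences": [info["audience"]],
    }


def gcp_binding_command(info: dict, target_sa: str) -> str:
    """gcloud command letting DriftWise's service account impersonate the
    target service account in your project (target_sa is a placeholder)."""
    return (
        "gcloud iam service-accounts add-iam-policy-binding "
        f"{target_sa} "
        f"--member=serviceAccount:{info['service_account_email']} "
        "--role=roles/iam.serviceAccountTokenCreator"
    )


if __name__ == "__main__":
    # Placeholder account ID and target service account.
    policy = aws_trust_policy(FEDERATION_INFO, "123456789012")
    print(json.dumps(policy, indent=2))
    print(json.dumps(azure_federated_credential(FEDERATION_INFO), indent=2))
    print(gcp_binding_command(
        FEDERATION_INFO, "driftwise-scanner@my-project.iam.gserviceaccount.com"))
    print("policy check:", check_aws_trust_policy(policy, "federation.driftwise.ai") or "ok")
```

Run the AWS output through check_aws_trust_policy before attaching it to the role; for a self-hosted deployment, replace FEDERATION_INFO with the response from that deployment's /api/v2/federation-info so the issuer host in the condition keys matches the provider you registered.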