Unit 5: Cloud IAM integration — AWS IAM Roles, GCP Workload Identity, Azure Managed Identity

[TeoSlayer]

Scope

Cloud provider IAM as identity source. EC2 instances, ECS tasks, Lambda functions, GKE pods, and Azure VMs authenticate via their cloud IAM role/identity.

Deliverables

• AWS: IAM Role → OIDC token via STS (AssumeRoleWithWebIdentity), instance profile token from metadata
• GCP: Workload Identity tokens from metadata service, service account impersonation
• Azure: Managed Identity tokens from IMDS, system-assigned and user-assigned
• All three are OIDC issuers: validate via standard OIDC join rule with provider-specific presets
• IAM role/identity → Pilot network mapping (e.g., role "data-pipeline-prod" → production network)
• Zero-credential deployment: agents running on cloud VMs need no secrets, credentials come from cloud metadata

Priority: MEDIUM

[TeoSlayer]

Context: This is the zero-credential dream. An EC2 instance running a Pilot agent authenticates using its IAM role — no API keys, no secrets, no certificates to manage. The cloud provider is the OIDC issuer, Pilot validates the token. When the instance is terminated, the token expires and access is automatically revoked. Works across all three major clouds using the same OIDC infrastructure from Phase 5.