
Use `tcloud iam workload-identity-federation bootstrap` to wire OIDC workloads to Thalassa IAM without long-lived API keys in repos or clusters.
We want to eliminate static secrets wherever it is practical. Long-lived tokens in Git variables, copied into Terraform backends, or baked into cluster manifests rot slowly, leak easily, and rarely map cleanly to who actually called the API. Workload identity federation is a better default: a platform OIDC identity proves this pipeline or this service account ran the job, and Thalassa issues short-lived access in exchange.
The `tcloud iam workload-identity-federation bootstrap` command is one piece of that puzzle. It provisions the IAM wiring so you can move from “paste a PAT into CI” toward federated JWTs and token exchange patterns (including controllers such as the IaaS controller that authenticate via in-cluster tokens).
In one flow, the CLI creates (when missing) a federated OIDC identity provider, a Thalassa service account, a role binding to your organisation role, and a federated identity that matches the workload JWT subject. The bootstrap command supports flows for GitHub, GitLab and Kubernetes.
The `gitlab` flow creates or reuses a federated provider for your GitLab OIDC issuer, then binds the project path and ref to a Thalassa service account. Example for GitLab.com on branch `main` with an IaaS read role and explicit scopes:

```shell
tcloud iam workload-identity-federation bootstrap gitlab \
  --issuer https://gitlab.com \
  --repository group/example \
  --ref main \
  --role iaas:ReadAccess \
  --scope api:read,api:write
```
Typical CLI output (the IDs below are from one run; use the `sa-…` value from your own output as `THALASSA_SERVICE_ACCOUNT_ID` in CI):

```
► Bootstrap workload identity (gitlab)
✔ Organisation role - iaas-read-access (d6m0b0ngt9dc739sdrn0)
✔ Federated identity provider - already present fip-d6un6sgkknks73bejis0
✔ Service account - already present sa-d6un6sq1t50c73bm7km0 (wif-gitlab-7d52b04e6662e6f7-wlkcl)
✔ Federated identity - already present fi-d6un6t21t50c73bm7kn0
✔ Organisation role binding - already present
wif-key: 7d52b04e6662e6f7
issuer: https://gitlab.com
JWT sub: project_path:group/example:ref_type:branch:ref:main
```
► Next steps CI configuration (https://docs.thalassa.cloud/docs/iam/oidc/)
For a self-managed GitLab instance, pass its URL as `--issuer` (for example https://gitlab.example.com). Tag pipelines can use `--ref-type tag` and the tag name as `--ref`. This is ideal when you want to provision infrastructure through our Terraform Provider directly from GitLab CI pipelines.
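The binding that bootstrap prints is an issuer plus a JWT `sub`, so the most common failure is a CI token whose claims do not line up with it. As an added example (not part of the tcloud CLI or Thalassa's own code), here is a small Python pre-flight check that builds the expected subject for a branch or tag pipeline and reports why a token would not match; the subject layout is taken from the `JWT sub` line above, and the sample token is constructed, not a real GitLab ID token.

```python
import base64
import json
import time

# Subject layout as printed by the bootstrap output on this page:
#   project_path:<group/project>:ref_type:<branch|tag>:ref:<name>
def gitlab_subject(repository, ref, ref_type="branch"):
    """Build the GitLab OIDC `sub` claim that a federated identity is bound to."""
    if ref_type not in ("branch", "tag"):
        raise ValueError(f"unsupported ref_type: {ref_type}")
    return f"project_path:{repository}:ref_type:{ref_type}:ref:{ref}"

def decode_jwt_payload(token):
    """Decode the claims segment of a compact JWT without verifying the signature.
    Local diagnostic only: signature validation is the token exchange endpoint's job."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def check_binding(claims, issuer, repository, ref, ref_type="branch", now=None):
    """Return the reasons a token would NOT match the bootstrapped federated identity.
    An empty list means issuer, subject and expiry all line up."""
    problems = []
    now = time.time() if now is None else now
    # Normalise a trailing slash so https://gitlab.com/ and https://gitlab.com compare equal.
    if claims.get("iss", "").rstrip("/") != issuer.rstrip("/"):
        problems.append(f"issuer mismatch: {claims.get('iss')!r} != {issuer!r}")
    expected = gitlab_subject(repository, ref, ref_type)
    if claims.get("sub") != expected:
        problems.append(f"subject mismatch: {claims.get('sub')!r} != {expected!r}")
    if "exp" not in claims or claims["exp"] <= now:
        problems.append("token expired or missing exp")
    return problems

# Constructed sample token for the page's example binding (unsigned, for the demo only).
def _sample_token(claims):
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'none'})}.{enc(claims)}.sig"

SAMPLE_CLAIMS = {
    "iss": "https://gitlab.com",
    "sub": "project_path:group/example:ref_type:branch:ref:main",
    "exp": 4102444800,  # far future so the sample does not age out
}
SAMPLE_TOKEN = _sample_token(SAMPLE_CLAIMS)

if __name__ == "__main__":
    claims = decode_jwt_payload(SAMPLE_TOKEN)
    print(check_binding(claims, "https://gitlab.com", "group/example", "main") or "binding matches")
```

Run it against the ID token your CI job actually received (for example by pasting the token into `decode_jwt_payload`) before debugging the exchange itself.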
`tcloud iam workload-identity-federation bootstrap` is the first step in our approach to improving how you work with the Thalassa Cloud API. We are shifting the default away from long-lived secrets in CI variables, secret managers or other configuration tooling, and toward federated identity, short-lived tokens, and token exchange at our OIDC endpoint.
While we continue to support access credentials and personal access tokens, we actively recommend switching to the Workload Identity Federation approach wherever possible.
Note that while bootstrap currently supports GitLab, GitHub and Kubernetes, it is also possible to integrate with Keycloak or other OIDC identity providers.
For the umbrella command, options, and “see also” links, start with the workload-identity-federation bootstrap overview. If you are new to tcloud, see the CLI documentation for installation and context setup.