An agent's identity is only as strong as the platform that vouches for it. Attestation is the mechanism by which a workload proves what it is, rather than asserting it. The six options below are the ones a builder is most likely to wire up first, ranked by operational lift relative to the trust-root strength they provide.
| Surface | Best for | Binds to | TTL | Trust root |
|---|---|---|---|---|
| GitHub Actions OIDC | CI/CD agents, build-time tooling, deploy workflows | Repository + workflow + ref + job + environment | ≤ 6 hours (default 15 min) | GitHub OIDC issuer JWKS |
| AWS Nitro Enclave attestation | High-sensitivity agents (financial, PII, key custody) | Enclave image hash (PCRs), parent instance, region | Attestation document signed at request time | AWS Nitro root of trust certificate chain |
| Azure managed identity | Agents on Azure compute (App Service, Functions, AKS, VMs) | Azure resource ID + tenant + subscription | ≤ 24 hours, refreshed automatically | Microsoft Entra ID |
| GCP Workload Identity Federation | Agents that run outside GCP and need GCP API access | External issuer + claim mapping rules | ≤ 12 hours (configurable) | External OIDC issuer + WIF pool policy |
| TPM 2.0 quote | On-prem agents, edge devices, hardware roots of trust | TPM endorsement key + PCR set + boot measurements | Quote signed at request time | TPM manufacturer EK certificate |
| Apple App Attest | Agents that ride along inside an iOS/macOS client | App bundle ID + device hardware key | Per assertion | Apple Anonymous Attestation CA |

GitHub Actions OIDC
Rotation: Per workflow run, automatic
The lowest-friction path off long-lived API keys for any agent that runs in CI. Cloud providers (AWS, Azure, GCP) all accept GitHub's OIDC token directly.
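What "binds to repository + workflow + ref + environment" means in practice is the condition block on the cloud side. The following is an added example (not code from the original page, GitHub or AWS) that evaluates an IAM trust-policy Condition against the claims of a GitHub Actions OIDC token, using IAM's StringEquals/StringLike semantics. The token claim sets, the `acme/...` repository names and the two policies are constructed for illustration; signature verification against the issuer JWKS is assumed to have already happened (STS does it before the condition is evaluated).

```python
"""Evaluate an AWS IAM trust-policy Condition block against the claims of a
GitHub Actions OIDC token. Added example: tokens and policies are constructed."""
import re
import time

GITHUB_ISSUER = "https://token.actions.githubusercontent.com"
# IAM condition keys for this issuer are '<issuer host>:sub' and '<issuer host>:aud'.
SUB_KEY = "token.actions.githubusercontent.com:sub"
AUD_KEY = "token.actions.githubusercontent.com:aud"
KEY_TO_CLAIM = {SUB_KEY: "sub", AUD_KEY: "aud"}


def string_like(pattern, value):
    """IAM StringLike: case-sensitive, '*' matches any run of chars, '?' one char."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None


def condition_matches(condition, claims):
    """AND across operators/keys, OR across the allowed values listed for one key."""
    for operator, keys in condition.items():
        for key, allowed in keys.items():
            allowed = allowed if isinstance(allowed, list) else [allowed]
            actual = claims.get(KEY_TO_CLAIM[key])
            if actual is None:
                return False
            if operator == "StringEquals":
                if actual not in allowed:
                    return False
            elif operator == "StringLike":
                if not any(string_like(p, actual) for p in allowed):
                    return False
            else:
                raise ValueError(f"unsupported operator {operator}")
    return True


def assume_role_allowed(claims, condition, now=None):
    """Relying-party decision for one AssumeRoleWithWebIdentity call: issuer,
    expiry, then the claim binding expressed by the Condition block."""
    now = time.time() if now is None else now
    if claims.get("iss") != GITHUB_ISSUER:
        return False
    if claims.get("exp", 0) <= now:  # GitHub tokens are minutes-lived; never accept expired ones
        return False
    return condition_matches(condition, claims)


# Constructed weak policy: any repo in the org, any ref, any trigger can assume the role.
WEAK_CONDITION = {
    "StringEquals": {AUD_KEY: "sts.amazonaws.com"},
    "StringLike": {SUB_KEY: "repo:acme/*"},
}
# Constructed strict policy: one repo, and only jobs running in its 'production' environment.
STRICT_CONDITION = {
    "StringEquals": {
        AUD_KEY: "sts.amazonaws.com",
        SUB_KEY: "repo:acme/payments-agent:environment:production",
    },
}


def sample_claims(sub, repository, now):
    """Constructed claim set shaped like a GitHub Actions OIDC token payload."""
    return {
        "iss": GITHUB_ISSUER,
        "aud": "sts.amazonaws.com",
        "sub": sub,
        "repository": repository,
        "iat": now,
        "exp": now + 600,  # ten minutes, inside GitHub's default window
    }


NOW = 1_700_000_000.0
PROD_DEPLOY = sample_claims("repo:acme/payments-agent:environment:production", "acme/payments-agent", NOW)
PR_RUN = sample_claims("repo:acme/payments-agent:pull_request", "acme/payments-agent", NOW)
OTHER_REPO = sample_claims("repo:acme/docs-site:ref:refs/heads/main", "acme/docs-site", NOW)

if __name__ == "__main__":
    for name, tok in [("prod deploy", PROD_DEPLOY), ("pull_request run", PR_RUN), ("other repo", OTHER_REPO)]:
        print(f"{name:17s} weak={assume_role_allowed(tok, WEAK_CONDITION, NOW)} "
              f"strict={assume_role_allowed(tok, STRICT_CONDITION, NOW)}")
```

The weak policy lets a pull_request job or a different repository in the same org obtain the role; the strict one pins the subject to the exact `repo:<org>/<repo>:environment:<name>` string, which is the binding the table row refers to.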

AWS Nitro Enclave attestation
Rotation: Per attestation request
Hardware-backed. The attestation document includes PCR measurements of the enclave image, so a runtime modification of the agent invalidates the proof.

Azure managed identity
Rotation: Platform-managed
System-assigned identity is the simplest pattern; user-assigned identity is required when multiple workloads share an identity intentionally (most agents should be system-assigned).

GCP Workload Identity Federation
Rotation: Per token exchange
Lets a GitHub OIDC token, AWS STS token, or any RFC 7519 JWT be exchanged for a Google access token without storing a service-account key.

TPM 2.0 quote
Rotation: Per quote
Most rigorous attestation surface available without going to a TEE; also the highest operational lift. Worth it for agents that hold key material on the host.
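The verifier-side checks that make a TPM quote (and, for the PCR allowlist step, a Nitro attestation document) worth its operational lift are shown below. This is an added example, not code from the page or from any TPM library: the golden PCR values, the nonce and the decoded quote structure are constructed here, and verification of the signature over the TPMS_ATTEST blob with the attestation key chained to the EK certificate is assumed to have been done already by the TPM library in use. The `pcrDigest` reconstruction follows TPM2_Quote's definition (hash of the selected PCR values concatenated in selection order).

```python
"""Verifier-side checks on a TPM 2.0 quote: nonce freshness, PCR coverage,
pcrDigest integrity, and a golden-value allowlist. Added example; all values
are constructed and the quote signature is assumed verified beforehand."""
import hashlib
import hmac
import secrets

# Constructed 'golden' PCR values a deployment records at enrolment from a
# known-good image's measured-boot log (sha256 bank).
GOLDEN_PCRS = {
    0: hashlib.sha256(b"firmware v1").digest(),
    4: hashlib.sha256(b"bootloader v1").digest(),
    7: hashlib.sha256(b"secure boot policy").digest(),
    11: hashlib.sha256(b"agent image v1").digest(),
}
SELECTION = sorted(GOLDEN_PCRS)  # PCRs the quote covers, ascending as the TPM orders them


def extend_pcr(current, event):
    """TPM2_PCR_Extend: PCR := H(PCR || H(event)). Any runtime change lands here."""
    return hashlib.sha256(current + hashlib.sha256(event).digest()).digest()


def pcr_composite_digest(pcrs, selection):
    """TPM2_Quote's pcrDigest: hash of the selected PCR values, concatenated in order."""
    return hashlib.sha256(b"".join(pcrs[i] for i in selection)).digest()


def build_quote(pcrs, selection, nonce):
    """Constructed stand-in for the decoded TPMS_ATTEST body of a quote."""
    return {"extraData": nonce, "pcrSelect": list(selection),
            "pcrDigest": pcr_composite_digest(pcrs, selection)}


def verify_quote(quote, reported_pcrs, expected_nonce, golden):
    """Return a list of failure reasons; an empty list means the host is trusted."""
    failures = []
    # 1. Freshness: the quote must carry the nonce this verifier just issued,
    #    so a quote recorded during an earlier clean boot cannot be replayed.
    if not hmac.compare_digest(quote["extraData"], expected_nonce):
        failures.append("nonce mismatch (replayed or stale quote)")
    # 2. Coverage: every PCR the policy cares about must be in the selection.
    missing = [i for i in golden if i not in quote["pcrSelect"]]
    if missing:
        failures.append(f"PCRs not covered by quote: {missing}")
    # 3. Integrity: the PCR values the host reports must reproduce the signed digest,
    #    so a host cannot report golden values while the TPM signed different ones.
    try:
        digest = pcr_composite_digest(reported_pcrs, quote["pcrSelect"])
    except KeyError as missing_index:
        return failures + [f"reported PCR set lacks index {missing_index}"]
    if not hmac.compare_digest(digest, quote["pcrDigest"]):
        failures.append("reported PCR values do not match signed pcrDigest")
    # 4. Policy: each covered PCR must equal the golden measurement.
    for i, want in golden.items():
        if i in reported_pcrs and reported_pcrs[i] != want:
            failures.append(f"PCR{i} differs from golden value")
    return failures


def demo():
    """Clean boot, a runtime modification of the agent, and a replayed quote."""
    nonce = secrets.token_bytes(32)
    clean = build_quote(GOLDEN_PCRS, SELECTION, nonce)
    ok = verify_quote(clean, GOLDEN_PCRS, nonce, GOLDEN_PCRS)

    tampered_pcrs = dict(GOLDEN_PCRS)
    tampered_pcrs[11] = extend_pcr(tampered_pcrs[11], b"patched agent binary")
    tampered = build_quote(tampered_pcrs, SELECTION, nonce)
    bad = verify_quote(tampered, tampered_pcrs, nonce, GOLDEN_PCRS)

    replay = verify_quote(clean, GOLDEN_PCRS, secrets.token_bytes(32), GOLDEN_PCRS)
    return ok, bad, replay


if __name__ == "__main__":
    for label, result in zip(("clean", "tampered", "replay"), demo()):
        print(f"{label:9s} {'trusted' if not result else result}")
```

The four checks are independent on purpose: a nonce check without the digest check accepts a host that lies about its PCR values, and a digest check without the nonce accepts a genuine but stale quote.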

Apple App Attest
Rotation: Per assertion
The right primitive for endpoint-resident assistants. Less common in server-side agent stacks but increasingly relevant as agents move into client apps.

A long-lived API key in a config file with no platform attestation, no sender constraint, and no `act` claim on the issued token. This is the modal agent identity setup in 2026 and the one that shows up in incident reports first. The fix is not "rotate the key more often"; the fix is to retire the long-lived key class entirely and federate against one of the surfaces above.