OIDC Federation

Connecting a cloud account via OIDC avoids long-lived static credentials. The DriftWise scan worker presents a short-lived JSON Web Token (JWT) to your cloud, which validates it against the trust configuration you set up.

Each cloud uses this slightly differently:

  • AWS and Azure validate the JWT's iss, sub, and aud claims against the OIDC provider / federated credential you register.
  • GCP uses service-account impersonation instead — you grant DriftWise's backend service account permission to impersonate a service account in your project.

Follow the per-cloud setup guide:

Production trust configuration values

DriftWise's scan worker runs on Google Kubernetes Engine, so the identity tokens it presents to your cloud are signed by Google. Use the following values when configuring trust in app.driftwise.ai (production):

Value                  Production value                      Used by
---------------------  ------------------------------------  ---------------------------------------------------------
Issuer URL             https://accounts.google.com           AWS (--url), Azure (issuer)
Subject                <SUBJECT> (see note below)            AWS (sub condition, recommended), Azure (subject)
Audience               https://app.driftwise.ai/federation   AWS (--client-id-list + aud condition), Azure (audiences)
Service Account email  [email protected]                     GCP (iam.serviceAccountTokenCreator member)

Looking up <SUBJECT>

The sub claim is the DriftWise backend service account's numeric unique ID, assigned by Google at creation time and stable for the lifetime of the service account. Copy the value from the View trust configuration details panel in the Add Account form, or from GET /api/v2/federation-info — see How to retrieve them below.
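The following is an added example, not DriftWise's own code or the code of any cloud provider. It shows the checks a relying cloud performs on the token the scan worker presents: signature first, then iss, sub, aud and exp against the registered trust configuration. Two simplifications are assumptions: the subject is a constructed 21-digit placeholder rather than a real service-account ID, and the token is HS256-signed with a local demo key instead of RS256-signed by Google (which the cloud would verify against Google's published signing keys), so it runs offline. The claim checks are unchanged by that substitution.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

# Trust configuration as a relying cloud stores it, using the production values
# from the table above. The subject is a constructed placeholder standing in for
# the real 21-digit numeric service-account ID this page says to look up.
TRUST_CONFIG = {
    "issuer": "https://accounts.google.com",
    "subject": "123456789012345678901",  # constructed placeholder, not a real ID
    "audience": "https://app.driftwise.ai/federation",
}

# Constructed demo key. Real tokens are RS256-signed by Google and the cloud
# checks them against Google's published signing keys; an HMAC key keeps this
# example offline while the claim checks stay the same.
DEMO_KEY = b"constructed-demo-key-not-a-real-secret"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, key: bytes) -> str:
    """Build a compact HS256 JWT. Plays the role of the token issuer for the demo."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        _b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url(json.dumps(claims, separators=(",", ":")).encode())
    )
    signature = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(signature)


def validate_token(token: str, key: bytes, trust: dict,
                   now: Optional[float] = None) -> Tuple[bool, str]:
    """Check a token the way the relying cloud does: signature first, then
    iss, sub, aud and exp against the registered trust configuration."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed token"
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # reject "none" and any unexpected algorithm
        return False, "unexpected alg"
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        return False, "bad signature"
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != trust["issuer"]:
        return False, "issuer mismatch"
    if claims.get("sub") != trust["subject"]:
        return False, "subject mismatch"
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]  # aud may be a string or a list
    if trust["audience"] not in audiences:
        return False, "audience mismatch"
    if not isinstance(claims.get("exp"), (int, float)) or now >= claims["exp"]:
        return False, "expired or missing exp"
    return True, "ok"


def demo_results(now: float = 1_700_000_000) -> dict:
    """Exercise the validator with one good token and several that must be refused."""
    base = {"iss": TRUST_CONFIG["issuer"], "sub": TRUST_CONFIG["subject"],
            "aud": TRUST_CONFIG["audience"], "iat": now, "exp": now + 3600}
    cases = {
        "good": (mint_token(base, DEMO_KEY), DEMO_KEY),
        "wrong_audience": (mint_token({**base, "aud": "https://other.example/federation"}, DEMO_KEY), DEMO_KEY),
        "wrong_subject": (mint_token({**base, "sub": "999999999999999999999"}, DEMO_KEY), DEMO_KEY),
        "wrong_issuer": (mint_token({**base, "iss": "https://accounts.example.invalid"}, DEMO_KEY), DEMO_KEY),
        "expired": (mint_token({**base, "exp": now - 1}, DEMO_KEY), DEMO_KEY),
        "forged": (mint_token(base, b"some-other-key"), DEMO_KEY),
    }
    return {name: validate_token(tok, key, TRUST_CONFIG, now=now)[1]
            for name, (tok, key) in cases.items()}


if __name__ == "__main__":
    for name, reason in demo_results().items():
        print(f"{name:15s} -> {reason}")
```

The order of checks matters: the signature is verified before any claim is read, so an unsigned or re-signed token never reaches the iss/sub/aud comparison. The subject check is the one the table marks as recommended for AWS; without it, any token from the same issuer and audience would be accepted, which is why the numeric ID rather than an email is used for sub.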

Self-hosted or non-production deployments

The values above are for the hosted app.driftwise.ai service. If you run DriftWise in a different environment (dev, staging, or self-hosted), fetch the values directly from that deployment — see How to retrieve them below.

How to retrieve them

From the UI

  1. Open Cloud Scan, click + Add Account, and pick your cloud.
  2. Select an OIDC credential type (OIDC Federation for AWS/Azure, Workload Identity for GCP).
  3. Expand View trust configuration details. Copy the values shown into your cloud's CLI commands.

From the API

For platform admins only:

curl -H "x-api-key: $DRIFTWISE_API_KEY" \
https://app.driftwise.ai/api/v2/federation-info

Returns:

{
  "issuer_url": "https://accounts.google.com",
  "subject": "<21-digit numeric ID>",
  "audience": "https://app.driftwise.ai/federation",
  "service_account_email": "[email protected]"
}

The endpoint returns 503 Service Unavailable when the deployment was booted without federation env vars set, and 403 Forbidden to non-admin callers.