TL;DR: Federated workload identity fails silently when trust policies rely on org-level or wildcard claims. Exact-match issuer and subject validation prevents it. The token looks valid, the exchange succeeds, and a non-production workload authenticates against production resources. Pin the trust policy to a specific issuer URL and subject pattern. Log every cross-tenant token acceptance. Enforce deny-by-default for any claim that isn't explicitly allowlisted.
Key Takeaways: - The failure mode is silent. The token has a valid signature, audience, and subject. So observability tooling treats the exchange as successful. - The trust leak lives in two claims: `iss` (issuer) and `sub` (subject). Most teams verify signature and expiry. They skip claim-level inspection across token exchange hops. - Zero trust applied to workload identity means every token acceptance is re-evaluated against the current trust policy. It is not trusted from initial registration.
The Quiet Failure: When Workload Identity Federation Trusts the Wrong Tenant

Your workload identity federation passed every integration test. Your auditor signed off. Then a CI pipeline in a sibling project authenticated against your production tenant. Nobody noticed.
This isn't a hypothetical. It's the most common failure pattern in federated cloud security audits. It shows up across multi-tenant cloud environments. The federation looks correct. The OIDC provider is registered. The trust policy exists. The problem is what the trust policy actually matches against.
Federated workload identity often inherits trust from a parent project, org, or cluster. A token issued in a non-production environment gets accepted by production resources. Why? Because the trust policy was configured at the org level, not the workload level. No one touched a misconfigured policy. The policy was always permissive. It just looked restrictive in the console.
The failure mode is silent because the token is structurally valid. It has a signature from a trusted IdP. It has an audience claim that matches the receiving service. It has a subject claim that names a real workload.
Existing observability tooling sees a successful exchange. It logs it as green. Nothing fires an alert.
Real incidents trace back to mismatched issuer and subject claims in the external token. These are the fields the trust policy was supposed to validate. They rarely get inspected deeply. The signature check passes. The expiry check passes. The audience check passes.
Nobody checks whether the issuer URL points to the org or a sibling project within the org. Nobody checks whether the subject pattern is specific enough to exclude adjacent namespaces.
This is a pattern we've seen across enterprise deployments in regulated industries. Federated identity boundaries are routinely audited there. The boundary looks drawn on paper. In the IAM layer, it's a dotted line.
If the failure is this quiet, why don't standard CI checks and audit pipelines catch it before tokens cross tenant boundaries?
Why Token Exchange Hides the Mistake
Most federated setups exchange the original token for a cloud-native access token. This happens before the workload reaches the target resource. This exchange is where the trust leak hides.
Federated access tokens often get exchanged for unrestricted tokens before reaching the target. The exchange step strips the original audience and subject context. This is the context the trust policy was meant to inspect. The receiving tenant never sees the original `iss` and `sub` claims. It sees a freshly minted native token issued by the cloud's own STS-equivalent service.
Most teams verify only the token signature and expiry. They don't verify the chain of claims connecting the original issuer to the destination tenant. The exchange is treated as a black box. As long as the new token has a valid signature from the cloud's own identity service, the original claims are considered irrelevant.
The hop pattern matters. Service account impersonation in Google Cloud, managed identity chaining in Azure, and role assumption in AWS all introduce extra hops. These are hops where tenant context can be lost or substituted. Each hop is a chance for the original trust boundary to dissolve.
1# A typical federated trust policy that hides the problem2federated_identity_credential:3 issuer: "https://token.actions.githubusercontent.com"4 subject: "repo:my-org/*:environment:production" # wildcard match5 audience: "https://iam.googleapis.com"
The wildcard in the subject pattern accepts tokens from any repo under the org. It does not accept only the specific repo the security team intended. The issuer is correct. The signature is valid. The audience is right.
But the subject match is loose enough to admit tokens from sibling projects. That includes non-production CI pipelines.
This is the kind of gap that zero trust architecture is supposed to close. The problem is most teams apply zero trust to user identity. They stop at the workload boundary.
The token exchange layer obscures the problem. The root cause lives in two specific claims. Almost nobody validates them end-to-end.
Issuer and Subject Claims: The Actual Mechanism Behind the Trust Leak
Two claims carry the entire trust decision. The `iss` claim tells the receiving tenant which external IdP minted the token. The `sub` claim identifies the specific workload within that IdP. If either drifts from what the trust policy expects, the token gets accepted by a tenant that should reject it.
Here's how the wrong-tenant trust forms in practice:
1// Token from a non-production CI pipeline2{3 "iss": "https://token.actions.githubusercontent.com",4 "sub": "repo:my-org/staging-pipeline:environment:staging",5 "aud": "https://iam.googleapis.com",6 "exp": 17200000007}
The `iss` claim points to the org-level OIDC provider. The `sub` claim names a specific repo. A pattern like `repo:my-org/:environment:production` looks restrictive because it pins the environment, but the wildcard in the repo segment still admits any repo under the org. The real failure appears with even broader patterns, such as `repo:my-org/:ref:refs/heads/main`. The staging pipeline's `sub` ends with `:environment:staging`. The exchange layer or a permissive policy variant accepts the wider match.
A more common pattern: the OIDC provider is configured at the org level. So tokens from any project under that org are accepted. They are accepted as if they came from the trusted project. This is the wrong-tenant trust. The receiving tenant sees a valid token from a trusted org. It assumes the workload is authorized.
Workload identity federation in Microsoft Entra, Google Cloud, and AWS IAM relies on exact matching of these claims. Any wildcard or prefix match widens the blast radius. It widens it beyond what the security team intended.
A `repo:my-org/` match in GitHub Actions OIDC means every repo in the org can mint tokens. The receiving tenant will accept them. A `system:serviceaccount:` match in Kubernetes OIDC means every service account in the cluster can authenticate.
The fix is to pin the trust policy to a specific issuer URL and a specific subject pattern. Also, reject tokens whose claims don't match the registered federation identity. This is what most teams think they're doing. They're not. They're configuring wildcards. Exact matches are harder to maintain across CI pipelines, branch promotions, and environment-specific deploys.
Knowing the mechanism is half the battle. The other half is configuring OIDC federation so the trust boundary matches the boundary your security team actually drew.
Configuring OIDC Federation Without the Trust Leak

The configuration is straightforward. The discipline is not. Most teams skip the audit step. They go straight to registering an OIDC provider. They do this without mapping the existing trust policies to specific claim patterns.
Step one: enumerate every external IdP currently trusted by your cloud IAM. Map each trust policy to the specific issuer URL and subject identifier it accepts. Reject any policy that uses wildcards or prefix matches. This is a manual audit. It's the only way to know where your trust boundaries actually sit.
1# Terraform: exact-match claim validation for OIDC federation2resource "google_iam_workload_identity_pool_provider" "github_prod" {3 workload_identity_pool_id = "github-pool"4 display_name = "GitHub Actions - Production Only"5 attribute_condition = <<-EOT6 assertion.repository == "my-org/prod-pipeline" &&7 assertion.repository_owner == "my-org" &&8 assertion.ref == "refs/heads/main" &&9 assertion.environment == "production"10 EOT11 oidc {12 issuer_uri = "https://token.actions.githubusercontent.com"13 }14}
The `attribute_condition` block enforces exact-match claim validation. Tokens from sibling repos, different branches, or staging environments are rejected at the IAM layer. They are rejected before they reach the exchange step.
Step two: configure the federated identity credential for workload identity federation scenarios (GitHub Actions, Kubernetes, external compute). Require exact-match claims. Disable token exchange paths that strip the audience. The exchange endpoint must validate the original `iss` and `sub` against a per-tenant allowlist before minting any new token.
Step three: enforce that federated access tokens used with unsupported services must go through the exchange layer. The exchange layer needs its own trust policy, separate from the cloud IAM trust policy, and must validate the original issuer and subject against a per-tenant allowlist before minting any new token.
Step four: instrument the IAM trust evaluation path. Log every cross-tenant token acceptance. Alert on any token whose `iss` or `sub` does not match the expected pattern for the receiving tenant. This log is also the audit artifact. Your IAM and Kubernetes teams need it to prove boundary enforcement.
Configuration alone won't satisfy an auditor who asks how you prove the boundary holds under pressure. That requires continuous verification.
Zero Trust Audits: Verifying Tenant Boundaries in Federated Setups
Zero trust architecture operates on the principle of never trust, always verify. Applied to workload identity, this means every token acceptance is re-evaluated against the current trust policy. It is not cached from initial registration.
Cloud audit compliance fails when auditors discover a federated identity from a non-production tenant can access production data planes. The control framework expects tenant-level isolation to be enforced at the IAM layer. A trust policy that inherits from the org hierarchy fails this control. A trust policy with wildcard subject matching fails this control. A token exchange path that strips the original claims fails this control.
Continuous verification requires three things: - A live registry of trusted issuer-subject pairs, updated every time the OIDC provider configuration changes. - Automated drift detection when OIDC provider metadata changes, so a silent update to the IdP's claim format doesn't go unnoticed. - A deny-by-default policy for any token whose claims are not explicitly allowlisted, with no exceptions for "trusted" orgs or projects.
This is the same pattern applied in zero trust architecture for service mesh identity. It's adapted for cloud-native workload identity. The boundary is the claim pattern, not the network segment. The verification happens at token evaluation time, not at policy registration time. The devops team owns the registry, not just the pipeline.
The common thread is that the trust boundary is documented as a claim pattern. It is not inferred from project hierarchy. Auditors can read it. Security teams can verify it. Engineering teams can reproduce it.
With the boundary enforced and audited, the operational shift becomes visible. It becomes visible in incident response, blast radius, and the kind of evidence you can hand to a regulator.
What Changes When Federation Trusts Correctly
Incident response shifts. You stop chasing phantom access events in logs. Why? Because the IAM layer rejects them before they reach data planes. The token never makes it past the trust evaluation step. The alert is the rejection, not the downstream access attempt.
Audit cycles compress. Trust boundaries are documented as exact-match claim policies. They are not inferred from project hierarchy. Auditors don't need to trace org structures to figure out what a token can access. They read the claim pattern and know.
Cross-cloud workload identity federation becomes safe to scale. AWS to Azure. GCP to Azure. GitHub Actions to any of them. The same claim validation pattern applies across providers. Why? Because `iss` and `sub` are OIDC-standard claims, not provider-specific. A workload migrating from one cloud to another carries its trust boundary with it. Federated cloud migration projects stop being security incidents waiting to happen.
The shift is small in code, large in consequence. The trust boundary moves from implicit to explicit. It moves from org-level to workload-level. It moves from registered to continuously verified. That's the difference between a federation that passes integration tests and a federation that holds up under audit.
Map your trust policies to exact-match claims this week, starting with the tenant that has the most cross-environment federation traffic.
Frequently Asked Questions
Q: What causes federated workload identity to trust the wrong tenant?
A: Mismatched issuer and subject claims in the external token. When the OIDC trust policy uses wildcards, prefix matches, or org-level configurations instead of exact-match claim validation, tokens from a sibling project or non-production tenant can be accepted by production resources.
Q: How does workload identity federation work across cloud providers?
A: Workload identity federation lets a software workload running on one platform exchange a token from an external IdP for a cloud-native access token. The receiving cloud validates the issuer URL and subject claim against its trust policy before issuing credentials.
Q: Can a federated access token be used directly, or does it need to be exchanged?
A: It depends on the service. Some services accept federated tokens directly. Others require you to exchange the federated access token for an unrestricted token before the request can proceed. The exchange step must itself validate the original issuer and subject claims.
Q: How does zero trust architecture apply to workload identity?
A: Zero trust means every token acceptance is continuously re-verified against the current trust policy. It is not trusted based on initial registration. Applied to workload identity, this requires exact-match claim validation, deny-by-default policies, and drift detection on OIDC provider metadata.
Q: What audit evidence proves federated tenant boundaries are enforced?
A: Auditors expect three artifacts: a registry of trusted issuer-subject pairs per tenant, logs of every cross-tenant token acceptance with claim-level detail, and automated alerts on any token whose `iss` or `sub` does not match the allowlist. Without these, federated setups fail cloud audit compliance reviews.
Sources
Research and references cited in this article:
- Troubleshoot Workload Identity Federation | Identity and Access Management (IAM) | Google Cloud Documentation
- Troubleshoot workload identity service connections - Azure Pipelines | Microsoft Learn
- Fix Firebase Deploy Failures Caused by Workload Identity Federation Issues
- Troubleshooting - Azure AD Workload Identity
- Azure DevOps Workload Identity Federation Fix Guide
- Zero-Trust Architecture: How to Move From Network ...
- Implement zero trust | Cloud Architecture Center | Google Cloud Documentation
- Zero trust architecture - Article
- Zero Trust in 2026: Principles, Technologies & Best Practices
- Implementing a Zero Trust Architecture | BigID
- The Common Cloud Misconfigurations That Lead to Cloud Data Breaches
- Cloud Misconfiguration: Risks, Examples, and Best Practices for Compliance
About the author
Mayank Singh is a software developer at Levitation Infotech, where he builds web and AI-powered applications across the company’s fintech, healthcare, and enterprise projects.
