
About authentication

Connection for Next-Gen Trust Security (Connection resource) authenticates to NGTS through a Built-in Account using a private key JSON Web Token (JWT) or Workload Identity Federation (WIF).

Private key JWT

With private key JWT, Connection resource reads a private key from a Kubernetes Secret, signs a short-lived JWT with it, and exchanges that JWT with NGTS for an OAuth 2.0 bearer token. When you create the Built-in Account, either NGTS generates the key pair for you or you supply your own. Because the private key lives in a Kubernetes Secret, anyone who can read that Secret can mint assertions for the account, so restrict access to it with RBAC; the short lifetime of each JWT limits how long a captured assertion stays useful.

Setup is done once per cluster for each component. After that, Connection resource generates and renews tokens automatically.

Workload Identity Federation

With WIF, Connection resource requests a short-lived ServiceAccount token from the Kubernetes API (the TokenRequest API, scoped to the NGTS audience) and presents it to NGTS for validation. Kubernetes acts as the OIDC provider, so no long-lived private key for this identity has to be stored in the cluster.

When you create the Built-in Account, you configure it to trust the cluster's OIDC issuer by providing the issuer URL, the subject (the ServiceAccount identity), and the audience. NGTS accepts a token only when its iss, sub, and aud claims match those values and its signature verifies against the issuer's published keys.
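The two flows above share one mechanism: a short-lived RS256 JWT minted by whoever holds the signing key (Connection resource with the key from the Secret, or the Kubernetes API server with the cluster's key) and a verifier that pins the algorithm, checks the signature before trusting any claim, then enforces expiry and an issuer/subject/audience policy. The example below is added here to show both sides of that exchange; it is not Connection resource or NGTS code. The account name, the `https://ngts.example/token` audience, the cluster issuer URL, the `ngts-system/connection` ServiceAccount, the single-string `aud` form, and the shape of the trust check are all assumptions; the page does not document NGTS's actual claim layout or token endpoint.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims is the subset of JWT claims both flows rely on; "aud" as a single string is an
// assumption (real ServiceAccount tokens may carry an array plus extra kubernetes.io claims).
type Claims struct {
	Issuer   string `json:"iss"`
	Subject  string `json:"sub"`
	Audience string `json:"aud"`
	Expiry   int64  `json:"exp"`
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }
func decodePart(s string, v interface{}) error {
	raw, err := base64.RawURLEncoding.DecodeString(s)
	if err != nil {
		return err
	}
	return json.Unmarshal(raw, v)
}

// SignRS256 mints a compact JWT. In the private key JWT flow Connection resource does this with
// the key read from the Secret; in WIF the Kubernetes API server does it with the cluster's key.
func SignRS256(key *rsa.PrivateKey, c Claims) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	body, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	input := b64(hdr) + "." + b64(body)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64(sig), nil
}

// TrustPolicy is what NGTS holds for a Built-in Account: trusted issuer, subject, audience and key.
type TrustPolicy struct {
	Issuer, Subject, Audience string
	Key                       *rsa.PublicKey
}

// VerifyRS256 pins alg to RS256 (rejecting "none" and key-confusion tokens), checks the
// signature before trusting any claim, then enforces expiry and the iss/sub/aud policy.
func VerifyRS256(token string, p TrustPolicy, now time.Time) (Claims, error) {
	var c Claims
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return c, errors.New("malformed token")
	}
	var hdr struct{ Alg string `json:"alg"` }
	if err := decodePart(parts[0], &hdr); err != nil || hdr.Alg != "RS256" {
		return c, errors.New("unexpected alg")
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err != nil || rsa.VerifyPKCS1v15(p.Key, crypto.SHA256, digest[:], sig) != nil {
		return c, errors.New("bad signature")
	}
	if err := decodePart(parts[1], &c); err != nil {
		return c, err
	}
	switch {
	case now.Unix() >= c.Expiry:
		return c, errors.New("token expired")
	case c.Issuer != p.Issuer || c.Subject != p.Subject:
		return c, errors.New("untrusted issuer or subject")
	case c.Audience != p.Audience:
		return c, errors.New("audience mismatch")
	}
	return c, nil
}

func main() {
	// Stand-in keys: the Secret's key pair (private key JWT) and the cluster's signing key (WIF).
	accountKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	clusterKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	now := time.Now()
	assertion, _ := SignRS256(accountKey, Claims{"builtin-account", "builtin-account", "https://ngts.example/token", now.Add(5 * time.Minute).Unix()})
	_, err := VerifyRS256(assertion, TrustPolicy{"builtin-account", "builtin-account", "https://ngts.example/token", &accountKey.PublicKey}, now)
	fmt.Println("private key JWT accepted:", err == nil)
	saToken, _ := SignRS256(clusterKey, Claims{"https://kubernetes.default.svc.cluster.local", "system:serviceaccount:ngts-system:connection", "ngts", now.Add(10 * time.Minute).Unix()})
	policy := TrustPolicy{"https://kubernetes.default.svc.cluster.local", "system:serviceaccount:ngts-system:connection", "ngts", &clusterKey.PublicKey}
	_, err = VerifyRS256(saToken, policy, now.Add(time.Hour))
	fmt.Println("WIF token an hour later:", err)
}
```

In a real WIF deployment the token is not minted locally: Connection resource obtains it from the TokenRequest API (the CLI equivalent is `kubectl create token <serviceaccount> --audience <aud>`), and the verifier fetches the cluster's public keys through OIDC discovery on the issuer URL rather than holding a `*rsa.PublicKey` in a struct. The order of checks is the part worth copying: algorithm pinning and signature verification come first, so unsigned or foreign-key tokens never reach the claim comparison, and the subject check is what stops a token for a different ServiceAccount in the same cluster from being accepted for this Built-in Account.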

What's next?

Configure Connection resource to authenticate with NGTS using either private key JWT or Workload Identity Federation.