Best Practices for Workloads¶
Choose the Right Authentication Method¶
Prefer credential-less authentication methods wherever your environment supports them. Credential-less methods eliminate static secrets that must be rotated and reduce the risk of credential exposure.
| Method | Credential-less? | Recommended When |
|---|---|---|
spiffe_spire |
Yes | Service mesh or SPIFFE/SPIRE infrastructure already deployed |
azure_jwt |
Yes | Workload runs in Azure (VM, AKS, App Service) |
azure_arc |
Yes | On-premises or edge server enrolled in Azure Arc |
oidc_oauth2 |
Yes | Custom or internal OIDC-compatible identity provider available |
pki_certificate |
No | Existing PKI infrastructure; environments without an OIDC provider |
client_secret |
No | Development, testing, or environments with no other option |
Reserve client_secret and pki_certificate for environments where credential-less methods are genuinely unavailable. If you use client_secret, rotate the secret on a regular schedule and treat it with the same care as a database password.
Scope Access to the Minimum Required Lockers¶
Grant each Workload access only to the Lockers it actually needs. A Workload that has access to five Lockers when it only reads from one represents unnecessary exposure. Review access grants regularly and revoke any that are no longer required.
Use the Locker's Workload Access tab to audit which Workloads have access to each Locker.
Use Inactive Status for Temporary Suspension¶
If a Workload needs to be temporarily disabled — during an incident investigation, deployment freeze, or maintenance window — set its Status to Inactive rather than deleting it. This preserves configuration and access grants for re-enablement while immediately blocking access.
Choosing Between SaaS and Bridge Authentication¶
Direct SaaS authentication is the right default for cloud-native Workloads. Target a Bridge when the Workload has specific availability or latency requirements that the SaaS cannot meet.
| Use SaaS when… | Use a Bridge when… |
|---|---|
| The Workload runs in a cloud environment with reliable SaaS connectivity | The Workload runs on-premises or at the edge, co-located with a Bridge |
| Centralised audit logging is required in real time | Secrets retrieval must survive temporary SaaS outages |
| No on-premises Bridge exists or is warranted | Network latency to the SaaS is a concern |
| Multiple on-premises Workloads share the same Lockers |
When targeting a Bridge, ensure the Lockers required by the Workload are assigned to that Bridge's cache. If a Locker is not cached, the Bridge will return a 404 even if the Workload has a valid access grant. See Setting up Bridges for instructions on assigning Lockers to a Bridge cache.
Offline-Capable Bridge Access¶
If the Workload must continue to authenticate when neither the SaaS nor an external identity provider is reachable, use client_secret or pki_certificate. The Bridge validates both methods entirely from its in-memory credential data, with no external calls required.
For all other authentication methods (azure_jwt, azure_arc, spiffe_spire, oidc_oauth2), the Bridge must be able to reach the external identity provider to validate the token. If the identity provider is unreachable, authentication fails.
Handle Authentication Failures Gracefully¶
Applications consuming secrets via the Workload API should handle authentication failures and network errors with appropriate backoff and alerting. A Workload failure means the application cannot retrieve secrets — design for this case rather than crashing.
Monitor for Unauthorised Access¶
The audit log records every secrets download attempt, including workload.locker.download.unauthorised events. Alert on unexpected patterns — unauthorised attempts may indicate misconfigured access grants or credential misuse.
Next Steps¶
- Setting up Workloads — create Workloads and grant Locker access.
- Authentication — configure authentication methods.
- Introduction to Workloads — overview of the Workload delivery model.