Setting up Workloads¶
This page covers creating and managing Workloads in the Zaita portal and granting them access to Lockers.
Creating a Workload¶
- Navigate to Secrets → Workloads.
- Click Add Workload.
- Enter a Name and optional Description for the Workload.
- Select the Authentication Method from the dropdown. The form will update to display the configuration fields required for the chosen method.
- Complete the authentication configuration (see Authentication).
- Click Save.
For client_secret and pki_certificate methods, the platform generates a Client ID at creation time. For client_secret, the Client Secret is displayed once immediately after creation — copy it now, as it cannot be retrieved later.
Editing a Workload¶
- Navigate to Secrets → Workloads.
- Click the Workload name to open its detail view.
- Edit the Name, Description, Status, or Authentication Configuration as required.
- Click Save.
Regenerating Credentials¶
For client_secret Workloads, you can regenerate the Client Secret at any time:
- Open the Workload detail view.
- Click Regenerate Client Secret.
- Confirm the action. The new secret is displayed once — copy it immediately.
The previous Client Secret is invalidated immediately upon regeneration. Update the Workload's configuration before regenerating to avoid downtime.
Updating a Certificate¶
For pki_certificate Workloads, you can upload a replacement certificate:
- Open the Workload detail view.
- Paste the new PEM-encoded X.509 certificate into the Certificate field.
- Click Update Certificate.
The platform extracts and stores the certificate's fingerprint for use in authentication checks.
Disabling a Workload¶
Rather than deleting a Workload, you can set its Status to Inactive. An inactive Workload's credentials are rejected by the API without removing its configuration or access grants. This is useful for temporarily suspending access during an incident or maintenance window.
Deleting a Workload¶
- Open the Workload detail view.
- Click Delete Workload.
- Confirm the deletion.
All Locker access grants for the deleted Workload are removed. Applications using the Workload's credentials will immediately lose access to secrets.
Granting a Workload Access to a Locker¶
A Workload must be explicitly granted access to each Locker it needs to read. Access is managed through the Locker's Workload Access tab:
- Navigate to Secrets → Inventory and open the Locker.
- Select the Workload Access tab.
- Click Grant Access and select the Workload.
- Click Grant.
To revoke access, click Revoke on the Workload's row in the same tab.
See Managing Lockers and Secrets for full access management instructions.
Targeting a Bridge¶
A Workload can retrieve secrets from a Bridge's local cache instead of the SaaS platform. No portal configuration is required — the Bridge automatically serves the secrets that sit at the intersection of:
- The Workload's existing Locker access grants.
- The Lockers currently assigned to that Bridge's cache.
To configure a Workload to use a Bridge, change the base URL in the Workload's API calls from the SaaS endpoint to the Bridge's address:
| Target | Base URL |
|---|---|
| SaaS | https://<tenant>.zaita.io |
| Bridge | https://<bridge-host> |
The API path and request format remain identical. For example, to download all accessible Lockers via a Bridge:
POST https://<bridge-host>/api/v1/workload/lockers/download-all
Authorization: Bearer <client_id>:<client_secret>
The Bridge presents its own TLS certificate, managed automatically by the Zaita Bridge agent. The Workload should trust the Bridge's certificate as it would any internal service endpoint.
If a requested Locker is not cached on the Bridge — even if the Workload has a valid access grant — the Bridge returns a 404 Not Found response. Assign the Locker to the Bridge cache via the Locker's Bridge Cache tab to make it available.
Audit Events¶
SaaS Events¶
| Event | Description |
|---|---|
workload.created |
A new Workload was registered |
workload.updated |
A Workload's configuration was modified |
workload.deleted |
A Workload was deleted |
workload.credentials_regenerated |
Client Secret was regenerated |
workload.locker.download.success |
Workload successfully downloaded a Locker from the SaaS |
workload.locker.download.unauthorised |
Workload attempted to access a Locker it is not authorised for |
Bridge Events¶
Bridge-side events are generated locally by the Bridge and forwarded to the platform audit log during the next heartbeat cycle.
| Event | Description |
|---|---|
bridge.workload.auth.success |
Workload authenticated to the Bridge successfully |
bridge.workload.auth.failed |
Workload authentication against the Bridge failed |
bridge.workload.locker.download.success |
Workload successfully downloaded a Locker from the Bridge |
bridge.workload.locker.download.unauthorised |
Workload attempted to access a Locker it is not authorised for, or that is not cached on this Bridge |
Next Steps¶
- Authentication — configure the Workload's authentication method.
- Managing Lockers and Secrets — manage Locker access grants.
- Best Practices for Workloads — authentication selection and access scoping.