Workload Identity and Service-to-Service Authentication
RCCE students will learn how applications, containers, serverless functions, and automation workflows authenticate securely without relying on long-lived shared secrets. RCCE students will learn to design workload identity models, use short-lived credentials, protect service trust, reduce machine-to-machine attack surface, and integrate strong authentication into cloud-native application architectures. The course covers practical scenarios ranging from workload onboarding to trust establishment, credential rotation, and abuse prevention. RCCE students will learn to analyze complex systems and think like an attacker to better defend the organization. This comprehensive course delivers practical knowledge applicable to real-world cybersecurity operations. Starting from foundational concepts, RCCE students will learn through a combination of concept explanation, practical demonstration, and hands-on exercises.
- Security Engineers building defensive controls
- Security Analysts and Blue Team members
- Systems Administrators with security responsibilities
- GRC and Risk Professionals supporting controls
- Professionals implementing Workload Identity and Service-to-Service Authentication
- Explain Course Overview fundamentals
- Execute hands-on tasks for what you will learn — covering Course Structure.
- Integrate privilege controls with identity providers and SIEM telemetry
- Execute hands-on tasks for key properties — covering Non-human identity assigned to software, Ephemeral — short-lived by design.
- Execute hands-on tasks for containers / pods — covering Kubernetes ServiceAccounts, Projected token volumes.
- Execute hands-on tasks for serverless functions — covering Execution role binding, Event-source trust chain, Instance metadata service.
- Execute hands-on tasks for kubernetes serviceaccounts — covering Projected token volumes.
- Execute hands-on tasks for vms / instances — covering Instance metadata service, Platform-issued certs.
- Execute hands-on tasks for ci/cd pipelines — covering OIDC federation to cloud, Short-lived deploy tokens.
| Module 01 | Course Overview |
| Module 02 | What You Will Learn |
| Module 03 | Why Workload Identity Matters |
| Module 04 | Key Properties |
| Module 05 | Human Identity |
| Module 06 | Machine/Workload Identity |
| Module 07 | Workload Identity Taxonomy |
| Module 08 | Containers / Pods |
| Module 09 | Serverless Functions |
| Module 10 | Kubernetes ServiceAccounts |
| Module 11 | VMs / Instances |
| Module 12 | CI/CD Pipelines |
| Module 13 | SPIFFE Framework Overview |
| Module 14 | Secure Production Identity Framework |
All hands-on labs run on Rocheston Rose X OS. Students practice workload identity and service-to-service authentication by implementing the controls discussed in class, with a focus on real-world deployment, monitoring, and validation.
- Lab 1: Explain Course Overview fundamentals
- Lab 2: Execute hands-on tasks for what you will learn
- Lab 3: Integrate privilege controls with identity providers and SIEM telemetry
- Lab 4: Execute hands-on tasks for key properties
- Lab 5: Integrate privilege controls with identity providers and SIEM telemetry
Upon successful completion of this course, students will receive an official RCCE Course Completion Certificate for Workload Identity and Service-to-Service Authentication, verifiable through the Rocheston certification portal.
- Full access to all course materials and slide decks
- Hands-on lab access on Rocheston Rose X OS environment
- Access to Rocheston CyberNotes
- Access to Rocheston Zelfire — EDR/XDR SIEM platform
- Access to Rocheston Raven — online cyber range exercise platform
- Access to Rocheston Vulnerability Vines AI