OIDC Workload Identity Support for Zero-Trust / Sovereign Cloud / Secure AI Factory Deployments

[stevefulme1]

Summary

Ansible Automation Platform is expanding its OIDC Identity Provider capability to enable zero-trust workload identity across the automation ecosystem. AAP-issued short-lived JWT tokens allow running automation jobs to authenticate to external platforms without static credentials — eliminating credential sprawl and meeting sovereign cloud and secure AI factory compliance requirements.

We are evaluating whether purestorage.flasharray can support OIDC workload identity authentication to Pure Storage FlashArray, and would appreciate your input on feasibility.

Context

• Current auth model in this collection: REST API with API token authentication
• Proposed flow: AAP issues a JWT → job presents it to Pure Storage FlashArray → platform validates against AAP's OIDC discovery endpoint → platform grants access
• Use cases: Zero-trust automation, sovereign cloud deployments, secure AI factory infrastructure, regulated environments requiring no static credentials

Questions for Maintainers

1. Does Pure Storage FlashArray support OIDC/OAuth2 token validation from external identity providers today?
2. Could this collection accept a bearer token or JWT as an alternative authentication method?
3. Are there any API endpoints that already support token-based auth that could be leveraged?
4. What level of effort would be required to add OIDC token auth as an option alongside existing auth methods?
5. Are there any architectural constraints in the collection's auth layer that would make this difficult?

References

• AAP OIDC Provider follows the same pattern as GitHub Actions OIDC and GitLab CI ID tokens

We're happy to collaborate on this and can provide technical details about the AAP JWT claims schema and token exchange patterns.