Cloud Workload Identity and Delegated Entities

Note

This is a Preview feature.

Cloud Workload Identity and delegated entities are currently only available for workspaces deployed on AWS. This feature is not supported on Shared Edition.

Cloud Workload Identity is a set of additional components (Kubernetes and AWS resources and configurations) provisioned for each workspace. It enables workspace workloads to use IAM Roles for Service Accounts (IRSA) to access cloud resources without long‑lived static credentials. The identity is represented by an IAM role ARN, and workloads can use it to authenticate to cloud provider services without storing or rotating static credentials.

Note

Cloud workload identity is unique to a workspace group. A workspace inherits the identity configuration from the workspace group that contains it.

Delegated entities are customer-owned AWS IAM roles that a workspace's cloud workload identity is allowed to assume. This enables pipelines and other workloads to access resources such as Amazon S3 using short‑lived credentials instead of AWS access keys.

Configure Delegated Entities

To access cloud resources using cloud workload identity, perform the following tasks:

  1. Get the cloud workload identity ARN for your workspace.

  2. Configure an IAM role in your AWS account.

  3. Add delegated entities.

Note

You can configure a maximum of 20 delegated entities for each workspace group.

You can get the cloud workload identity and configure delegated entities using either the Cloud Portal or the Management API. Once the delegated entities are configured, you can access cloud resources using the ARN of your IAM role. For example, you can use cloud workload identity instead of static credentials to load data via S3 pipelines. Refer to Load Data from Amazon Web Services (AWS) S3 for an example.

Get the Cloud Workload Identity ARN for your Workspace

The cloud workload identity value is the IAM role ARN of your workspace, for example: arn:aws:iam::0000000000:role/xxxxxxxxxxxxxx.

Using the Cloud Portal

  1. Log in to the Cloud Portal.

  2. Select <your_deployment> > Security.

  3. Copy the cloud workload identity ARN of your SingleStore workspace specified under Delegated Entities > Configure trust relationship.

Using the Management API

Use the Identity path (/v1/workspaces/{workspaceID}/identity endpoint) in the Management API to obtain the cloud workload identity ARN of your SingleStore workspace. For example:

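    # <your_api_key> is a placeholder for your Management API key.
    curl -X 'GET' \
      'https://api.singlestore.com/v1/workspaces/xxxx/identity/' \
      -H 'accept: application/json' \
      -H 'Authorization: Bearer <your_api_key>'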

Refer to Management API and Management API Reference for related information.

Configure an IAM Role in your AWS Account

To use delegated entities, configure an IAM role in your AWS account that the workspace's cloud workload identity can assume. Perform the following tasks:

  1. Create an IAM role in your AWS account with the necessary privileges. You can also use an existing IAM role.

  2. Update the IAM role's trust policy to allow the workspace's cloud workload identity to assume the role. Specify the cloud workload identity ARN of your workspace copied earlier. For example:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "AWS": "<workspace_cloud_workload_identity_arn>"
          },
          "Action": "sts:AssumeRole"
        }
      ]
    }
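The trust policy is the control that decides who can obtain this role's credentials, so it is worth checking that the workspace's cloud workload identity is the only principal it admits. The following check is an added example, not SingleStore or AWS code; the ARNs, sample policies and function names are constructed for illustration.

```python
import json
from fnmatch import fnmatchcase

# Constructed sample values: placeholder account ID and role name, not real identities.
WORKLOAD_ARN = "arn:aws:iam::111122223333:role/example-workspace-identity"
GOOD_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": WORKLOAD_ARN}, "Action": "sts:AssumeRole"}]})
BROAD_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow",
     "Principal": {"AWS": [WORKLOAD_ARN, "arn:aws:iam::111122223333:root"]},
     "Action": ["sts:AssumeRole"]},
    {"Effect": "Allow", "Principal": "*", "Action": "sts:*"}]})


def as_list(value):
    """IAM accepts either a single value or a list for Statement, Action and Principal."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def audit_trust_policy(policy_json, workload_arn):
    """Return one finding per principal, other than workload_arn, that an
    Allow statement lets call sts:AssumeRole."""
    findings = []
    statements = as_list(json.loads(policy_json).get("Statement"))
    for i, stmt in enumerate(statements):
        # Action entries may contain wildcards ("sts:*", "*"), so match them as patterns.
        actions = [a.lower() for a in as_list(stmt.get("Action"))]
        grants_assume = any(fnmatchcase("sts:assumerole", a) for a in actions)
        if stmt.get("Effect") != "Allow" or not grants_assume:
            continue
        principal = stmt.get("Principal")
        if not isinstance(principal, dict):
            # Covers "Principal": "*" and statements that use NotPrincipal instead.
            findings.append(f"statement {i}: principal is {principal!r}, not an explicit ARN")
            continue
        for kind, values in principal.items():
            for value in as_list(values):
                if kind == "AWS" and value == workload_arn:
                    continue
                findings.append(f"statement {i}: unexpected {kind} principal {value}")
    return findings


if __name__ == "__main__":
    for name, doc in (("good", GOOD_POLICY), ("broad", BROAD_POLICY)):
        print(name, audit_trust_policy(doc, WORKLOAD_ARN) or "OK")
```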

Add Delegated Entities

Add delegated entities to your workspace. Once the delegated entities are created, you can access cloud resources without using persistent static credentials.

Using the Cloud Portal

  1. Log in to the Cloud Portal.

  2. Select <your_deployment> > Security.

  3. Under the Delegated Entities section, select Add Entity.

  4. Add the ARN of your IAM role to the delegated entities list. You can also enter a role ARN pattern to match multiple roles that share a common naming pattern, such as arn:aws:iam::987654321098:role/singlestore-*. Patterns provide a flexible mechanism to configure delegated entities.

  5. Save the configuration.

Using the Management API

Use the Delegated Entities path (/v1/workspaces/{workspaceID}/delegatedEntities endpoint) in the Management API to add one or more delegated entities (ARN of your IAM role) to the workspace.

Note

Adding delegated entities at the workspace level also updates the delegated entities for the workspace group that contains it.

You can also view and delete the delegated entities for a workspace. Refer to Management API Reference for more information.
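A role ARN pattern admits every role whose name matches it, including roles created after the pattern is saved, so a proposed list is worth reviewing against the roles that exist in the account. The following review is an added example, not SingleStore code; it assumes `*` matches any run of characters (the page does not specify the matching rules), and the role names and function name are constructed.

```python
from fnmatch import fnmatchcase

MAX_DELEGATED_ENTITIES = 20  # limit per workspace group stated on this page


def review_delegated_entities(entities, role_inventory, approved_roles):
    """Return findings for a proposed delegated-entities list.

    entities       -- role ARNs or ARN patterns to be configured
    role_inventory -- role ARNs that exist in the target AWS account(s)
    approved_roles -- role ARNs the workspace is actually meant to assume
    """
    findings = []
    if len(entities) > MAX_DELEGATED_ENTITIES:
        findings.append(f"{len(entities)} entities exceed the limit of {MAX_DELEGATED_ENTITIES}")
    for entity in entities:
        parts = entity.split(":", 5)  # arn:partition:iam::account-id:role/name
        if len(parts) != 6 or parts[0] != "arn" or parts[2] != "iam" \
                or not parts[5].startswith("role/"):
            findings.append(f"{entity}: not an IAM role ARN or pattern")
            continue
        if "*" in parts[4]:
            findings.append(f"{entity}: wildcard in the account ID")
        # Assumption: '*' matches any run of characters (shell-style glob).
        for role in role_inventory:
            if fnmatchcase(role, entity) and role not in approved_roles:
                findings.append(f"{entity}: also matches unapproved role {role}")
    return findings


# Constructed inventory; the account ID and pattern are the example values from the page.
ACCOUNT = "arn:aws:iam::987654321098:role/"
INVENTORY = [ACCOUNT + "singlestore-pipeline-s3", ACCOUNT + "singlestore-admin",
             ACCOUNT + "billing-export"]
APPROVED = {ACCOUNT + "singlestore-pipeline-s3"}

if __name__ == "__main__":
    for line in review_delegated_entities([ACCOUNT + "singlestore-*"], INVENTORY, APPROVED):
        print(line)
```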

Last modified: January 28, 2026
