Access without long-lived keys
Short-lived kubectl. No static cloud keys at runtime.
wf access cluster issues a short-lived kubectl session scoped to the developer's namespace. Workloads reach AWS, Azure or GCP via OIDC trust. No long-term keys in the cluster or on a laptop.
wf access cluster - time-bound kubeconfig mapped to Kubernetes RBAC
wf access namespace - a namespace on a chosen cluster, mapped to your workspace role
- Workloads authenticate to cloud APIs via OIDC trust, not keys
For the platform team's side of the same story - per-workload IAM, the audit trail, the policy gates - see Security.