author: mo khan <mo@mokhan.ca> 2022-04-07 10:09:15 -0600
committer: mo khan <mo@mokhan.ca> 2022-04-07 10:09:15 -0600
commit: ab5eed8d73e6ecbbf9eda5984a2e4c798bcde006 (patch)
tree: 837492a1176b78f8f2e8301ff3b58ce95fd8c75d
parent: e27e3a6049180203f49dacdb357afcc30e426d91 (diff)
add notes on run identity
-rw-r--r-- doc/run-identity/README.md | 20
1 files changed, 20 insertions, 0 deletions
diff --git a/doc/run-identity/README.md b/doc/run-identity/README.md
new file mode 100644
index 0000000..cb9b119
--- /dev/null
+++ b/doc/run-identity/README.md
@@ -0,0 +1,20 @@
+We will be exploring the idea of Run Identity for TFC, and how it could be used
+to automate the authentication of Terraform providers at scale. While our work
+this quarter will determine the eventual solution, one direction that has been
+discussed would be to include a JWT with every run that includes the run's
+workspace and organization in its metadata.
+
+Our overarching goal though is to enable the Vault Provider to be programmatically
+configured to access a Workspace's secrets securely without the need to store
+and manage Vault credentials inside TFC.
+
+Reference Links:
+
+* [PRD](https://docs.google.com/document/d/1IGSX1eSk6zQw1Fk0LUuJ9KgeEZgQoPg7126NfnQbL1M/edit#)
+* [GitHub Example](https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#understanding-the-oidc-token)
+
+Related Field Requests:
+
+* [Workspace Authentication (w/ Vault)](https://app.asana.com/0/1118351459439625/1141373083986005)
+* [Vault Provider Authentication in TFE](https://app.asana.com/0/950583539553838/1169207799468041)
+* [[TFE] Cloud Provider Authentication (w/ Vault)](https://app.asana.com/0/1118351459439625/1169212936201843)
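Review bot: the JWT direction described in the first paragraph lists only the run's workspace and organization as token metadata, yet the second paragraph's goal is for the Vault Provider to reach a Workspace's secrets "securely" on the strength of that token; the README should also record who issues and signs the token, which audience it is scoped to, how long it is valid, and how Vault is expected to verify it, or at least name these as open design questions for the quarter's work, so the two listed claims are not read as the whole design. The linked GitHub OIDC page is a reasonable template for the shape of such a section. A minor style point: "this quarter" is undated and will age badly in a repository document; consider naming the quarter or the date.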