
I Deleted Every Static Claude API Key I Owned. Here’s the Keyless Migration, Provider by Provider.

Thursday, June 25, 2026 | Anup Karanjkar
Author(s): Anup Karanjkar

Originally published on Towards AI.

Workload Identity Federation just hit GA — the per-provider setup, and the precedence trap that cost me two quiet days

Last Tuesday I went looking for every static Claude API key I owned, and stopped counting at eleven.

The author recounts migrating from long-lived static Claude API keys to keyless authentication using Workload Identity Federation (WIF), emphasizing that federation doesn’t truly “delete” the secret—it moves trust and credentials upstream to the identity provider. They explain how the system works (issuer, service account, federation rule; runtime JWT exchange to short-lived access tokens), then share the critical migration gotcha: the SDK’s credential precedence chain means that if an environment variable like ANTHROPIC_API_KEY is still present anywhere, it will silently override WIF and make the migration appear successful while doing nothing.

The post provides a reliable no-downtime cutover sequence (configure federation in parallel, verify with ant auth status, remove the key everywhere, confirm federation wins, then revoke), and gives guidance for setting tight match conditions per provider (GitHub Actions, Kubernetes, AWS, GCP, Entra/Okta) to avoid wildcard rules.

Finally, it stresses what WIF doesn’t solve—upstream IdP misconfiguration, lack of attestation for runtime workload identity, and limited auditability across governance frameworks—so “keyless” must be paired with proper IdP security and auditing of the trust hop you can’t see.
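The "remove the key everywhere" step is where the precedence trap hides, so a pre-cutover audit helps. The script below is an added example, not code from the original post or from any SDK: it lists every place a repository tree or the current environment still sets ANTHROPIC_API_KEY, without printing the value. The function names and the sample tree are constructed for illustration, and the patterns cover dotenv, shell, GitHub Actions and Kubernetes env blocks, and Dockerfile ENV lines.

```shell
#!/bin/sh
# Added example: pre-cutover audit for the credential precedence trap.
# Reports where ANTHROPIC_API_KEY is still set; never prints a value.
KEY_VAR="ANTHROPIC_API_KEY"

# Emit "<kind><TAB><path>:<line>" for every hit under directory $1.
# kind is "sets" for assignments (dotenv, shell, YAML env, Dockerfile ENV),
# "mentions" otherwise. Assumes paths contain no ':'.
scan_tree() {
  grep -rnH -e "$KEY_VAR" "$1" 2>/dev/null | grep -v '/\.git/' |
  awk -v k="$KEY_VAR" '{
    split($0, f, ":"); loc = f[1] ":" f[2]
    text = substr($0, length(loc) + 2)   # matched line, used only to classify
    kind = "mentions"
    if (text ~ ("(^|[^A-Za-z0-9_])" k "[ \t]*[=:]") ||
        text ~ ("name:[ \t]*[^A-Za-z0-9_]?" k "([^A-Za-z0-9_]|$)") ||
        text ~ ("ENV[ \t]+" k "[ \t]"))
      kind = "sets"
    print kind "\t" loc
  }'
}

# Number of locations under $1 that set the variable.
count_sets() { scan_tree "$1" | grep -c '^sets' || true; }

# True when the variable exists in this process environment, even if empty
# (treating empty as present is a conservative assumption).
env_has_key() { [ -n "${ANTHROPIC_API_KEY+x}" ]; }

# Gate for the "remove the key everywhere" step: succeeds only when the
# environment and the tree under $1 no longer set the variable.
cutover_ready() {
  if env_has_key; then echo "environment: $KEY_VAR is set" >&2; return 1; fi
  [ "$(count_sets "$1")" -eq 0 ]
}

# Constructed sample tree (not from the original post); the value is a placeholder.
make_demo_tree() {
  d=$(mktemp -d)
  mkdir -p "$d/.github/workflows" "$d/k8s" "$d/app"
  printf 'ANTHROPIC_API_KEY=placeholder-not-a-real-key\n' > "$d/app/.env"
  printf 'env:\n  ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}\n' \
    > "$d/.github/workflows/ci.yml"
  printf 'env:\n- name: ANTHROPIC_API_KEY\n  valueFrom: {}\n' > "$d/k8s/deploy.yaml"
  printf '# ANTHROPIC_API_KEY is no longer needed after federation\n' > "$d/README.md"
  echo "$d"
}

# Usage: scan_tree /path/to/repo ; cutover_ready /path/to/repo && echo "no static key left"
```

A tree scan only sees what is checked in; secrets injected by a CI system, an orchestrator or a host profile still need the same check inside the running workload's environment.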