pulumi · glena · May 15, 2024 · May 16, 2024 · May 16, 2024 · May 16, 2024
@@ -44,6 +44,19 @@ Agents poll Pulumi Cloud every 30 seconds to check for pending deployments and w
 If you are running the agent inside a firewall ensure to allow outbound requests to api.pulumi.com. Ensure agents have the cloud provider credentials to be able to deploy in your environments.
 {{% /notes %}}
 
+### Leveraging OpenID Authentication
+
+It is possible to use OpenID authentication to fetch Pulumi Pool tokens dynamically instead of configuring a static token for the agents. You must first register the OpenID provider as a trusted OIDC issuer in your Pulumi account, as documented at [OIDC documentation](/docs/pulumi-cloud/oidc/client).
+
+After registering the provider, this other information is required by the agent:
+
+- `organization_name`: your Pulumi Organization name
+- `runner_pool_id`: the pool ID that the instance will connect to
+- `token_expiration` (optional): the expiration in seconds for the tokens requested by the agent
+- `oidc_token_file`: the location of the file where the OIDC token will be recorded
+
+The agent will attempt to read the `oidc_token_file` for a fresh OIDC token and exchange it automatically for a Pulumi token every time the Pulumi token expires.
+
 ## Providing Credentials to Agents
 
 There are two methods to provide cloud provider credentials to the agents: