Issue workload identities on distributed runners

api/runner/rpc.yml

@@ -159,6 +159,47 @@ interfaces:
             type: string
             doc: Error message if removal failed
 
+      - name: WorkloadIssuerInfo
+        index: 6
+        doc: |
+          Report whether the coordinator has a workload identity issuer
+          configured, and its issuer URL. Distributed runners call this once at
+          startup to decide whether to mint workload identity tokens via the
+          coordinator.
+        results:
+          - name: enabled
+            type: bool
+            doc: Whether a workload identity issuer is configured on the coordinator
+          - name: issuer_url
+            type: string
+            doc: The issuer URL (iss claim anchor) when enabled
+
+      - name: IssueWorkloadToken
+        index: 7
+        doc: |
+          Mint a workload identity token for a sandbox. Distributed runners,
+          which do not hold the cluster signing key, call this to obtain tokens
+          signed by the coordinator. The application identity is derived from the
+          sandbox by the coordinator, not supplied by the caller.
+        parameters:
+          - name: sandbox_id
+            type: string
+            doc: Sandbox ID the token is issued for
+          - name: audience
+            type: list
+            element: string
+            doc: Optional token audiences (defaults to "miren" when empty)
+          - name: ttl_seconds
+            type: int64
+            doc: Optional token TTL in seconds (0 uses the issuer default)
+        results:
+          - name: token
+            type: string
+            doc: The signed workload identity token (JWT)
+          - name: error
+            type: string
+            doc: Error message if issuance failed
+
 types:
   - type: InviteInfo
     doc: Information about a runner invite