istio.io/content/help/glossary/workload-principal.md

title
Workload Principal

Identifies the verifiable authority under which a workload runs. Istio's service-to-service authentication is used to produce the workload principal. By default workload principals are compliant with the SPIFFE ID format.

• Multiple workloads may share the same workload principal, but each workload has a single canonical workload principal
• Workload principals are accessible in Istio configuration as the source.user and destination.user attributes.