Problem
The prebuilds system user has a hardcoded email (prebuilds@system) and username (prebuilds). In enterprise environments with mTLS or certificate-based authentication, this is a blocker for running warmup scripts that need to authenticate to internal services during the prebuild phase.
Use Case
Our workspace warmup includes accessing a service secured with mTLS. To obtain device certificates from our internal CA:
- The certificate CN must match a valid corporate email (e.g. *@company.com).
- A certificate auth lambda validates that the requested CN matches tags on the EC2 instance set in the template terraform.
- This warmup step is the longest part of provisioning — re-running it after claim defeats the purpose of prebuilds.
The current prebuilds@system email cannot pass these identity checks without special-casing downstream auth infrastructure, which is undesirable.
Proposed Solution
Allow administrators to configure identity attributes (at minimum email, optionally name) for the prebuilds system user, either via:
- Server configuration flags / environment variables
- An admin API endpoint
- Deployment settings in the dashboard
The prebuilds user UUID and internal system behavior should remain unchanged — only the externally-visible identity metadata needs to be configurable.
Impact
This likely affects any enterprise deployment using zero-trust / mTLS / cert-based auth where identity is validated during workspace provisioning or warmup.
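Added example, not part of the original issue and not code from the reporter or the project: a sketch of the kind of CN check described under Use Case, showing that prebuilds@system is rejected on the domain rule before the tag comparison is reached. The tag key `OwnerEmail`, the function name, the validation rules and the sample addresses are assumptions.

```python
from __future__ import annotations

import hmac
import re

# Assumptions (not from the issue): tag key name and the exact rules below.
OWNER_TAG = "OwnerEmail"        # hypothetical EC2 tag set by the template Terraform
ALLOWED_DOMAIN = "company.com"  # the issue's example domain

_LOCAL_PART = re.compile(r"[a-z0-9._+-]{1,64}")


def authorize_cn(requested_cn: str, instance_tags: dict) -> tuple[bool, str]:
    """Decide whether a certificate may be issued for requested_cn."""
    cn = requested_cn.strip().lower()
    # Split on the last '@' so "a@b@company.com" fails the local-part check.
    local, sep, domain = cn.rpartition("@")
    if not sep or not _LOCAL_PART.fullmatch(local):
        return False, "cn is not an email address"
    if domain != ALLOWED_DOMAIN:
        return False, "cn is outside the corporate domain"
    tagged = instance_tags.get(OWNER_TAG, "").strip().lower()
    if not tagged:
        return False, "instance has no owner tag"
    # Compare as bytes in constant time; the tag is the source of truth.
    if not hmac.compare_digest(cn.encode(), tagged.encode()):
        return False, "cn does not match the instance tag"
    return True, "ok"


def demo() -> dict:
    """Run constructed requests: (requested CN, instance tags)."""
    cases = {
        "hardcoded": ("prebuilds@system", {OWNER_TAG: "prebuilds@system"}),
        "configured": ("prebuilds@company.com", {OWNER_TAG: "prebuilds@company.com"}),
        "mismatch": ("alice@company.com", {OWNER_TAG: "bob@company.com"}),
        "untagged": ("alice@company.com", {}),
    }
    return {name: authorize_cn(cn, tags) for name, (cn, tags) in cases.items()}


if __name__ == "__main__":
    for name, (allowed, reason) in demo().items():
        print(f"{name:10} allowed={allowed} reason={reason}")
```

The "hardcoded" case fails even when the instance tag is set to the same value, which is why changing the template alone does not help without a configurable email.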