Here's the architecture for MIM services, whose components are described below:
Workload - (machine A) A software component (a VM, container, script, application, etc.) that invokes the MIM IDP through the MIM Client.
MIM Client - Client app that runs either directly on the workload as a Linux-compiled binary or as a sidecar (Docker container). The client protects the workload's private key, which is used to authenticate the workload to the MIM IDP as needed. It also retrieves ID tokens for workload authentication scenarios, sends metadata about its execution environment, and fetches secrets.
MIM IDP - Mosaic's machine identity provider, which manages workload identities. It issues ID tokens, enforces access controls, and fetches secrets as requested by the MIM Client.
Resource server - (machine R) Machine that accepts authenticated requests from the workload and provides access to protected resources.
Control plane - (Orchestrator) Administrative component that manages workloads and issues tickets to register new workload identities and manage their access.
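To make the division of responsibilities concrete, here is an added, self-contained Python model of the token path between the components above (example code, not Mosaic's MIM implementation). It assumes a hypothetical policy table populated by the control plane, a JWT-like claim set (iss, sub, aud, iat, exp), and an HMAC key shared between the IDP and resource servers as a stdlib-only stand-in for the asymmetric signature a real IDP would use.

```python
import base64, hmac, hashlib, json, time

# Constructed values: the MIM IDP is modelled as a token issuer holding a signing
# key that resource servers can verify with. The policy table stands in for the
# workload registrations the control plane (Orchestrator) pushes to the IDP.
IDP_ISSUER = "mim-idp"
IDP_SIGNING_KEY = b"constructed-idp-signing-key"
ACCESS_POLICY = {"workload-a": {"resource-r"}}  # workload -> resources it may reach

def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def idp_issue_token(workload_id: str, audience: str, now: int, ttl: int = 300):
    """MIM IDP: enforce the access policy, then issue a short-lived ID token
    bound to one resource server (aud) so it cannot be replayed elsewhere."""
    if audience not in ACCESS_POLICY.get(workload_id, set()):
        return None                      # access control: workload not entitled
    claims = {"iss": IDP_ISSUER, "sub": workload_id, "aud": audience,
              "iat": now, "exp": now + ttl}
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = hmac.new(IDP_SIGNING_KEY, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(sig)}"

def resource_server_verify(token: str, my_id: str, now: int):
    """Resource server R: accept only tokens the IDP minted for R that are
    still within their validity window. Returns the workload id or None."""
    try:
        body, sig = token.split(".")
    except (ValueError, AttributeError):
        return None                      # malformed token
    expected = hmac.new(IDP_SIGNING_KEY, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        return None                      # forged or tampered token
    claims = json.loads(_unb64(body))
    if claims.get("iss") != IDP_ISSUER or claims.get("aud") != my_id:
        return None                      # wrong issuer, or token meant for another server
    if not (claims["iat"] <= now < claims["exp"]):
        return None                      # expired or not yet valid
    return claims["sub"]                 # authenticated workload identity

if __name__ == "__main__":
    t = int(time.time())
    tok = idp_issue_token("workload-a", "resource-r", t)
    print(resource_server_verify(tok, "resource-r", t))   # workload-a
    print(resource_server_verify(tok, "resource-s", t))   # None (audience mismatch)
```

The two rejections worth noting are the IDP refusing to mint a token for a workload the policy does not entitle, and resource server S refusing a token that was minted for R.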