TL;DR
Stop storing static cloud secrets in CI/CD. Use GitHub OIDC + AWS STS to authenticate using identity, not passwords.
Why This Matters (A Real Problem)
For years, CI/CD pipelines have relied on static cloud credentials:
- AWS_ACCESS_KEY_ID
- AWS_SECRET_ACCESS_KEY
Even when stored in secret managers, these credentials create long-lived attack surfaces.
What usually goes wrong?
- Secrets accidentally committed to GitHub
- Leaked through logs or misconfigured pipelines
- Keys valid for months or years
- Manual rotation (often forgotten)
A leaked AWS key in a public repo can be exploited within minutes by automated bots.
This is why the industry is moving toward identity-based security.
The Shift: Credentials → Identity
Traditional security answers:
“Do you have the key?”
Modern security asks:
“Who are you, and can you prove it right now?”
This is the foundation of workload identity federation.
Airport security analogy ✈️
| Old Model | New Model |
|---|---|
| Permanent key | Passport (identity) |
| Unlimited access | Boarding pass (temporary) |
| Trust forever | Trust just-in-time |
What Is OIDC?
OpenID Connect (OIDC) is an identity protocol built on OAuth 2.0.
In CI/CD:
- GitHub becomes the Identity Provider
- AWS becomes the Identity Verifier
- Authentication happens using signed JWT tokens
- No secrets are stored anywhere
🧠 High-Level Architecture
What’s Inside the OIDC Token?
The JWT issued by GitHub contains claims like:
- Repository name
- Organization
- Branch or tag
- Workflow reference
AWS verifies:
- Token signature
- Issuer (token.actions.githubusercontent.com)
- Audience (sts.amazonaws.com)
- Repository & branch constraints
Why This Is More Secure
🔥 Short-Lived Credentials
- Tokens expire in minutes
- Stolen tokens are useless almost immediately
🎯 Granular Access Control
Restrict access to:
- A specific repo
- A specific branch
- A specific environment
🔄 Automatic Rotation
- New credentials per job
- Zero operational overhead
📜 Superior Auditability
- Every action is traceable in AWS CloudTrail
- Tied back to a specific GitHub workflow run
🛠 Implementation Guide
Step 1: Create an OIDC Identity Provider in AWS
In AWS IAM:
- Identity providers → Add provider
- Provider type: OpenID Connect
- Provider URL: https://token.actions.githubusercontent.com
- Audience: sts.amazonaws.com
This allows AWS to trust GitHub-issued tokens.
Step 2: Create a Secretless IAM Role
Attach this trust policy to the role:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::<ACCOUNT_ID>:oidc-provider/token.actions.githubusercontent.com"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "token.actions.githubusercontent.com:aud": "sts.amazonaws.com"
        },
        "StringLike": {
          "token.actions.githubusercontent.com:sub": "repo:ORG/REPO:ref:refs/heads/main"
        }
      }
    }
  ]
}
```
🔐 This enforces Zero Trust:
- Even if someone knows the Role ARN, they cannot assume it unless identity claims match.
Step 3: Update GitHub Actions Workflow
```yaml
name: OIDC Test
on: [push]

permissions:
  id-token: write   # Required for OIDC
  contents: read

jobs:
  aws-identity-test:
    runs-on: ubuntu-latest
    steps:
      - name: Configure AWS Credentials
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: arn:aws:iam::<ACCOUNT_ID>:role/GitHub-OIDC-Role
          aws-region: us-east-1
      - name: Verify Identity
        run: aws sts get-caller-identity
```
✅ No secrets
✅ No vaults
✅ No key rotation
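To see why knowing the Role ARN is not enough, here is an added example (not code from the post or from AWS) that evaluates the Step 2 trust-policy `Condition` block against constructed GitHub OIDC token claims, using the `StringEquals` and `StringLike` semantics IAM documents (`*` and `?` wildcards, case-sensitive). Only a push to `main` of `ORG/REPO` with the `sts.amazonaws.com` audience passes; feature branches, pull requests, other repositories and the default audience are all denied.

```python
import json
import re

# Constructed copy of the trust-policy Condition block from Step 2 (ORG/REPO are placeholders).
CONDITION = json.loads("""
{
  "StringEquals": {"token.actions.githubusercontent.com:aud": "sts.amazonaws.com"},
  "StringLike":   {"token.actions.githubusercontent.com:sub": "repo:ORG/REPO:ref:refs/heads/main"}
}
""")

def iam_string_like(pattern: str, value: str) -> bool:
    """IAM StringLike: case-sensitive; '*' matches any run of characters, '?' exactly one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None

OPERATORS = {
    "StringEquals": lambda pattern, value: pattern == value,
    "StringLike": iam_string_like,
}

def condition_allows(condition: dict, claims: dict) -> bool:
    """True only if every condition key matches the token (AND across keys, OR within a value list)."""
    for operator, keys in condition.items():
        match = OPERATORS[operator]
        for key, patterns in keys.items():
            claim_name = key.split(":", 1)[1]            # "token...com:sub" -> "sub"
            value = claims.get(claim_name)
            if not isinstance(patterns, list):           # IAM accepts a single value or a list
                patterns = [patterns]
            if value is None or not any(match(p, value) for p in patterns):
                return False
    return True

def github_claims(sub: str, aud: str = "sts.amazonaws.com") -> dict:
    """Constructed subset of the claims in a GitHub Actions OIDC token payload."""
    return {"iss": "https://token.actions.githubusercontent.com", "aud": aud, "sub": sub}

# Constructed tokens a workflow run could present to sts:AssumeRoleWithWebIdentity
MAIN_BRANCH    = github_claims("repo:ORG/REPO:ref:refs/heads/main")
FEATURE_BRANCH = github_claims("repo:ORG/REPO:ref:refs/heads/feature-x")
PULL_REQUEST   = github_claims("repo:ORG/REPO:pull_request")
OTHER_REPO     = github_claims("repo:ORG/OTHER:ref:refs/heads/main")
DEFAULT_AUD    = github_claims("repo:ORG/REPO:ref:refs/heads/main", aud="https://github.com/ORG")

if __name__ == "__main__":
    for name, claims in [("main branch", MAIN_BRANCH), ("feature branch", FEATURE_BRANCH),
                         ("pull request", PULL_REQUEST), ("other repo", OTHER_REPO),
                         ("default audience", DEFAULT_AUD)]:
        verdict = "ALLOW" if condition_allows(CONDITION, claims) else "DENY"
        print(f"{name:17} sub={claims['sub']:40} aud={claims['aud']:25} -> {verdict}")
```

Run `iam_string_like("repo:ORG/*", ...)` against the same tokens to see how a wildcard in the `sub` condition widens trust to every repository in the organization, which is the check to make before loosening the pattern.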
Key Benefits Summary
| Benefit | Impact |
|---|---|
| No static secrets | Zero credential leaks |
| Short-lived tokens | Minimal blast radius |
| Automatic rotation | No ops burden |
| Fine-grained trust | True Zero Trust |
| Full audit trail | Better compliance |
Why This Is Mandatory
Industry data consistently shows:
- Stolen credentials are a top breach vector
- Breaches take months to detect
- Cloud misuse leads to massive financial damage
Static credentials are now a security anti-pattern.
Secretless CI/CD is no longer a “nice to have”.
It’s a baseline security requirement.
Credits & Thanks
Huge thanks to Arun Santhosh R.A. for his excellent write-up on secretless CI/CD and workload identity federation.
This post builds upon his ideas and aims to make them more accessible to the broader community.
Final Thoughts
OIDC-based authentication between GitHub and AWS gives you:
- Strong identity guarantees
- Zero secret sprawl
- Safer pipelines
- Happier security teams
If your CI/CD pipeline still uses long-lived cloud credentials, now is the time to upgrade.