Long-lived access keys in CI remain a frequent breach path. OIDC removes the secret from the repository entirely.

Setup steps: create an IAM OIDC provider for GitHub, bind roles with sub and repository conditions, and scope permissions to deploy targets only.

Why it matters: credential rotation disappears, and every assume-role event is attributable to a workflow run.

Tools mentioned: GitHub Environments, aws-actions/configure-aws-credentials, and IAM condition keys.

Apply this by migrating one production deploy workflow first, then deleting the leftover IAM user keys.

Guarda il video originale

Torna alle ultime notizie