How I Eliminated Access Keys from My Deployment Pipeline with OIDC, Terraform, and GitHub Actions
These articles are AI-generated summaries. Please check the original sources for full details.
The Problem with Traditional CI/CD
Most tutorials for deploying static sites to AWS recommend storing AWS access keys as GitHub secrets, creating a significant security vulnerability. If a repository is compromised or secrets are accidentally exposed, attackers gain full AWS access. OpenID Connect (OIDC) federation offers a more secure alternative by utilizing temporary credentials.
The author built a fully automated static website deployment pipeline that eliminates access keys entirely by using temporary credentials exchanged through OIDC. A live demo is available at https://d2jgqhup9totr6.cloudfront.net and the source code is on GitHub.
Why This Matters
Traditional CI/CD pipelines relying on long-lived access keys represent a substantial security risk, with potential costs reaching into the millions due to data breaches or service disruption. OIDC addresses this by providing temporary, scoped credentials, reducing the attack surface and simplifying credential management. The scale of potential damage from compromised keys necessitates a shift towards more secure authentication methods.
Key Insights
- S3 Website Endpoint Configuration: Standard S3 origins don’t support features like redirects and error documents, requiring custom origin configuration in CloudFront.
- Least Privilege Principle: IAM roles should only be granted the minimum necessary permissions to perform their tasks, limiting the potential blast radius of a compromise.
- Terraform Remote State: Using remote state with locking (e.g., S3 backend with DynamoDB locking) is crucial for team collaboration and preventing state corruption in production environments.
Working Example
# Register GitHub's OIDC issuer as an identity provider in the AWS account.
# The audience (client ID) is what the GitHub token's "aud" claim must carry.
resource "aws_iam_openid_connect_provider" "github" {
  url             = "https://token.actions.githubusercontent.com"
  client_id_list  = ["sts.amazonaws.com"]
  # Thumbprint of the issuer's TLS certificate chain as given in the article;
  # verify it is still current for your account before applying.
  thumbprint_list = ["6938fd4d98bab03faadb97b34396831e3780aea1"]
}

# Role the workflow assumes. The trust policy is what keeps the role scoped:
# only tokens issued by the provider above, for the expected audience, and
# for one repository's main branch may call AssumeRoleWithWebIdentity.
resource "aws_iam_role" "github_actions" {
  name = "github-actions-s3-deployment"
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect = "Allow"
      Principal = {
        Federated = aws_iam_openid_connect_provider.github.arn
      }
      Action = "sts:AssumeRoleWithWebIdentity"
      Condition = {
        # Audience must match exactly.
        StringEquals = {
          "token.actions.githubusercontent.com:aud" = "sts.amazonaws.com"
        }
        # Subject pins the owner, repository and branch; a wildcard here
        # widens which workflows can assume the role.
        StringLike = {
          "token.actions.githubusercontent.com:sub" = "repo:${var.github_username}/${var.repo_name}:ref:refs/heads/main"
        }
      }
    }]
  })
}
Practical Applications
- Static Website Hosting: Companies like Netlify or Vercel can leverage OIDC for secure deployments of static websites to AWS S3 and CloudFront.
- Pitfall: Failing to properly configure the StringLike condition in the IAM role trust policy can inadvertently grant broader access than intended, defeating the purpose of OIDC.
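The trust policy in the Working Example and the StringLike pitfall above are two sides of the same check. The following Python is an added example, not code from the original article or its repository: it builds the same trust policy the Terraform produces and then lints a policy document for the two conditions that keep the role scoped (an exact audience match and a subject pinned to a literal owner/repo). The provider ARN, organization and repository names are constructed placeholders.

```python
import json
import re

# GitHub's OIDC issuer, as used in the article's Terraform.
GITHUB_ISSUER = "token.actions.githubusercontent.com"
AUD_KEY = f"{GITHUB_ISSUER}:aud"
SUB_KEY = f"{GITHUB_ISSUER}:sub"
EXPECTED_AUD = "sts.amazonaws.com"

# Owner and repository must be literal (no * or ?). Only the part after the
# second colon (ref, environment, pull_request) is where a pattern may sit.
SUB_PATTERN = re.compile(r"^repo:(?P<owner>[^/:*?]+)/(?P<repo>[^/:*?]+):(?P<rest>.+)$")


def build_trust_policy(provider_arn, owner, repo, branch="main"):
    """Build the trust policy the article's Terraform produces, pinned to one
    repository and one branch. provider_arn is the OIDC provider's ARN."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": provider_arn},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "StringEquals": {AUD_KEY: EXPECTED_AUD},
                "StringLike": {SUB_KEY: f"repo:{owner}/{repo}:ref:refs/heads/{branch}"},
            },
        }],
    }


def _as_list(value):
    # IAM condition values may be a single string or a list of strings.
    return value if isinstance(value, list) else [value]


def check_trust_policy(policy):
    """Return a list of findings for a trust policy document (a dict).
    An empty list means every AssumeRoleWithWebIdentity statement pins the
    audience and restricts the subject to a literal owner/repo."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRoleWithWebIdentity" not in _as_list(stmt.get("Action", [])):
            continue
        cond = stmt.get("Condition", {})
        equals = cond.get("StringEquals", {})
        like = cond.get("StringLike", {})

        # Audience: must be an exact StringEquals match, never StringLike.
        aud = _as_list(equals.get(AUD_KEY, []))
        if aud != [EXPECTED_AUD]:
            findings.append(f"statement {i}: aud must be pinned with StringEquals to {EXPECTED_AUD!r}, got {aud}")

        # Subject: absent means any repository trusting the provider qualifies.
        subs = _as_list(equals.get(SUB_KEY, [])) + _as_list(like.get(SUB_KEY, []))
        if not subs:
            findings.append(f"statement {i}: no sub condition, so any repository using this provider can assume the role")
        for sub in subs:
            m = SUB_PATTERN.match(sub)
            if m is None:
                findings.append(f"statement {i}: sub {sub!r} does not pin a literal owner/repo")
            elif any(c in m.group("rest") for c in "*?"):
                findings.append(f"statement {i}: sub {sub!r} wildcards the ref/environment part; every matching branch, tag or PR can deploy")
    return findings


def check_trust_policy_json(text):
    """Wrapper for a policy exported as JSON (for example from terraform show)."""
    return check_trust_policy(json.loads(text))


# Constructed sample inputs (not from the article): a correctly pinned policy,
# and the pitfall the article warns about, a subject pattern that is too broad.
PROVIDER_ARN = "arn:aws:iam::123456789012:oidc-provider/" + GITHUB_ISSUER
PINNED = build_trust_policy(PROVIDER_ARN, "example-org", "example-repo")
OVERBROAD = build_trust_policy(PROVIDER_ARN, "example-org", "example-repo")
OVERBROAD["Statement"][0]["Condition"]["StringLike"][SUB_KEY] = "repo:example-org/*"

if __name__ == "__main__":
    for name, pol in (("pinned", PINNED), ("overbroad", OVERBROAD)):
        print(name, check_trust_policy(pol) or "OK")
```

Run it against the JSON that `terraform show -json` or the IAM console emits for a role's trust policy; the pinned policy yields no findings, while `repo:example-org/*` is reported because the repository segment is a wildcard. A subject like `repo:owner/repo:*` is still scoped to one repository but is flagged separately, since any branch, tag or pull request of that repository could then deploy.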