Security Experts Advocate for Keyless CI/CD Pipelines
Recent guidance for MLOps teams emphasizes a shift toward more secure, keyless CI/CD pipelines. One podcast explained how to use GitHub Actions with OpenID Connect (OIDC) and AWS IAM Roles to replace static credentials with temporary, short-lived tokens. This method reduces the security risk of a breach by scoping permissions to individual workflows.
- The push for keyless authentication is a direct response to high-profile supply chain attacks where static, long-lived credentials were stolen from CI/CD systems. In one notable incident, attackers compromised CodeCov's bash uploader script, allowing them to steal secrets from their customers' pipelines. - OpenID Connect (OIDC) is an identity layer built on top of the OAuth 2.0 protocol. It allows CI/CD jobs, like those in GitHub Actions or CircleCI, to authenticate with cloud providers such as AWS, GCP, and Azure without needing to store static API keys or secrets. - The keyless workflow involves the CI/CD platform signing a JSON Web Token (JWT) and making it available to the job. The job then presents this short-lived token to the cloud provider, which verifies its authenticity and, in return, grants temporary credentials with scoped permissions. - This method helps solve the "secret zero" problem, where a pipeline needs an initial secret just to authenticate to a vault or secret manager to retrieve other secrets. Tools like HashiCorp Vault can be configured to trust the OIDC tokens issued by CI/CD platforms, eliminating the need for a pre-existing static credential. - The OIDC token itself contains claims with information about the pipeline, such as the repository, workflow path, and the user who triggered the job, which enables granular access control. For example, an IAM role in AWS can be configured to only trust tokens originating from a specific GitHub repository and workflow. - Beyond authentication, the concept extends to "keyless signing" for artifacts using ephemeral keys. Projects like Sigstore, integrated with platforms like GitLab, allow for signing container images with temporary keys, simplifying key management and improving the security of the software supply chain. - Adopting keyless methods aligns with the principle of least privilege, a core tenet of Zero Trust security. By issuing temporary, narrowly-scoped credentials for each specific job, it significantly reduces the attack surface compared to long-lived, often over-permissioned, static secrets. - The implementation of OIDC is supported across major CI/CD platforms and cloud providers. CircleCI, for example, makes an OIDC token available to jobs which can be presented to cloud providers that have been configured to trust CircleCI's OIDC provider URL.
