Designing Zero-Trust CI/CD Pipelines with GitHub Actions and AWS
Source: Dev.to
TL;DR
- Use GitHub OIDC + AWS STS to authenticate with identity, not passwords.
- Traditional CI/CD pipelines rely on static cloud credentials (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY).
- Even when stored in secret managers, these long‑lived credentials create attack surfaces:
  - Secrets accidentally committed to GitHub.
  - Leaked through logs or misconfigured pipelines.
  - Keys valid for months or years, requiring manual rotation that is often forgotten.
- A leaked AWS key in a public repo can be exploited within minutes by automated bots.
- The industry is moving toward identity‑based security:
- Traditional: “Do you have the key?”
- Modern: “Who are you, and can you prove it right now?”
Old Model vs. New Model
| | Old Model | New Model |
|---|---|---|
| Credential | Permanent key | Passport (identity) |
| Access | Unlimited | Boarding pass (temporary) |
| Trust | Forever | Just‑in‑time |
OpenID Connect (OIDC) in CI/CD
- OIDC is an identity protocol built on OAuth 2.0.
- In a CI/CD context:
- GitHub acts as the Identity Provider.
- AWS acts as the Identity Verifier.
- Authentication uses signed JWT tokens; no secrets are stored.
JWT Claims (issued by GitHub)
- Repository name
- Organization
- Branch or tag
- Workflow reference
AWS Verification
- Token signature
- Issuer (https://token.actions.githubusercontent.com)
- Audience (sts.amazonaws.com)
- Repository & branch constraints (the sub claim)
The GitHub token itself is valid for only a few minutes and is exchanged exactly once, so a stolen JWT is useless almost immediately. The AWS credentials that STS returns in exchange last for the role session (aws-actions/configure-aws-credentials defaults to one hour via role-duration-seconds), so keep that duration as short as the job needs. Access can be restricted to a specific repo, branch, or environment, with new credentials generated per job. Every call made with those credentials appears in AWS CloudTrail under the assumed role, and the AssumeRoleWithWebIdentity event records the token's subject, so actions can be tied back to the repository, branch and workflow that ran them (put the run id in role-session-name if you want the session named after the specific run).
Configuring AWS IAM for GitHub OIDC
- Add an OpenID Connect provider in IAM:
  - Provider URL: https://token.actions.githubusercontent.com
  - Audience: sts.amazonaws.com
- Attach a trust policy to the role that GitHub workflows will assume.
Trust Policy (JSON)
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::ACCOUNT_ID:oidc-provider/token.actions.githubusercontent.com"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "token.actions.githubusercontent.com:aud": "sts.amazonaws.com"
        },
        "StringLike": {
          "token.actions.githubusercontent.com:sub": "repo:ORG/REPO:ref:refs/heads/main"
        }
      }
    }
  ]
}
```
Replace ACCOUNT_ID with your 12‑digit AWS account ID, and ORG/REPO with the repository that is allowed to assume the role.
Note: This policy enforces Zero Trust: even if an attacker knows the role ARN, they cannot assume it unless the token's claims match. The sub condition above only matches pushes to main; a workflow triggered by pull_request presents a sub of repo:ORG/REPO:pull_request and is refused, as is any other branch. Do not widen it to a pattern such as repo:ORG/* unless every repository in the organization is meant to assume the role, and keep the aud condition, since without it a GitHub token minted for some other audience would be accepted.
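To see exactly what the conditions in this trust policy accept and reject, here is an added example (not code from the article, GitHub or AWS) that models the claim checks STS applies during AssumeRoleWithWebIdentity, with IAM's StringEquals and StringLike semantics, and runs constructed GitHub-style tokens through the policy above, including the pull_request case and the over-broad repo:ORG/* wildcard. The RS256 signature check against GitHub's JWKS is assumed to have already passed; ACCOUNT_ID, ORG and REPO are placeholders, and every token is constructed for the demo rather than captured.

```python
"""Offline model of the claim checks behind sts:AssumeRoleWithWebIdentity.

Added example, not code from the original article or from AWS/GitHub.
The signature check is assumed to have passed; only claim and condition
logic is modelled. All tokens here are constructed, not captured.
"""
import base64
import json
import re

ISSUER = "https://token.actions.githubusercontent.com"
AUDIENCE = "sts.amazonaws.com"
NOW = 1_700_000_000  # fixed clock so the results are deterministic

# The article's trust policy (ACCOUNT_ID, ORG, REPO are placeholders).
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": "arn:aws:iam::ACCOUNT_ID:oidc-provider/token.actions.githubusercontent.com"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {
            "StringEquals": {"token.actions.githubusercontent.com:aud": AUDIENCE},
            "StringLike": {"token.actions.githubusercontent.com:sub": "repo:ORG/REPO:ref:refs/heads/main"},
        },
    }],
}


def make_token(sub, aud=AUDIENCE, iss=ISSUER, issued_at=NOW, ttl=300):
    """Build a JWT-shaped string (header.payload.signature) with GitHub-style
    claims. The signature segment is a placeholder; this is demo input only."""
    def b64(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    header = {"alg": "RS256", "typ": "JWT", "kid": "demo"}
    claims = {"iss": iss, "aud": aud, "sub": sub, "iat": issued_at, "nbf": issued_at,
              "exp": issued_at + ttl, "repository": sub.split(":")[1]}
    return f"{b64(header)}.{b64(claims)}.placeholder-signature"


def decode_claims(token):
    """Base64url-decode the payload segment. A real verifier checks the RS256
    signature against the issuer's JWKS before trusting any of these values."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def iam_string_like(pattern, value):
    """IAM StringLike: '*' matches any run of characters, '?' exactly one;
    matching is case-sensitive and must cover the whole value."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None


def condition_matches(condition, claims):
    """Evaluate an IAM Condition block: every key must match (AND), and a list
    of values for one key is a set of alternatives (OR)."""
    for operator, keys in condition.items():
        for key, expected in keys.items():
            values = expected if isinstance(expected, list) else [expected]
            claim = key.split(":", 1)[1]  # "token.actions.githubusercontent.com:sub" -> "sub"
            actual = claims.get(claim)
            if actual is None:
                return False, f"token has no {claim} claim"
            actual_list = actual if isinstance(actual, list) else [actual]  # aud may be a list
            if operator == "StringEquals":
                ok = any(a in values for a in actual_list)
            elif operator == "StringLike":
                ok = any(iam_string_like(p, a) for p in values for a in actual_list)
            else:
                return False, f"operator {operator} not modelled"
            if not ok:
                return False, f"{operator} failed on {claim}: {actual!r} vs {values}"
    return True, "all conditions satisfied"


def evaluate(policy, token, now=NOW):
    """Return ("ALLOW" | "DENY", reason) for this token against this trust policy."""
    claims = decode_claims(token)
    if claims.get("iss") != ISSUER:
        return "DENY", "issuer does not match the configured OIDC provider"
    if not claims.get("nbf", 0) <= now < claims.get("exp", 0):
        return "DENY", "token expired or not yet valid"
    reasons = []
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or stmt["Action"] != "sts:AssumeRoleWithWebIdentity":
            continue
        ok, why = condition_matches(stmt.get("Condition", {}), claims)
        if ok:
            return "ALLOW", why
        reasons.append(why)
    return "DENY", "; ".join(reasons) or "no matching statement"


def over_broad_policy():
    """The same policy with the common mistake of a wildcard over the whole org."""
    policy = json.loads(json.dumps(TRUST_POLICY))
    policy["Statement"][0]["Condition"]["StringLike"]["token.actions.githubusercontent.com:sub"] = "repo:ORG/*"
    return policy


if __name__ == "__main__":
    cases = {
        "push to main": make_token("repo:ORG/REPO:ref:refs/heads/main"),
        "push to feature branch": make_token("repo:ORG/REPO:ref:refs/heads/feature"),
        "pull_request event": make_token("repo:ORG/REPO:pull_request"),
        "wrong audience": make_token("repo:ORG/REPO:ref:refs/heads/main", aud="api://other"),
        "expired token": make_token("repo:ORG/REPO:ref:refs/heads/main", issued_at=NOW - 3600),
    }
    for name, tok in cases.items():
        print(f"{name:26s} -> {evaluate(TRUST_POLICY, tok)}")
    other = make_token("repo:ORG/other-repo:ref:refs/heads/main")
    print(f"{'other repo, org wildcard':26s} -> {evaluate(over_broad_policy(), other)}")
```

Only the first case is allowed by the article's policy; the last line shows that once the sub pattern is loosened to repo:ORG/*, a token from an unrelated repository in the same organization assumes the role too.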
GitHub Actions Workflow Example
```yaml
name: OIDC Test
on: [push]
permissions:
  id-token: write   # Required to request the OIDC token
  contents: read
jobs:
  aws-identity-test:
    runs-on: ubuntu-latest
    steps:
      - name: Configure AWS Credentials
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: arn:aws:iam::ACCOUNT_ID:role/GitHub-OIDC-Role
          aws-region: us-east-1
      - name: Verify Identity
        run: aws sts get-caller-identity
```
The workflow runs without any static secrets: the action requests a GitHub OIDC token, calls AssumeRoleWithWebIdentity with it, and exports the resulting short‑lived credentials to the later steps. Replace ACCOUNT_ID with your account ID, and consider pinning the action to a full commit SHA rather than a tag, since the action that handles your cloud credentials is itself a supply‑chain dependency.
Benefits
- No static secrets → no long‑lived credentials to leak.
- Short‑lived tokens → minimal blast radius.
- Automatic rotation → no operational burden.
- Fine‑grained trust → true Zero Trust.
- Full audit trail → better compliance.
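The audit trail is only useful if someone reads it. As an added example (not from the original article), the script below reviews CloudTrail AssumeRoleWithWebIdentity records, ties each one back to the GitHub subject that produced it, and flags what a correct trust policy should never allow: a subject outside the role's allowlist (trust‑policy drift), a failed assumption (probing or a misconfigured workflow), an unexpected identity provider, and over‑long sessions. The events are constructed; their layout follows the documented CloudTrail record for AssumeRoleWithWebIdentity, and it is assumed that GitHub's sub claim is recorded as userIdentity.userName and responseElements.subjectFromWebIdentityToken. ACCOUNT_ID, ORG and REPO are placeholders.

```python
"""Review CloudTrail AssumeRoleWithWebIdentity events against a GitHub allowlist.

Added example, not from the original article. Events are constructed;
the field layout assumes the documented CloudTrail record shape, with the
GitHub sub claim in userIdentity.userName / subjectFromWebIdentityToken.
"""
import json
from fnmatch import fnmatchcase

GITHUB_IDP = "token.actions.githubusercontent.com"
MAX_SESSION_SECONDS = 3600

# Which GitHub identities may assume which role (mirrors the trust policies).
# Patterns use '*' and '?', which coincide with IAM StringLike for these values.
ROLE_ALLOWLIST = {
    "arn:aws:iam::ACCOUNT_ID:role/GitHub-OIDC-Role": ["repo:ORG/REPO:ref:refs/heads/main"],
}

_ROLE = "arn:aws:iam::ACCOUNT_ID:role/GitHub-OIDC-Role"
_MAIN = "repo:ORG/REPO:ref:refs/heads/main"
_FEATURE = "repo:ORG/REPO:ref:refs/heads/feature"

# Constructed sample records, one JSON object per line as in a CloudTrail export.
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"eventTime": "2024-05-01T10:00:00Z", "eventSource": "sts.amazonaws.com",
     "eventName": "AssumeRoleWithWebIdentity",
     "userIdentity": {"type": "WebIdentityUser", "identityProvider": GITHUB_IDP, "userName": _MAIN},
     "requestParameters": {"roleArn": _ROLE, "roleSessionName": "GitHubActions", "durationSeconds": 3600},
     "responseElements": {"audience": "sts.amazonaws.com", "subjectFromWebIdentityToken": _MAIN}},
    {"eventTime": "2024-05-01T10:05:00Z", "eventSource": "sts.amazonaws.com",
     "eventName": "AssumeRoleWithWebIdentity",  # succeeded from a feature branch: policy drift
     "userIdentity": {"type": "WebIdentityUser", "identityProvider": GITHUB_IDP, "userName": _FEATURE},
     "requestParameters": {"roleArn": _ROLE, "roleSessionName": "GitHubActions", "durationSeconds": 3600},
     "responseElements": {"audience": "sts.amazonaws.com", "subjectFromWebIdentityToken": _FEATURE}},
    {"eventTime": "2024-05-01T10:10:00Z", "eventSource": "sts.amazonaws.com",
     "eventName": "AssumeRoleWithWebIdentity", "errorCode": "AccessDenied",  # refused pull_request
     "userIdentity": {"type": "WebIdentityUser", "identityProvider": GITHUB_IDP,
                      "userName": "repo:ORG/REPO:pull_request"},
     "requestParameters": {"roleArn": _ROLE, "roleSessionName": "GitHubActions", "durationSeconds": 3600}},
    {"eventTime": "2024-05-01T10:15:00Z", "eventSource": "sts.amazonaws.com",
     "eventName": "AssumeRoleWithWebIdentity",  # allowed subject, but a 12-hour session
     "userIdentity": {"type": "WebIdentityUser", "identityProvider": GITHUB_IDP, "userName": _MAIN},
     "requestParameters": {"roleArn": _ROLE, "roleSessionName": "GitHubActions", "durationSeconds": 43200},
     "responseElements": {"audience": "sts.amazonaws.com", "subjectFromWebIdentityToken": _MAIN}},
    {"eventTime": "2024-05-01T10:20:00Z", "eventSource": "sts.amazonaws.com",
     "eventName": "GetCallerIdentity",  # unrelated event, ignored by the review
     "userIdentity": {"type": "AssumedRole"}},
])


def parse_events(ndjson):
    """Parse one JSON object per non-empty line."""
    return [json.loads(line) for line in ndjson.splitlines() if line.strip()]


def github_subject(event):
    """Prefer the subject STS recorded from the token; fall back to userName."""
    resp = event.get("responseElements") or {}
    return resp.get("subjectFromWebIdentityToken") or event.get("userIdentity", {}).get("userName")


def review_event(event, allowlist=ROLE_ALLOWLIST, max_seconds=MAX_SESSION_SECONDS):
    """Return the findings for one event; an empty list means nothing to flag."""
    if event.get("eventName") != "AssumeRoleWithWebIdentity":
        return []
    findings = []
    idp = event.get("userIdentity", {}).get("identityProvider")
    sub = github_subject(event)
    params = event.get("requestParameters", {})
    role = params.get("roleArn")
    if idp != GITHUB_IDP:
        findings.append(f"unexpected identity provider {idp!r}")
    if "errorCode" in event:
        findings.append(f"failed assumption ({event['errorCode']}) by {sub!r} on {role!r}: probing or misconfigured workflow")
        return findings
    allowed = allowlist.get(role)
    if allowed is None:
        findings.append(f"role {role!r} is not in the allowlist")
    elif not any(fnmatchcase(sub, pattern) for pattern in allowed):
        findings.append(f"{sub!r} assumed {role!r} but no allowlisted pattern matches: trust policy drift")
    if params.get("durationSeconds", 0) > max_seconds:
        findings.append(f"session of {params['durationSeconds']}s exceeds the {max_seconds}s limit")
    return findings


def review(ndjson, **kwargs):
    """Map eventTime -> findings for every flagged event in an NDJSON export."""
    flagged = {}
    for event in parse_events(ndjson):
        findings = review_event(event, **kwargs)
        if findings:
            flagged[event["eventTime"]] = findings
    return flagged


if __name__ == "__main__":
    for when, findings in review(SAMPLE_EVENTS).items():
        for finding in findings:
            print(f"{when}  {finding}")
```

Run against the constructed export, the 10:00 event passes silently while the feature‑branch success, the refused pull_request attempt and the 12‑hour session are each reported; the same allowlist that drives the trust policy drives the review, so the two cannot quietly disagree.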
Impact
- No long‑lived credentials to leak – secret‑less pipelines.
- Reduced blast radius – tokens expire quickly.
- Operational efficiency – no manual rotation.
- Enhanced security posture – identity‑first access control.
Industry Data
- Stolen credentials remain a top breach vector.
- Breaches often take months to detect, leading to massive financial damage.
- Static credentials are now considered a security anti‑pattern.
- Secretless CI/CD is becoming a baseline security requirement.
Acknowledgements
Huge thanks to Arun Santhosh R.A. for his excellent write‑up on secretless CI/CD and workload identity federation.
OIDC‑based authentication between GitHub and AWS provides:
- Strong identity guarantees
- Zero secret sprawl
- Safer pipelines
- Happier security teams
If your CI/CD pipeline still uses long‑lived cloud credentials, now is the time to upgrade.