Building Scalable Enterprise Secrets Management with GitHub OIDC and HashiCorp Vault

997 views

HashiCorp

A year ago

Software build pipelines are increasingly a vector for abuse, and storing long-lived credentials in solutions like GitHub Secrets adds risk and logistical challenges. GitHub OIDC authentication to Vault solves this by allowing teams to generate short-lived, dynamic tokens scoped to very fine-grained authorization grants.
It is one thing to configure a single repository and quite another to construct a program scaling to hundreds or thousands of repositories and developers. In this talk, you will learn how to leverage an OIDC configuration with Vault as a building block to design (or upgrade!) a paved path enterprise-scale secrets management program. This developer-first approach provides stronger security guarantees than traditional “secret zero” mitigations while enabling smoother adoption for developers and simpler management and auditability for operators.
Speaker: Ari Kalfus
Twitter: @artis3n
Self-service demo and workshop to learn how to configure GitHub OIDC and Vault: github.com/artis3n/course-vau...
DigitalOcean blog post with more details about how they configure GitHub OIDC with Vault: www.digitalocean.com/blog/fin...
Open sourced Terraform module: github.com/digitalocean/terra...
Ned Bellavance's HashiConf Global 2022 talk on Using OIDC With HashiCorp Vault and GitHub Actions: www.hashicorp.com/resources/u...
For hands-on interactive labs, visit HashiCorp Developer → developer.hashicorp.com/
HashiCorp provides infrastructure automation software for multi-cloud environments, enabling enterprises to unlock a common cloud operating model to provision, secure, connect, and run any application on any infrastructure. HashiCorp open source tools Vagrant, Packer, Terraform, Vault, Consul, Nomad, Boundary, and Waypoint allow organizations to deliver applications faster by helping enterprises transition from manual processes and ITIL practices to self-service automation and DevOps practices.
For more information → hashicorp.com

Comments: 1
@DavidLukac-si5yg, a year ago
Thanks Ari! Amazing talk, packed with lots of great information and best practices for the security and convenience at the same time, my fingers were burning from all the notes I was making! :-D