🦝 Secure the Build, Secure the Cloud: Using OIDC Tokens in CI/CD Pipelines

The presentation discusses the importance of secure authentication in CI/CD pipelines and the potential vulnerabilities of using tokens. The solution proposed is to use OpenID Connect (OIDC) for authentication.

• CI/CD pipelines require secure authentication with third-party providers
• Tokens are a popular method of authentication but can be vulnerable to breaches
• Examples of breaches include CircleCI and Codecov
• OpenID Connect (OIDC) is a solution that extends the capabilities of OAuth 2.0 and uses JSON web tokens (JWT) for authentication
• OIDC is standardized and allows for third-party verification of user identity

CircleCI experienced a security breach in which all tokens saved in the system were compromised. The installer of Codecov was also compromised, allowing attackers to exploit environment variables in CI systems. These incidents highlight the need for improved authentication security in CI/CD pipelines.

Cloud computing adoption is increasing, and organizations have an increasing need to secure their access to cloud resources. Traditional access control mechanisms such as access tokens, while still widely used, are insufficient to protect against modern threats. Even if the least-privilege principles are preserved, these tokens could leak and expose your infrastructure.Identity tokens, such as OpenID Connect (OIDC), have emerged as a popular alternative for authentication and authorization in cloud environments. Even though major CI/CD platforms are now supporting these tokens - GitHub Actions, GitLab CI, CircleCI, etc. - it isn't widely adopted yet.In this session, we'll cover the benefits of using OIDC for CI/CD pipelines, configuring cloud providers to accept OIDC tokens, and integrating OIDC-based authentication and authorization into popular CI/CD systems. We'll also demonstrate a few examples of OIDC-based authentication and authorization in action through demos.