[Cheat Sheet] Zero-Trust CI/CD: OIDC & Ephemeral Secrets
In 2026, static CI/CD secrets (the infamous 'Forever Keys') are a legacy liability. OpenID Connect (OIDC) has become the gold standard for securing deployment pipelines by using ephemeral, short-lived identities. This cheat sheet provides a comprehensive reference for implementing Zero-Trust CI/CD across major providers.
The Zero-Trust Takeaway
The goal of OIDC is to move from shared secrets to identity-based trust. By defining a Trust Policy on your cloud provider that specifically recognizes your CI/CD repository, you eliminate the need to store long-lived AWS_ACCESS_KEY_ID or GOOGLE_APPLICATION_CREDENTIALS in your repository settings.
1. Core OIDC Concepts
Before implementing, understand these three pillars of ephemeral identity:
- ID Token (JWT): A signed token issued by the CI/CD provider (e.g., GitHub) containing 'claims' about the job.
- Trust Policy: A configuration on the Cloud side (AWS/GCP/Azure) that defines which claims are allowed to assume a role.
- STS (Security Token Service): The cloud service that exchanges the JWT for short-lived credentials.
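The three pillars above are easiest to see on a real token. The script below is an added example (it is not code from the page): it builds a GitHub-style ID token with constructed claims, decodes the payload the way a trust policy sees it, and applies the issuer/audience/expiry checks that STS performs before any exchange. The signature segment is a placeholder because a real token is RS256-signed by the provider and verified against the issuer's JWKS; the audience value `sts.amazonaws.com` is assumed to be what the AWS credentials action requests.

```python
"""Decode and sanity-check a CI/CD OIDC ID token.

Added example, not from the original page. Assumes GitHub-style claims.
The token is CONSTRUCTED: a real one is RS256-signed by the provider and
STS verifies that signature against the issuer's JWKS. Here the signature
segment is a placeholder and only the claims are inspected.
"""
import base64
import json

GITHUB_ISSUER = "https://token.actions.githubusercontent.com"
EXPECTED_AUD = "sts.amazonaws.com"  # assumption: audience the AWS action requests


def b64url_decode(segment: str) -> bytes:
    """Base64url-decode a JWT segment, restoring the stripped '=' padding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data: bytes) -> str:
    """Base64url-encode without padding, as JWT segments are written."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT (header.payload.signature)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(b64url_decode(parts[1]))


def check_claims(claims: dict, now: int, issuer: str = GITHUB_ISSUER,
                 audience: str = EXPECTED_AUD) -> list:
    """Return the problems STS-style validation would flag (empty list = OK)."""
    problems = []
    if claims.get("iss") != issuer:
        problems.append("iss mismatch")
    aud = claims.get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    if audience not in auds:
        problems.append("aud mismatch")
    if "exp" not in claims or now >= claims["exp"]:
        problems.append("expired")
    if "nbf" in claims and now < claims["nbf"]:
        problems.append("not yet valid")
    return problems


def make_constructed_token(claims: dict) -> str:
    """Build an UNSIGNED sample token with a placeholder signature segment."""
    header = {"alg": "RS256", "typ": "JWT", "kid": "constructed-kid"}
    return ".".join([b64url_encode(json.dumps(header).encode()),
                     b64url_encode(json.dumps(claims).encode()),
                     "placeholder-signature"])


NOW = 1_760_000_000  # fixed clock so the checks are reproducible
SAMPLE_CLAIMS = {  # constructed sample, shaped like a GitHub Actions job token
    "iss": GITHUB_ISSUER,
    "aud": "sts.amazonaws.com",
    "sub": "repo:techbytes/app:environment:production",
    "repository": "techbytes/app",
    "ref": "refs/heads/main",
    "environment": "production",
    "iat": NOW - 60,
    "exp": NOW + 240,  # minutes, not months: the point of ephemeral identity
}
SAMPLE_TOKEN = make_constructed_token(SAMPLE_CLAIMS)

if __name__ == "__main__":
    claims = decode_claims(SAMPLE_TOKEN)
    print(json.dumps(claims, indent=2))
    print("problems:", check_claims(claims, NOW) or "none")
```

The `sub` claim is the one the trust policy later matches on; note that it encodes the environment (`environment:production`) rather than the branch, which is why an environment-scoped condition and a branch-scoped condition are different decisions.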
2. GitHub Actions + AWS Configuration
To use OIDC with GitHub Actions, you must update your workflow permissions to allow id-token: write.
permissions:
  id-token: write
  contents: read
jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - name: Configure AWS Credentials
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: arn:aws:iam::123456789012:role/my-github-role
          aws-region: us-east-1
3. GitLab CI + GCP Configuration
GitLab uses the id_tokens keyword to request a JWT for the GCP workload identity federation.
deploy-job:
  id_tokens:
    GCP_ID_TOKEN:
      aud: https://iam.googleapis.com/projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/providers/PROVIDER_ID
  script:
    - echo "$GCP_ID_TOKEN" > .ci_job_jwt
    - gcloud iam workload-identity-pools create-cred-config ... --credential-source-file=.ci_job_jwt
4. CLI Command Cheat Sheet
| Category | Command | Description |
|---|---|---|
| Auth | aws sts get-caller-identity | Verify currently assumed ephemeral role. |
| Token | gh auth token --secure | Retrieve a secure runner token for debugging. |
| Debug | gcloud auth print-identity-token | Print the active OIDC identity token (a JWT) for inspection. |
5. Keyboard Shortcuts for Security Tooling
When auditing your OIDC setup, these system-wide shortcuts can speed up your workflow:
| Context | Shortcut | Action |
|---|---|---|
| Logs | Ctrl + Shift + L | Toggle verbose OIDC debug logging. |
| Terminal | Ctrl + K + C | Clear cached OIDC session tokens. |
| Auditor | Alt + S | Run a quick scan for static secrets in environment. |
When dealing with sensitive logs during OIDC debugging, use the Data Masking Tool to scrub PII or accidental credential leaks before sharing diagnostics.
6. Advanced Hardening: Conditional OIDC
Don't just trust the repo; trust the environment or branch. Use ABAC (Attribute-Based Access Control) in your AWS Trust Policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "Federated": "arn:aws:iam::12345:oidc-provider/token.actions.githubusercontent.com" },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringLike": {
          "token.actions.githubusercontent.com:sub": "repo:techbytes/app:environment:production"
        }
      }
    }
  ]
}
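To see what a Condition like the one above actually admits before it is deployed, here is an added example (not AWS's policy engine and not code from the page): a minimal evaluator for the two operators OIDC trust policies use, `StringEquals` and `StringLike` (IAM wildcards `*` and `?`). It runs the page's environment-scoped condition, a variant that also pins the `aud` claim, and an over-broad org-wide wildcard against constructed job claims. The account id in the generated policy is a placeholder, the audience `sts.amazonaws.com` is assumed to be what the AWS action requests, and explicit Deny statements are deliberately not modelled.

```python
"""Evaluate IAM trust-policy Conditions against OIDC claims.

Added example, not AWS's policy engine. Covers the two operators OIDC trust
policies use: StringEquals and StringLike ('*' matches any run of characters,
'?' exactly one; matching is case-sensitive). Simplification (assumption):
explicit Deny statements are not modelled. All claims and policies below are
constructed samples.
"""
import re


def iam_string_like(pattern: str, value: str) -> bool:
    """IAM StringLike semantics: '*' and '?' are wildcards, everything else is literal."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None


OPERATORS = {
    "StringEquals": lambda pattern, value: pattern == value,
    "StringLike": iam_string_like,
}


def condition_allows(condition: dict, claims: dict) -> bool:
    """Every operator block must match; a claim absent from the token never matches."""
    for operator, tests in condition.items():
        match = OPERATORS[operator]
        for key, expected in tests.items():
            claim_name = key.split(":", 1)[1]  # "token.actions.githubusercontent.com:sub" -> "sub"
            value = claims.get(claim_name)
            if value is None:
                return False
            patterns = expected if isinstance(expected, list) else [expected]
            if not any(match(p, value) for p in patterns):
                return False
    return True


def policy_allows(policy: dict, claims: dict) -> bool:
    """True if some Allow statement for sts:AssumeRoleWithWebIdentity is satisfied."""
    for stmt in policy.get("Statement", []):
        actions = stmt.get("Action", [])
        actions = actions if isinstance(actions, list) else [actions]
        if stmt.get("Effect") != "Allow" or "sts:AssumeRoleWithWebIdentity" not in actions:
            continue
        if condition_allows(stmt.get("Condition", {}), claims):
            return True
    return False


def trust_policy(condition: dict) -> dict:
    """Wrap a Condition in a one-statement trust policy (account id is a placeholder)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": "arn:aws:iam::111122223333:oidc-provider/token.actions.githubusercontent.com"},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": condition,
        }],
    }


SUB = "token.actions.githubusercontent.com:sub"
AUD = "token.actions.githubusercontent.com:aud"

# The page's condition: environment-scoped sub, no audience check.
ENV_ONLY = {"StringLike": {SUB: "repo:techbytes/app:environment:production"}}
# Same sub rule plus an audience pin (assumption: the AWS action requests aud sts.amazonaws.com).
ENV_AND_AUD = {"StringEquals": {AUD: "sts.amazonaws.com"},
               "StringLike": {SUB: "repo:techbytes/app:environment:production"}}
# Over-broad wildcard: every repository in the org can assume the role.
ORG_WIDE = {"StringLike": {SUB: "repo:techbytes/*"}}

# Constructed claim sets, as the trust policy would see them.
PROD_JOB = {"aud": "sts.amazonaws.com", "sub": "repo:techbytes/app:environment:production"}
FEATURE_JOB = {"aud": "sts.amazonaws.com", "sub": "repo:techbytes/app:ref:refs/heads/feature-x"}
OTHER_REPO_JOB = {"aud": "sts.amazonaws.com", "sub": "repo:techbytes/sandbox:ref:refs/heads/main"}
WRONG_AUD_JOB = {"aud": "https://example.invalid", "sub": "repo:techbytes/app:environment:production"}

if __name__ == "__main__":
    for name, cond in [("ENV_ONLY", ENV_ONLY), ("ENV_AND_AUD", ENV_AND_AUD), ("ORG_WIDE", ORG_WIDE)]:
        for job, claims in [("prod", PROD_JOB), ("feature", FEATURE_JOB),
                            ("other repo", OTHER_REPO_JOB), ("wrong aud", WRONG_AUD_JOB)]:
            verdict = "ALLOW" if policy_allows(trust_policy(cond), claims) else "deny"
            print(f"{name:12} {job:10} -> {verdict}")
```

Two things the run makes visible: `StringLike` with no wildcard behaves as an exact match, so the page's condition correctly rejects a feature-branch job, and a pattern such as `repo:techbytes/*` quietly extends trust to every repository in the organisation. Adding the `aud` pin costs nothing and rejects tokens minted for some other audience at the policy layer as well.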