CI/CD Pipelines
No more AWS keys in GitHub Secrets
GitHub Actions already issues OIDC tokens per-workflow. Aembit extends this pattern to every pipeline step, every cloud target, every environment — with a unified policy layer and audit log.
Before and after
Removing AWS_ACCESS_KEY_ID from your CI pipeline
The GitHub Actions OIDC token identifies the workflow run. Aembit validates it and issues scoped AWS credentials — no long-lived keys anywhere.
Before
Long-lived keys in GitHub Secrets
.github/workflows/deploy.yml
env:
  AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
  AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET }}
  # rotated quarterly, if at all
  # same key across all environments
  # if leaked: full AWS account access
After Aembit
Per-run scoped credentials
.github/workflows/deploy.yml
permissions:
  id-token: write # OIDC token
steps:
  - uses: aembit/setup-action@v1
    with:
      policy: ci-deploy-prod
    # token issued per-run, expires on workflow end
    # scoped to prod environment only
1. GitHub issues OIDC token
GitHub Actions issues a per-run OIDC token containing the workflow repo, ref, run ID, and environment. This token is cryptographically signed by GitHub's OIDC provider.
iss: token.actions.githubusercontent.com
2. Aembit validates and checks policy
Aembit validates the GitHub OIDC token and checks your policy: does this workflow (repo + ref + environment) have permission to deploy to the target environment?
policy: allow ci-deploy-prod if env=production
3. Scoped credentials issued
Aembit issues temporary AWS credentials scoped to the minimum permissions needed for that deployment step. When the workflow ends, the credentials expire automatically.
AWS STS token: TTL = workflow duration
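The policy step described above, as an added example that is not Aembit's or GitHub's code: it evaluates the claims of a GitHub Actions OIDC token (issuer, audience, expiry, and the repo/ref/environment identity) against a deploy policy, and derives a credential lifetime bounded by the token's remaining validity. It assumes the JWT signature has already been verified against GitHub's JWKS endpoint, and the policy name, repository and claim values are constructed.

```python
# Added example (not Aembit's or GitHub's code): the claim/policy check from
# the text. Assumes the JWT signature was already verified against GitHub's JWKS
# (https://token.actions.githubusercontent.com/.well-known/jwks).
import time
from dataclasses import dataclass
from typing import Optional, Tuple

# Real iss value of GitHub Actions OIDC tokens; the claim carries the full URL.
GITHUB_ISSUER = "https://token.actions.githubusercontent.com"


@dataclass(frozen=True)
class Policy:
    name: str          # e.g. "ci-deploy-prod"
    audience: str      # aud the token must carry for this validator
    repository: str    # "org/repo" allowed to deploy
    ref: str           # git ref allowed to deploy, e.g. "refs/heads/main"
    environment: str   # deployment environment the policy is bound to


def evaluate(claims: dict, policy: Policy, now: Optional[float] = None) -> Tuple[bool, str]:
    """Return (allowed, reason); every gate denies by default."""
    now = time.time() if now is None else now
    if claims.get("iss") != GITHUB_ISSUER:
        return False, "issuer is not GitHub Actions"
    if claims.get("aud") != policy.audience:
        return False, "audience mismatch"
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        return False, "token expired or missing exp"
    # sub is the canonical identity (repo:ORG/REPO:environment:NAME when the job
    # runs in a GitHub environment); check it and the flat claims so a token
    # minted for another ref or environment cannot pass.
    expected_sub = f"repo:{policy.repository}:environment:{policy.environment}"
    for claim, want in (("sub", expected_sub), ("repository", policy.repository),
                        ("ref", policy.ref), ("environment", policy.environment)):
        if claims.get(claim) != want:
            return False, f"{claim} does not match policy {policy.name}"
    return True, f"allow {policy.name}"


def credential_ttl(claims: dict, now: float, cap: int = 3600) -> int:
    """STS session lifetime: never beyond the token's remaining validity or the
    cap (the cap value is an assumption, not from the page)."""
    return max(0, min(cap, int(claims["exp"] - now)))


# Constructed sample claims; illustrative values, not captured from a real run.
CI_DEPLOY_PROD = Policy("ci-deploy-prod", "aembit", "example-org/shop", "refs/heads/main", "production")
NOW = 1_700_000_000
GOOD = {"iss": GITHUB_ISSUER, "aud": "aembit", "exp": NOW + 300, "run_id": "123",
        "sub": "repo:example-org/shop:environment:production",
        "repository": "example-org/shop", "ref": "refs/heads/main", "environment": "production"}
PR_RUN = {**GOOD, "ref": "refs/pull/42/merge", "sub": "repo:example-org/shop:pull_request"}
```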