# Long-lived cloud credentials instead of OIDC

| Rule ID | |
|---|---|
| Category | security |
| Severity | medium |
Workflow uses static cloud credentials (AWS_ACCESS_KEY_ID, etc.) stored as secrets instead of OIDC short-lived tokens.
## Detection
static_analysis — Checks field presence or value in the workflow YAML.
## Examples
Non-compliant:
```yaml
jobs:
  deploy:
    env:
      AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
      AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
    steps:
      - run: aws s3 sync dist/ s3://my-bucket
```
Compliant:
```yaml
permissions:
  id-token: write
  contents: read
jobs:
  deploy:
    steps:
      - uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: arn:aws:iam::123456789:role/github-actions
          aws-region: us-east-1
      - run: aws s3 sync dist/ s3://my-bucket
```
Fix: Configure OIDC federation between GitHub Actions and your cloud provider. Grant id-token: write permission and use the provider’s official OIDC action instead of storing long-lived credentials.
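The check described under Detection, written out as an added example (this is not the linter's own implementation). It scans a workflow line by line with the standard library only, so it matches `key: value` lines by regex rather than walking a parsed YAML tree; the list of credential names beyond `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY`, the normalisation of action-input names such as `aws-access-key-id`, and the `id-token: write` lookup are assumptions made here. The two sample workflows embedded below are the page's own examples, re-indented.

```python
"""Line-based check for long-lived cloud credentials in a GitHub Actions workflow.

Added example for this rule page, not the linter's implementation. It avoids a
YAML library so it runs with the standard library alone, which means it inspects
`key: value` lines by regex instead of walking the parsed document.
"""
import re
from dataclasses import dataclass

# Credential names treated as long-lived. The page names only AWS_ACCESS_KEY_ID
# and AWS_SECRET_ACCESS_KEY; the other entries are assumptions added here.
STATIC_CREDENTIAL_KEYS = frozenset({
    "AWS_ACCESS_KEY_ID",
    "AWS_SECRET_ACCESS_KEY",
    "AZURE_CLIENT_SECRET",
    "GOOGLE_APPLICATION_CREDENTIALS",
})

# One `key: value` pair per line, optionally as a `- ` list item. Action inputs
# such as `aws-access-key-id:` match too and are normalised to the env-var spelling.
KEY_VALUE_RE = re.compile(r"^\s*(?:-\s*)?(?P<key>[A-Za-z][A-Za-z0-9_-]*)\s*:\s*(?P<value>.*)$")
SECRET_REF_RE = re.compile(r"\$\{\{\s*secrets\.(?P<name>[A-Za-z0-9_]+)\s*\}\}")
ID_TOKEN_WRITE_RE = re.compile(r"^\s*id-token\s*:\s*write\s*$", re.MULTILINE)


@dataclass(frozen=True)
class Finding:
    line: int    # 1-based line number in the workflow file
    key: str     # the YAML key that carried the credential
    reason: str


def normalise(key: str) -> str:
    """Map an action input like aws-access-key-id onto AWS_ACCESS_KEY_ID."""
    return key.upper().replace("-", "_")


def scan_workflow(text: str) -> list[Finding]:
    """Return one Finding per line that sets or references a static credential."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if line.lstrip().startswith("#"):
            continue  # YAML comment
        m = KEY_VALUE_RE.match(line)
        if not m:
            continue
        key, value = m.group("key"), m.group("value")
        if normalise(key) in STATIC_CREDENTIAL_KEYS:
            findings.append(Finding(line_no, key, "static credential set as env var or action input"))
            continue
        # Also catch a renamed key whose value still pulls a long-lived secret.
        ref = SECRET_REF_RE.search(value)
        if ref and ref.group("name") in STATIC_CREDENTIAL_KEYS:
            findings.append(Finding(line_no, key, f"references long-lived secret {ref.group('name')}"))
    return findings


def uses_oidc(text: str) -> bool:
    """True when the workflow requests an OIDC token via `id-token: write`."""
    return ID_TOKEN_WRITE_RE.search(text) is not None


# Constructed samples: the page's two examples, re-indented as real YAML.
NON_COMPLIANT = """\
jobs:
  deploy:
    env:
      AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
      AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
    steps:
      - run: aws s3 sync dist/ s3://my-bucket
"""

COMPLIANT = """\
permissions:
  id-token: write
  contents: read
jobs:
  deploy:
    steps:
      - uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: arn:aws:iam::123456789:role/github-actions
          aws-region: us-east-1
      - run: aws s3 sync dist/ s3://my-bucket
"""

if __name__ == "__main__":
    for name, wf in (("non-compliant", NON_COMPLIANT), ("compliant", COMPLIANT)):
        print(f"{name}: oidc={uses_oidc(wf)}")
        for f in scan_workflow(wf):
            print(f"  line {f.line}: {f.key} - {f.reason}")
```

Running the script reports the two `env` keys in the non-compliant workflow and nothing for the compliant one, which is also the only one that requests `id-token: write`. A line-based scanner will not follow YAML anchors or multi-line values, so the same logic in the real linter should run over the parsed document.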