No description
Find a file
Workshop Setup 5e19ced97c
All checks were successful
Deploy Site / deploy (push) Successful in 1m31s
Initial commit: pipeline with static credentials
2026-07-15 16:54:23 +00:00
.forgejo/workflows Initial commit: pipeline with static credentials 2026-07-15 16:54:23 +00:00
index.html Initial commit: pipeline with static credentials 2026-07-15 16:54:23 +00:00
README.md Initial commit: pipeline with static credentials 2026-07-15 16:54:23 +00:00

Demo Pipeline

This repository deploys the Unicorn Rentals Portal (static site) to S3 and invalidates the CloudFront cache.

Current Setup

The pipeline uses AWS credentials stored as repository secrets:

  • AWS_ACCESS_KEY_ID
  • AWS_SECRET_ACCESS_KEY

These belong to the IAM user PipelineDeployer.

Site URL

After deploy, the site is accessible via CloudFront (see Event Outputs for the URL).

Your Mission

The current setup is insecure:

  • Static access keys that never expire
  • Keys have AdministratorAccess (way more than needed)
  • If secrets leak, attacker has full account access
  • No way to scope access by branch or repo

Fix this by implementing OIDC federation -- the pipeline should assume an IAM Role with temporary credentials scoped to this repo and branch.

Follow the workshop guide for step-by-step instructions.