No description
- HTML 100%
|
|
||
|---|---|---|
| .forgejo/workflows | ||
| index.html | ||
| README.md | ||
Demo Pipeline
This repository deploys the Unicorn Rentals Portal (static site) to S3 and invalidates the CloudFront cache.
Current Setup
The pipeline uses AWS credentials stored as repository secrets:
AWS_ACCESS_KEY_IDAWS_SECRET_ACCESS_KEY
These belong to the IAM user PipelineDeployer.
Site URL
After deploy, the site is accessible via CloudFront (see Event Outputs for the URL).
Your Mission
The current setup is insecure:
- Static access keys that never expire
- Keys have
AdministratorAccess(way more than needed) - If secrets leak, attacker has full account access
- No way to scope access by branch or repo
Fix this by implementing OIDC federation -- the pipeline should assume an IAM Role with temporary credentials scoped to this repo and branch.
Follow the workshop guide for step-by-step instructions.