Aembit Earns Prestigious Runner-Up Spot at RSA Innovation Sandbox Contest! Watch the Announcement

RSAC™ Innovation Sandbox FINALIST 2024 banner
Aembit wins the 2024 RSA Conference Innovation Sandbox contest! Read the news
RSAC™ Innovation Sandbox FINALIST 2024 banner
Aembit is an RSA Conference Innovation Sandbox finalist! Read the news
Blog

Introducing Aembit Access Management for CI/CD Platforms

Our identity federation capability better secures and streamlines CI/CD workflows, like in GitHub Actions and GitLab, with short-lived, secretless credentials.
Introducing Aembit Access Management for CI/CD Platforms

Today we’re announcing a new use case of Workload IAM that secures access to a critical software ecosystem: comprehensive workload access management support for continuous integration/continuous deployment (CI/CD) platforms.

This functionality is crucial for teams using CI/CD tools like GitHub Actions and GitLab Jobs, where securing secrets and managing access rights can directly influence the safety, compliance, and efficiency of software deployment processes.

As a security engineer at one of our customers succinctly put it: “Our job is to make sure there are no secrets in our CI/CD pipelines.” 

Aembit does exactly that, while improving security, automation, and visibility into workload-to-workload access.

If you want to see this capability in action, just watch our video demo for securing GitLab. Alternatively, you can view our GitHub and Gitlab integration documentation.

The Current Landscape of Secrets in CI/CD

In the world of CI/CD, secrets such as passwords, tokens, and keys are fundamental for automating software builds, tests, and deployments. These secrets can be used hundreds – even thousands – of times per hour to access databases, third-party services, and other critical resources. However, managing these secrets can be fraught with risks

Typically, secrets are embedded in source code or left in configuration files, making them vulnerable to exposure. Even when secrets are encrypted or managed through environment variables, they still reside within CI/CD environments, which can be compromised. The result? Significant security risks, including unauthorized access and data breaches.

Today, security teams have two unreliable approaches to dealing with this problem:

1) Teach developers to use best practices and hope that they’ll use secrets management tools for some minimal level of security.

2) React by continuously scanning for secrets and cleaning up the proverbial mess on a regular basis. (Whack-a-mole, anyone?)

But what security teams would rather do is eliminate long-lived secrets. Enter Aembit.

Aembit’s Solution: Secure Access Through Identity Federation

Recognizing the vulnerabilities associated with traditional secrets management, Aembit has introduced a groundbreaking approach through identity federation.

Our platform now seamlessly integrates with CI/CD services, including (but not limited to) GitHub Actions and GitLab, enhancing the security and management of access rights.

How Aembit Enhances Security in GitLab CI/CD

Aembit’s integration with GitLab exemplifies our commitment to secure software development practices. By leveraging identity federation, Aembit interacts directly with GitLab’s underlying infrastructure to manage authentication and authorization processes via short-lived, secretless credentials that are based on the identity of the runner (pick your lingo based on the tool you’re using here). Here’s how it works:

1) Manage Access, Not Secrets: Aembit allows you to set a simple policy that defines access rights to and from your CI/CD pipeline. Based on this, Aembit will automate the delivery of  access credentials when they are needed. 

2) Centralized Identity Federation: Replacing long-lived credentials with identity federation means that Aembit will validate the identity of each runner via GitLab before authorizing and issuing an access credential. This replaces the need for an identity secret and the need for storing an access secret.

3) Just-In-Time Credentials: Aembit eliminates the need for long-lived secrets stored within your CI/CD pipelines. Instead, our system provides just-in-time credentials that are generated when a pipeline job starts – and automatically revoked when it ends. This means each job can have a unique set of credentials, minimizing the risk of secret leakage or unauthorized access.

4) Role-Based Access Control: Within GitLab, Aembit ensures that access to secrets is strictly governed by the principle of least privilege. Processes receive only the credentials necessary to perform their tasks, significantly reducing the attack surface.

5) Audit Trails and Monitoring: Aembit’s integration offers comprehensive logging and monitoring of all access events within your pipelines. This not only helps in maintaining a secure environment but also aids in compliance and forensic analysis should security incidents occur. Logs can be exported to your monitoring and alerting systems.

Flexible Integration

CI/CD systems can be complex and often customized to your company’s specific needs. So Aembit has made it easy and flexible to integrate our capabilities with minimal disruption. We offer two methods of integration today – and plan to continue working with our customers on other methods that make sense for them:

1) Use the Aembit API

With this approach, your runner provides a GitLab OIDC token to Aembit via a simple API call. Aembit then attests to the identity of the runner and provides access based on policy. There is nothing additional to deploy, so it works well for shared runners.

2) Use Aembit Edge

Aembit Edge is a transparent proxy that can fully offload auth from your system. Edge can intercept runner access requests to other workloads, and communicate with Aembit Cloud to obtain necessary access credentials. This method allows you to implement Workload IAM with no disruption to existing runners, and future runners don’t need to worry about authentication to downstream services. (Note: This version of integration is beta and will be generally available soon.)

Your organization will be fully supported with either method of Aembit deployment. You may even use both depending on your situation. 

Transforming CI/CD Security with Aembit

The introduction of the Aembit Access Management feature for CI/CD platforms represents a pivotal shift in how secrets and credentials are handled in the software development lifecycle. By ensuring that credentials are only available on-demand, securely managed, and thoroughly monitored, Aembit is setting new standards for security in CI/CD workflows.

We invite DevOps teams, security professionals, and software developers to give Aembit a try. We provide production-grade service for up to 10 workloads for free, and we’re happy to help you get set up and running.

You might also like

Modern software development accelerates progress but introduces security risks that must be managed to protect organizational integrity and reputation.
As the demand for API access continues to grow, so does the urgency of adopting more secure authentication methods.
A string of recent compromises involving non-human identity credentials are putting organizations on high alert. Here's what you can do about it.