Today we’re announcing a new use case of Workload IAM that secures access to a critical software ecosystem: comprehensive workload access management support for continuous integration/continuous deployment (CI/CD) platforms.
Secrets in your CI/CD platform are a major problem. It comes down to this: if your pipeline (or the supporting infrastructure) has secrets, then those secrets can be observed. Secrets may accidentally be written out to job logs, they may be committed to code repositories in plain text, and poisoned code running in the pipeline can read and exfiltrate them.
Our vision is to eliminate static, long-lived secrets from CI/CD and replace them with short-lived, identity-based credentials that are delivered just in time.
This functionality is crucial for teams using CI/CD tools like GitHub Actions and GitLab CI/CD jobs, where securing secrets and managing access rights directly influence the safety, compliance, and efficiency of software deployment processes.
As a security engineer at one of our customers succinctly put it: “Our job is to make sure there are no secrets in our CI/CD pipelines.”
Aembit does exactly that, while improving security, automation, and visibility into workload-to-workload access.
If you want to see this capability in action, watch our video demo for securing GitLab. Alternatively, you can view our GitHub and GitLab integration documentation.
The Current Landscape of Secrets in CI/CD
In the world of CI/CD, secrets such as passwords, tokens, and keys are fundamental for automating software builds, tests, and deployments. These secrets can be used hundreds – even thousands – of times per hour to access databases, third-party services, and other critical resources. However, managing these secrets can be fraught with risks.
Typically, secrets are embedded in source code or left in configuration files, making them vulnerable to exposure. Even when secrets are encrypted or managed through environment variables, they still reside within CI/CD environments, which can be compromised. The result? Significant security risks, including unauthorized access and data breaches.
Today, security teams have two unreliable approaches to dealing with this problem:
1) Teach developers to use best practices and hope that they’ll use secrets management tools for some minimal level of security.
2) React by continuously scanning for secrets and cleaning up the proverbial mess on a regular basis. (Whack-a-mole, anyone?)
But what security teams would rather do is eliminate long-lived secrets. Enter Aembit.
Aembit’s Solution: Secure Access Through Identity Federation
Recognizing the vulnerabilities associated with traditional secrets management, Aembit has introduced a groundbreaking approach through identity federation.
Our platform now seamlessly integrates with CI/CD services, including (but not limited to) GitHub Actions and GitLab, enhancing the security and management of access rights.
How Aembit Enhances Security in GitLab CI/CD
Aembit’s integration with GitLab exemplifies our commitment to secure software development practices. By leveraging identity federation, Aembit works with GitLab’s own job identity mechanism to handle authentication and authorization with short-lived credentials that are issued on the strength of the runner’s identity (or the job’s, or the agent’s, depending on what your CI tool calls it) rather than on a pre-provisioned secret. Here’s how it works:
1) Manage Access, Not Secrets: Aembit allows you to set a simple policy that defines access rights to and from your CI/CD pipeline. Based on this, Aembit will automate the delivery of access credentials when they are needed.
2) Centralized Identity Federation: Replacing long-lived credentials with identity federation means that Aembit validates the identity of each runner using the identity token GitLab issues to the job before authorizing and issuing an access credential. This removes both the need for an identity secret (something the runner presents to prove who it is) and the need to store an access secret (something the runner presents to the downstream service).
3) Just-In-Time Credentials: Aembit eliminates the need for long-lived secrets stored within your CI/CD pipelines. Instead, our system provides just-in-time credentials that are generated when a pipeline job starts and automatically revoked or expired when it ends. Each job can therefore have a unique set of credentials, so a credential leaked from one job is worthless to the next and cannot be reused by an attacker who captures it later.
4) Least-Privilege Access Control: Within GitLab, Aembit ensures that access to downstream credentials is strictly governed by the principle of least privilege. Each job receives only the credentials necessary to perform its task, significantly reducing the attack surface.
5) Audit Trails and Monitoring: Aembit’s integration offers comprehensive logging and monitoring of all access events within your pipelines. This not only helps in maintaining a secure environment but also aids in compliance and forensic analysis should security incidents occur. Logs can be exported to your monitoring and alerting systems.
Flexible Integration
CI/CD systems can be complex and often customized to your company’s specific needs. So Aembit has made it easy and flexible to integrate our capabilities with minimal disruption. We offer two methods of integration today – and plan to continue working with our customers on other methods that make sense for them:
1) Use the Aembit API
With this approach, your runner provides a GitLab OIDC token to Aembit via a simple API call. Aembit validates that token (it is signed by GitLab and carries claims identifying the project, ref, and job), thereby attesting to the identity of the runner, and then grants access based on policy. There is nothing additional to deploy, so it works well for shared runners.
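The flow sketched in the list above and in the API method is the standard OIDC federation pattern, and it is worth seeing the verifier side in code. The following is an added example and not Aembit’s code or API: a small, stand-alone Python verifier that takes a CI job’s ID token, pins the signature algorithm, checks the signature, issuer, audience and validity window, matches the token’s claims against an access policy, and mints a per-job credential whose lifetime is capped at the token’s own expiry so it cannot outlive the job. The claim names (`project_path`, `ref`, `ref_type`, `ref_protected`, `job_id`, `sub`) follow GitLab’s ID token claims, but the sample claims, issuer and audience URLs, policy rules, and resource names are constructed for the example. Real GitLab and GitHub tokens are RS256-signed and must be verified against the issuer’s published JWKS; the HS256 demo key here is an assumption made only so the file runs offline. On the job side, GitLab mints the token through the `id_tokens:` keyword in `.gitlab-ci.yml` (with an `aud` set to your verifier), and GitHub Actions does so when the workflow grants `permissions: id-token: write`.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time


class RejectedToken(Exception):
    """Raised when a CI identity token fails verification or is denied by policy."""


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


# Constructed stand-in for the CI platform's OIDC issuer (assumption: real GitLab /
# GitHub ID tokens are RS256-signed and verified against the issuer's JWKS; an
# HS256 shared demo key is used only so this example runs offline).
DEMO_KEY = b"demo-signing-key-not-for-production"
ISSUER = "https://gitlab.example.com"     # assumed issuer URL
AUDIENCE = "https://iam.example.com"      # assumed audience the job requested the token for

# Constructed claims, shaped like a GitLab CI ID token (GitLab emits ref_protected
# and the id claims as strings).
SAMPLE_CLAIMS = {
    "iss": ISSUER, "aud": AUDIENCE,
    "sub": "project_path:platform/payments-api:ref_type:branch:ref:main",
    "project_path": "platform/payments-api", "namespace_path": "platform",
    "ref": "main", "ref_type": "branch", "ref_protected": "true",
    "pipeline_id": "4711", "job_id": "98765",
    "iat": 1_700_000_000, "nbf": 1_700_000_000, "exp": 1_700_000_000 + 1800,
}

# Hypothetical access policy: which job identities (by claim) may obtain which
# downstream credential, and for how long. Nothing here is a secret the job holds.
POLICY = [
    {"resource": "prod-db", "ttl": 600, "require": {
        "project_path": "platform/payments-api", "ref_type": "branch",
        "ref": "main", "ref_protected": "true"}},
    {"resource": "staging-db", "ttl": 300, "require": {
        "project_path": "platform/payments-api", "ref_type": "branch"}},
]


def mint_ci_token(claims: dict, key: bytes = DEMO_KEY) -> str:
    """Stand-in for the CI platform's token issuer (HS256 demo only)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def verify_ci_token(token: str, key: bytes, now: int, iss: str = ISSUER, aud: str = AUDIENCE) -> dict:
    """Return the claims if the token is genuine, unexpired and meant for us."""
    try:
        head_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(head_b64))
        claims = json.loads(_b64url_decode(body_b64))
        sig = _b64url_decode(sig_b64)
    except ValueError:
        raise RejectedToken("malformed token")
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise RejectedToken("malformed token")
    # Pin the algorithm server-side; never let the token pick it (rejects alg=none).
    if header.get("alg") != "HS256":
        raise RejectedToken("unexpected alg")
    expected = hmac.new(key, f"{head_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        raise RejectedToken("bad signature")
    if claims.get("iss") != iss:
        raise RejectedToken("wrong issuer")
    aud_claim = claims.get("aud")
    if aud not in (aud_claim if isinstance(aud_claim, list) else [aud_claim]):
        raise RejectedToken("wrong audience")
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise RejectedToken("expired")
    if claims.get("nbf", 0) > now:
        raise RejectedToken("not yet valid")
    return claims


def authorize(claims: dict, resource: str) -> dict:
    """Find the first policy rule whose required claims the job's token satisfies."""
    for rule in POLICY:
        if rule["resource"] == resource and all(
                claims.get(k) == v for k, v in rule["require"].items()):
            return rule
    raise RejectedToken(f"policy denies {claims.get('sub')} -> {resource}")


def issue_credential(token: str, resource: str, now=None) -> dict:
    """Exchange a verified job identity for a fresh, short-lived credential."""
    now = int(time.time()) if now is None else now
    claims = verify_ci_token(token, DEMO_KEY, now)
    rule = authorize(claims, resource)
    # The credential must never outlive the job identity that earned it.
    expires_at = min(now + rule["ttl"], claims["exp"])
    return {
        "resource": resource,
        "subject": claims["sub"],
        "job_id": claims.get("job_id"),
        "secret": secrets.token_urlsafe(32),   # unique per job, nothing stored in the pipeline
        "expires_at": expires_at,
    }


if __name__ == "__main__":
    now = SAMPLE_CLAIMS["iat"] + 60
    print(issue_credential(mint_ci_token(SAMPLE_CLAIMS), "prod-db", now))
```

The two checks most often skipped in home-grown verifiers are the pinned algorithm and the audience: without the first, a forged `alg: none` token passes; without the second, a token the job legitimately obtained for some other service can be replayed against yours. Binding the issued credential’s expiry to the token’s `exp` is what turns "short-lived" from a configuration value into a property the job cannot escape.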
2) Use Aembit Edge
Aembit Edge is a transparent proxy that can fully offload authentication from your system. Edge intercepts the runner’s access requests to other workloads and communicates with Aembit Cloud to obtain the necessary access credentials. This method lets you implement Workload IAM with no changes to existing runners, and future runners don’t need to handle authentication to downstream services at all. (Note: this integration is in beta and will be generally available soon.)
Your organization will be fully supported with either method of Aembit deployment. You may even use both depending on your situation.
Transforming CI/CD Security with Aembit
The introduction of the Aembit Access Management feature for CI/CD platforms represents a pivotal shift in how secrets and credentials are handled in the software development lifecycle. By ensuring that credentials are only available on-demand, securely managed, and thoroughly monitored, Aembit is setting new standards for security in CI/CD workflows.
We invite DevOps teams, security professionals, and software developers to give Aembit a try. We provide production-grade service for up to 10 workloads for free, and we’re happy to help you get set up and running.