IAM concepts

Identity and Access Management (IAM) covers the policies, processes, and tools used to manage digital identities, human and non-human alike, and to regulate their access to resources. Its key principles are authentication (proving who an identity is), authorization (deciding what it may do), provisioning and deprovisioning (granting and removing access over the identity's lifecycle), and least privilege (granting no more access than the task requires). Effective IAM ensures that the right identities have the right access at the right time, and no longer.

Categories:

GitHub Actions OIDC

GitHub Actions OIDC is a workload identity mechanism that lets GitHub Actions CI/CD workflows authenticate to cloud providers and other external services with short-lived, cryptographically signed tokens instead of stored secrets. When a job runs with the id-token: write permission, GitHub issues it an OIDC token (a signed JWT) whose claims identify the repository, branch or tag, environment and workflow. Cloud platforms such as AWS, Azure and GCP verify the signature against GitHub's published keys and exchange the token for short-lived, scoped access credentials, so no long-lived cloud credential has to be stored as a GitHub secret. The security of the arrangement rests on the cloud-side trust policy: it must pin the token's audience and constrain the sub claim to the specific repository and ref or environment, because a policy that only checks the issuer would let any GitHub repository assume the role.

Ephemeral Credentials

Ephemeral credentials are short-lived tokens or secrets issued dynamically to a specific workload at the moment of access and expiring automatically after a short lifetime, typically minutes to hours. Unlike static API keys or long-lived service account passwords, they limit the window of exposure if compromised: a leaked credential is useful only until it expires, and rotation happens by construction rather than as a manual chore. They are a core building block of secretless architecture, where workloads prove their identity and receive credentials just in time rather than storing them in configuration or code.

OAuth 2.1

OAuth 2.1 is a consolidation of the OAuth 2.0 framework, developed in the IETF, that folds in the security best practices accumulated over years of real-world deployment. It removes the implicit and resource owner password credentials grants, requires PKCE for the authorization code flow, requires exact string matching of redirect URIs, forbids bearer tokens in URI query strings, and requires refresh tokens issued to public clients to be sender-constrained or rotated on each use. For workloads and AI agents authenticating to APIs and MCP servers, OAuth 2.1 is the modern baseline for secure, standardized authorization between non-human identities and protected resources.
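The two OAuth 2.1 requirements that matter most in practice, PKCE and exact redirect-URI matching, are easiest to see with both sides of the flow in one place. The following is an added example written for this page, not code from any OAuth library or from the page's author: the client_id, redirect URI and in-memory code store are constructed, while the verifier and S256 challenge derivation follow RFC 7636. It shows the legitimate flow succeeding, a stolen authorization code failing without its verifier, a non-exact redirect URI being refused, and the implicit grant being refused outright.

```python
"""OAuth 2.1 authorization-code flow with PKCE, both sides in one process.
Constructed example: client_id, redirect URI and the in-memory code store are
illustrative, not a real library's API. Verifier/challenge follow RFC 7636."""
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode


def b64url(raw: bytes) -> str:
    """Base64url without padding, as PKCE requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_verifier() -> str:
    """32 random bytes encode to 43 unreserved chars, the RFC 7636 minimum length."""
    return b64url(secrets.token_bytes(32))


def challenge_for(verifier: str) -> str:
    """S256: code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


class AuthorizationServer:
    """Minimal server: exact redirect-URI match, S256 PKCE only, single-use codes."""

    def __init__(self, clients: dict):
        self.clients = clients      # client_id -> the one registered redirect_uri
        self._codes = {}            # code -> (client_id, code_challenge)

    def authorize(self, query: str):
        q = {k: v[0] for k, v in parse_qs(query).items()}
        if q.get("response_type") != "code":            # implicit grant is gone in 2.1
            return None
        if self.clients.get(q.get("client_id")) != q.get("redirect_uri"):
            return None                                 # exact string match, no prefixes
        if q.get("code_challenge_method") != "S256" or not q.get("code_challenge"):
            return None                                 # PKCE mandatory; 'plain' refused
        code = secrets.token_urlsafe(24)
        self._codes[code] = (q["client_id"], q["code_challenge"])
        return code

    def token(self, form: dict):
        entry = self._codes.pop(form.get("code"), None)  # any use, good or bad, burns the code
        if entry is None or form.get("grant_type") != "authorization_code":
            return None
        client_id, challenge = entry
        if form.get("client_id") != client_id:
            return None
        presented = challenge_for(form.get("code_verifier", ""))
        if not secrets.compare_digest(presented, challenge):
            return None                                 # code stolen without its verifier
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer", "expires_in": 600}


CLIENT_ID, REDIRECT = "spa-123", "https://app.example/cb"   # constructed registration


def run_code_flow(server: AuthorizationServer, redirect_uri: str, verifier_at_token: str = "") -> bool:
    """Client side of one flow; returns True if an access token was obtained.
    verifier_at_token lets the caller simulate an attacker who has the code but not the verifier."""
    verifier = make_verifier()
    query = urlencode({"response_type": "code", "client_id": CLIENT_ID,
                       "redirect_uri": redirect_uri, "state": secrets.token_urlsafe(8),
                       "code_challenge": challenge_for(verifier), "code_challenge_method": "S256"})
    code = server.authorize(query)
    if code is None:
        return False
    form = {"grant_type": "authorization_code", "code": code, "client_id": CLIENT_ID,
            "code_verifier": verifier_at_token or verifier}
    return server.token(form) is not None


def demo() -> dict:
    """Four scenarios against one server; only the honest flow should get a token."""
    server = AuthorizationServer({CLIENT_ID: REDIRECT})
    return {
        "legit": run_code_flow(server, REDIRECT),
        "stolen_code": run_code_flow(server, REDIRECT, verifier_at_token=make_verifier()),
        "wrong_redirect": run_code_flow(server, REDIRECT + "/../evil"),
        "implicit_refused": server.authorize(urlencode({"response_type": "token",
                                                        "client_id": CLIENT_ID,
                                                        "redirect_uri": REDIRECT})) is None,
    }


if __name__ == "__main__":
    print(demo())
```

The server pops the code before checking the verifier on purpose: a failed redemption attempt consumes the code, so an attacker racing the real client gets at most one try and the real client's later attempt fails loudly instead of silently succeeding alongside the attacker's.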

Secret Zero

Secret Zero is the foundational credential a workload needs in order to reach a secrets manager or credential store in the first place. It is the bootstrapping problem at the heart of secrets management: how do you securely deliver the first secret without embedding it somewhere static, such as a config file, a container image layer or a CI variable? In workload identity, solving Secret Zero means replacing that initial static credential with an identity the platform itself attests, such as a cloud instance identity document, a Kubernetes service account token or a CI provider's OIDC token, which the secrets manager verifies before handing out anything else.
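The GitHub Actions OIDC, Ephemeral Credentials and Secret Zero entries above describe one mechanism from three angles, so a single worked example serves all three. This is an added example written for this page, not GitHub's, any cloud provider's or any project's code: the claim values, trust policies, broker and credential format are constructed, and JWT signature verification against the issuer's published JWKS is assumed to have happened before the claim checks run (a real deployment would do that with a JWT library). It shows a strict trust policy accepting the intended repository and rejecting a look-alike fork and an expired token, a permissive policy accepting the fork, and the issued credential becoming useless once its TTL passes.

```python
"""Workload identity exchange: (1) a CI job's OIDC claims are checked against a
cloud-side trust policy, (2) the broker mints a credential with a short TTL,
(3) the resource refuses that credential once the TTL has passed.
Constructed example, not GitHub's or any cloud provider's code. JWT signature
verification against the issuer's JWKS is assumed to have happened before
claims_satisfy() runs; the claim values and policies below are made up."""
import fnmatch
import hmac
import secrets
from dataclasses import dataclass

GITHUB_ISSUER = "https://token.actions.githubusercontent.com"
NOW = 1_700_000_000  # fixed clock so the run is deterministic


@dataclass(frozen=True)
class TrustPolicy:
    """Conditions a role trust policy would carry. sub_patterns uses the
    '*'/'?' wildcard semantics of IAM StringLike, approximated here with fnmatch."""
    issuer: str
    audience: str
    sub_patterns: tuple


def claims_satisfy(claims: dict, policy: TrustPolicy, now: float) -> bool:
    """Bind already-signature-verified claims to one policy: issuer, audience,
    validity window, and a subject pattern naming the repo and ref/environment."""
    if claims.get("iss") != policy.issuer:
        return False
    aud = claims.get("aud")
    if policy.audience not in (aud if isinstance(aud, list) else [aud]):
        return False
    if not (claims.get("nbf", 0) <= now < claims.get("exp", 0)):
        return False
    return any(fnmatch.fnmatchcase(claims.get("sub", ""), p) for p in policy.sub_patterns)


@dataclass(frozen=True)
class Credential:
    access_key: str
    secret: str
    expires_at: float


class Broker:
    """Stands in for the cloud token service and the resource it fronts."""

    def __init__(self, policy: TrustPolicy, ttl_seconds: int):
        self.policy, self.ttl, self._live = policy, ttl_seconds, {}

    def exchange(self, claims: dict, now: float):
        """OIDC claims in, ephemeral credential out; nothing static is ever stored in CI."""
        if not claims_satisfy(claims, self.policy, now):
            return None
        cred = Credential("tmp-" + secrets.token_hex(6), secrets.token_urlsafe(32), now + self.ttl)
        self._live[cred.access_key] = cred
        return cred

    def accept(self, access_key: str, secret: str, now: float) -> bool:
        """Resource side: a leaked credential is useless after expires_at."""
        cred = self._live.get(access_key)
        if cred is None or now >= cred.expires_at:
            return False
        return hmac.compare_digest(cred.secret, secret)


# Constructed claim sets; field names follow GitHub's documented OIDC token claims.
MAIN_CLAIMS = {
    "iss": GITHUB_ISSUER, "aud": "sts.amazonaws.com",
    "sub": "repo:acme/payments:ref:refs/heads/main",
    "repository": "acme/payments", "ref": "refs/heads/main",
    "nbf": NOW - 60, "iat": NOW - 60, "exp": NOW + 300,
}
FORK_CLAIMS = dict(MAIN_CLAIMS, sub="repo:mallory/payments:ref:refs/heads/main",
                   repository="mallory/payments")
STALE_CLAIMS = dict(MAIN_CLAIMS, exp=NOW - 1)

STRICT_POLICY = TrustPolicy(GITHUB_ISSUER, "sts.amazonaws.com",
                            ("repo:acme/payments:ref:refs/heads/main",))
PERMISSIVE_POLICY = TrustPolicy(GITHUB_ISSUER, "sts.amazonaws.com", ("repo:*",))  # the classic mistake


def run_exchange(policy: TrustPolicy, claims: dict, ttl: int = 900) -> dict:
    """Whole round trip: exchange, use the credential right away, use it again after the TTL."""
    broker = Broker(policy, ttl)
    cred = broker.exchange(claims, NOW)
    if cred is None:
        return {"issued": False, "usable_now": False, "usable_after_ttl": False}
    return {"issued": True,
            "usable_now": broker.accept(cred.access_key, cred.secret, NOW + 10),
            "usable_after_ttl": broker.accept(cred.access_key, cred.secret, NOW + ttl + 1)}


if __name__ == "__main__":
    for name, policy, claims in [("strict/main", STRICT_POLICY, MAIN_CLAIMS),
                                 ("strict/fork", STRICT_POLICY, FORK_CLAIMS),
                                 ("strict/expired", STRICT_POLICY, STALE_CLAIMS),
                                 ("permissive/fork", PERMISSIVE_POLICY, FORK_CLAIMS)]:
        print(name, run_exchange(policy, claims))
```

The permissive policy is the one to look for in audits: it checks the issuer and audience correctly, so the exchange looks secure, yet the "repo:*" subject pattern means every repository on GitHub can obtain the role's credentials.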

Role-Based Access Control (RBAC)

RBAC assigns permissions to roles that represent job functions, and assigns users to roles, rather than granting permissions to individual users. This streamlines access management at scale and makes access reviews tractable, since a reviewer reasons about a handful of roles instead of thousands of per-user grants.

Governance

Governance sets the policies and controls for who has access, why they have it, and whether that access remains appropriate over time, typically enforced through periodic access reviews and recertification.

Cloud Infrastructure Entitlement Management (CIEM)

CIEM provides centralized visibility into and control over cloud permissions, identifying excessive, unused or misconfigured entitlements so that access risk can be reduced across multi-cloud environments.

No-Code Auth

No-code auth is an authentication approach in which application code neither implements authentication logic nor manages credentials. Instead, infrastructure components such as service meshes, sidecar proxies or authentication agents handle identity verification, credential injection and policy enforcement transparently at runtime, so the application never holds a credential that could leak through its code, configuration or logs.

Customer Identity and Access Management (CIAM)

Customer Identity and Access Management (CIAM) is a specialized identity system that helps a business securely register, sign in and manage external users, including customers, partners and citizens accessing its digital services.

OAuth 2.0

OAuth 2.0 (RFC 6749) is an authorization framework that lets an application obtain limited, delegated access to an HTTP service on behalf of a resource owner without being given the owner's credentials.