Which solution will meet these requirements with the LEAST operational overhead?

By:
In: SAP-C02
Tagged:
With: 1 Comment
A company is using GitHub Actions to run a CI/CD pipeline that accesses resources on AWS.The company has an IAM user that uses a secret key in the pipeline to authenticate to AWS.An existing IAM role with an attached policy grants the required permissions to deploy resources.The company’s security team implements a new requirement that pipelines can no longer use long-lived secret keys.A solutions architect must replace the secret key with a short-lived solution.

Which solution will meet these requirements with the LEAST operational overhead?

Create an IAM SAML 2.0 identity provider (IdP) in AWS Identity and Access Management (IAM). Create a new IAM role with the appropriate trust policy that allows the sts:AssumeRole API call. Attach the existing IAM policy to the new IAM role. Update GitHub to use SAML authentication for the pipeline.

Create an IAM OpenID Connect (OIDC) identity provider (IdP) in AWS Identity and Access Management (IAM). Create a new IAM role with the appropriate trust policy that allows the sts:AssumeRoleWithWebIdentity API call from the GitHub OIDC IdP. Update GitHub to assume the role for the pipeline.

Create an Amazon Cognito identity pool. Configure the authentication provider to use GitHub. Create a new IAM role with the appropriate trust policy that allows the sts:AssumeRoleWithWebIdentity API call from the GitHub authentication provider. Configure the pipeline to use Cognito as its authentication provider.

Create a trust anchor to AWS Private Certificate Authority. Generate a client certificate to use with AWS IAM Roles Anywhere. Create a new IAM role with the appropriate trust policy that allows the sts:AssumeRole API call. Attach the existing IAM policy to the new IAM role. Configure the pipeline to use the credential helper tool and to reference the client certificate public key to assume the new IAM role.

Explanations:

While using a SAML 2.0 identity provider can facilitate authentication, it introduces more complexity in setting up and managing the SAML IdP. This option requires configuring SAML assertions and additional integration steps with GitHub, leading to higher operational overhead compared to other options.

Creating an OIDC identity provider and allowing GitHub Actions to assume an IAM role using thests:AssumeRoleWithWebIdentityAPI call provides a straightforward and efficient way to handle authentication. This solution aligns with the requirement for short-lived credentials, as it avoids the use of long-lived secret keys and leverages built-in support for OIDC in GitHub Actions with minimal operational overhead.

Although using Amazon Cognito can provide authentication without long-lived secret keys, it adds unnecessary complexity. The setup involves managing an additional service (Cognito) and configuring it to work with GitHub, which increases operational overhead compared to the more direct OIDC approach in Option B.

This option involves a complex setup with AWS IAM Roles Anywhere, which requires generating and managing client certificates and configuring the pipeline to use a credential helper tool. This approach is more cumbersome and not as straightforward as using OIDC, resulting in higher operational overhead.

2025-10-09

1 Comment

  1. Nicholas
    Author

    To the best of my knowledge, the answer is:
    Create an IAM OpenID Connect (OIDC) identity provider (IdP) in AWS Identity and Access Management (IAM). Create a new IAM role with the appropriate trust policy that allows the sts:AssumeRoleWithWebIdentity API call from the GitHub OIDC IdP. Update GitHub to assume the role for the pipeline.

Leave a Reply

Your email address will not be published. Required fields are marked *

19 − 3 =