Use case
AWS Role-Based Authentication for GitHub Actions
- Vishalkumar Chaurasia
About the Customer
Freshfruit.ai is a forward-thinking company specializing in the quality assessment of fresh fruits and vegetables. Using cutting-edge machine learning and AI-powered platforms, Freshfruit.ai provides detailed insights into produce quality through their application, available on both Android and iOS. The company is focused on transforming the global fresh produce supply chain by enhancing quality assurance processes, helping stakeholders assess, monitor, and improve the quality of their products.
Customer Challenge
Freshfruit.ai was using third-party tools like GitHub and Jenkins for Continuous Integration (CI) and Continuous Deployment (CD), but they relied on AWS IAM Users for authentication to AWS services, using Access Keys and Secret Keys. Despite having AWS Single Sign-On (SSO) enabled for their AWS Identity Management, these tools continued to authenticate using static credentials, which created security vulnerabilities. The exposure of any IAM User keys could lead to a potential compromise of Freshfruit.ai’s AWS account, putting their entire infrastructure at risk.
Without addressing this issue, Freshfruit.ai faced the challenge of ensuring data integrity, maintaining secure access to AWS resources, and reducing their reliance on static IAM User credentials. In addition, they needed a scalable, role-based solution that aligned with their CI/CD processes while reducing risks associated with IAM User management.
Solution
IAMOPS, as Freshfruit.ai’s DevOps partner, designed and implemented a role-based authentication solution using AWS Roles with OpenID Connect (OIDC). This solution allowed GitHub Actions and Jenkins pipelines to authenticate securely with AWS services, leveraging temporary credentials. By using OIDC, multiple AWS Roles with minimal permissions were created, customized for each GitHub Action based on its specific needs.
The steps taken to address Freshfruit.ai’s challenge included:
- AWS Roles Implementation: AWS Roles were defined with the principle of least privilege, granting only the required access permissions for GitHub Actions and Jenkins pipelines.
- OpenID Connect (OIDC) Integration: OIDC was integrated into GitHub Actions, allowing the automation process to authenticate directly without relying on static IAM User credentials.
- Jenkins Server Authentication: Scripts were developed to facilitate secure authentication for the Jenkins server, reducing the reliance on IAM User Access Keys and Secret Keys.
- Security Enhancements: Freshfruit.ai’s security posture was significantly improved by replacing IAM Users with temporary role-based credentials, minimizing the risk of exposed keys.
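As an added example (not IAMOPS's or Freshfruit.ai's own code; the account id, organisation and repository names are placeholders), a Python script that builds both the weak and the hardened form of the IAM role trust policy for the GitHub OIDC provider and audits a policy for the conditions a least-privilege role needs: the federated principal is the GitHub provider, the audience is pinned to STS, and the subject claim pins one repository rather than any repository on GitHub.

```python
ISSUER = "token.actions.githubusercontent.com"
# Placeholder account id (the AWS documentation example); substitute the real one.
PROVIDER_ARN = f"arn:aws:iam::111122223333:oidc-provider/{ISSUER}"
SUB = f"{ISSUER}:sub"

def trust_policy(sub_patterns):
    """Build a GitHub OIDC trust policy; an empty pattern list omits the sub condition."""
    condition = {"StringEquals": {f"{ISSUER}:aud": "sts.amazonaws.com"}}
    if sub_patterns:
        condition["StringLike"] = {SUB: list(sub_patterns)}
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": PROVIDER_ARN},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": condition,
    }]}

# Weak form: only aud is pinned, so a workflow in ANY GitHub repository could assume the role.
WEAK_POLICY = trust_policy([])
# Hardened form: only the main branch or the production environment of one (placeholder) repo.
HARDENED_POLICY = trust_policy([
    "repo:freshfruit-ai/mobile-app:ref:refs/heads/main",
    "repo:freshfruit-ai/mobile-app:environment:production",
])

def audit_trust_policy(policy):
    """Return findings for each Allow on AssumeRoleWithWebIdentity; [] means issuer, aud and sub are pinned."""
    findings = []
    for stmt in policy.get("Statement", []):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") != "Allow" or "sts:AssumeRoleWithWebIdentity" not in actions:
            continue
        if stmt.get("Principal", {}).get("Federated") != PROVIDER_ARN:
            findings.append("federated principal is not the expected GitHub OIDC provider")
        cond = stmt.get("Condition", {})
        if cond.get("StringEquals", {}).get(f"{ISSUER}:aud") != "sts.amazonaws.com":
            findings.append("aud is not pinned to sts.amazonaws.com")
        subs = next((cond[op][SUB] for op in ("StringEquals", "StringLike") if SUB in cond.get(op, {})), None)
        if subs is None:
            findings.append("no sub condition: any GitHub repository can assume this role")
            continue
        # A sub claim is repo:<owner>/<repo>:<context>; the owner/repo segment must be literal.
        for s in ([subs] if isinstance(subs, str) else subs):
            repo = s.split(":")[1] if s.startswith("repo:") and s.count(":") >= 2 else "*"
            if "*" in repo or "?" in repo:
                findings.append(f"sub pattern {s!r} does not pin the repository")
    return findings
```

The hardened document is the one passed to `aws iam create-role --assume-role-policy-document`; the role's permissions policy is still scoped separately per workflow, as the steps above describe.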
In addition, IAMOPS provided support throughout the implementation process, from planning and configuring AWS roles to post-implementation support, ensuring a seamless transition for Freshfruit.ai’s CI/CD processes.
Here is a detailed architecture diagram outlining the solution implemented: [Diagram: Semantic Release Workflow]
Results & Benefits
The solution brought both qualitative and quantitative improvements to Freshfruit.ai’s operational security and efficiency:
- Enhanced Security: By implementing AWS Roles with precise, minimal permissions and eliminating IAM User static credentials, Freshfruit.ai significantly reduced the risk of unauthorized access and strengthened data protection.
- Reduced IAM User Dependence: The reliance on IAM Users and static keys was minimized, leading to better control over access and reducing the administrative overhead of managing IAM Users.
- Operational Efficiency: Freshfruit.ai experienced a significant reduction in the time required to manage and update IAM credentials, as well as in the effort spent rotating access keys. This resulted in more efficient use of engineering resources.
Quantitative outcomes included:
- Zero downtime during the transition to AWS Role-based authentication.
- Cost Neutrality: No additional infrastructure costs were incurred by shifting from IAM Users to AWS Roles. The operational savings in terms of security incident management were evident without adding to the ongoing AWS expenses.
About IAMOPS
IAMOPS is a full DevOps suite company that supports technology companies to achieve intense production readiness.
Our mission is to ensure that our clients’ infrastructure and CI/CD pipelines are scalable, mitigate failure points, optimize performance, ensure uptime, and minimize costs.
Our DevOps suite includes DevOps Core, NOC 24/7, FinOps, QA Automation, and DevSecOps to accelerate overall exponential growth.
As an AWS Advanced Tier Partner and Reseller, we focus on two key pillars: Professionalism by adhering to best practices and utilizing advanced technologies, and Customer Experience with responsiveness, availability, clear project management, and transparency to provide an exceptional experience for our clients.