Secrets Management in CI/CD Pipelines: OIDC, Vault Integration, and Credential Hygiene

Cicd

Secrets, Oidc, Vault, Credentials, Security, Github-Actions, Gitlab-Ci, Secret-Rotation, Workload-Identity

Vault, Github-Actions, Gitlab-Ci, Aws-Iam, Gcp-Workload-Identity

Secrets Management in CI/CD Pipelines#

Every CI/CD pipeline needs credentials: registry tokens, cloud provider keys, database passwords, API keys for third-party services. How you store, deliver, and scope those credentials determines whether a single compromised pipeline job can escalate into a full infrastructure breach. The difference between a mature and an immature pipeline is rarely in the build steps – it is in the secrets management.

The Problem with Static Secrets#

The default approach on every CI platform is storing secrets as encrypted variables: GitHub Actions secrets, GitLab CI variables, Jenkins credentials store. These work but create compounding risks:

AWS Fundamentals for Agents

February 22, 2026

Cloud-Services

Intermediate

Aws-Resource-Management, Aws-Networking, Aws-Identity-Management

Aws, Iam, Vpc, Ec2, S3, Rds, Eks, Route53, Cloudwatch

Aws-Cli, Aws-Iam, Aws-Ec2, Aws-S3, Aws-Rds, Aws-Eks

IAM: Identity and Access Management#

IAM controls who can do what in your AWS account. Everything in AWS is an API call, and IAM decides which API calls are allowed. There are three concepts an agent must understand: users, roles, and policies.

Users are long-lived identities for humans or service accounts. Roles are temporary identities that can be assumed by users, services, or other AWS accounts. Policies are JSON documents that define permissions. Roles are always preferred over users for programmatic access because they issue short-lived credentials through STS (Security Token Service).