https://cervesato.it/tags/workload-identity/Recent content in Workload-Identity on Andrea CervesatoHugoenAndrea CervesatoSun, 15 Dec 2024 00:00:00 +0000https://cervesato.it/posts/killing-service-account-keys/Sun, 15 Dec 2024 00:00:00 +0000https://cervesato.it/posts/killing-service-account-keys/<p>If your CI/CD pipeline authenticates to Google Cloud with a service account key stored in a CI variable, you have a problem. You might not know it yet, but you have a problem.</p> <p>That JSON key file is a static credential. It doesn&rsquo;t expire (unless you rotate it, which you don&rsquo;t). It has no context about <em>who</em> or <em>what</em> is using it. If it leaks — and CI variables leak more often than anyone admits — an attacker gets the same access your pipeline has. Forever, or until someone notices.</p> <p>So I built a POC to try the alternative: a keyless, signed, vulnerability-gated pipeline from GitLab to Google Cloud. No service account keys. No stored secrets.</p>