argoproj / argo-cd

Declarative Continuous Deployment for Kubernetes
https://argo-cd.readthedocs.io
Apache License 2.0

Support generating short-lived credentials to access Argo CD #7793

Open dthomson25 opened 2 years ago

dthomson25 commented 2 years ago

Summary

My company uses GitHub Actions and Argo CD to deploy our services. We currently store a long-lived credential of a local user as a secret in GitHub, and our CI workflow uses this credential to sync our application via Argo CD. Storing long-lived credentials in CI is generally considered a bad practice, and Argo CD should have a way to vend out short-lived credentials to GitHub Actions or any CI system.

Motivation

Storing long-lived credentials as a secret in CI is a security risk since those tokens can be leaked or stolen, and Argo CD credentials tend to have a higher privilege since they are used for deployments. Once compromised, a token can then be used until it is rotated. Meanwhile, short-lived credentials do not need to be stored, and they have a short lifetime if they are exposed.

Proposal

Argo CD should have a way of vending out short-lived credentials to preconfigured identities from trusted sources. AWS offers something similar by allowing identities from GitHub's OIDC provider to assume IAM roles when developers add GitHub's OIDC info to that IAM role's assume role policy. Ideally, Argo CD should be able to do something similar so we can remove the token. You can read more about that here and here.

I haven't thought out how this would be implemented or if this should be more of a request for Dex, but I wanted to see if the community would want this feature and use it. If we want to move forward with this, we would need to write up a proposal.
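
The trust-policy step of the proposal above (deciding which GitHub OIDC identities may receive a short-lived Argo CD credential, with which role and for how long), as an added Python example that is not part of this issue or of Argo CD's code. The policy shape, the `argocd` audience and the `example-org` repositories are assumptions, and the token's signature is assumed to have been verified against the issuer's JWKS before these claims reach the function.

```python
import fnmatch
import time

# Constructed trust policy (an assumption, not Argo CD configuration): which
# GitHub Actions identities may obtain a short-lived Argo CD credential, and
# which Argo CD role and lifetime each one gets. GitHub's `sub` claim looks like
# "repo:<org>/<repo>:ref:refs/heads/<branch>" or "repo:<org>/<repo>:environment:<env>".
TRUST_POLICY = {
    "issuer": "https://token.actions.githubusercontent.com",
    "audience": "argocd",  # assumed audience the workflow requests the token for
    "bindings": [  # first matching binding wins
        {"sub": "repo:example-org/payments:ref:refs/heads/main", "role": "role:deployer", "ttl": 600},
        {"sub": "repo:example-org/payments:environment:prod", "role": "role:deployer", "ttl": 600},
        {"sub": "repo:example-org/*:ref:refs/heads/*", "role": "role:readonly", "ttl": 300},
    ],
}


def evaluate(claims, policy=TRUST_POLICY, now=None):
    """Apply the trust policy to already signature-verified OIDC claims.

    Signature verification is assumed to have been done by the caller; this
    function only decides whether the identity is trusted and what it may
    receive. Returns a dict with "allowed" and either ("role", "ttl") or a
    "reason" explaining the denial.
    """
    now = time.time() if now is None else now
    if claims.get("iss") != policy["issuer"]:
        return {"allowed": False, "reason": "untrusted issuer"}
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if policy["audience"] not in aud:
        # A token minted for another audience (e.g. sts.amazonaws.com) must not
        # be accepted by Argo CD as well.
        return {"allowed": False, "reason": "audience mismatch"}
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        return {"allowed": False, "reason": "token expired or missing exp"}
    sub = claims.get("sub", "")
    for binding in policy["bindings"]:
        # Glob match like IAM's StringLike: "*" also crosses ":" and "/", so keep
        # wildcards inside a segment and never bind on the org name alone.
        if fnmatch.fnmatchcase(sub, binding["sub"]):
            # Never hand out a credential that outlives the CI token itself.
            ttl = min(binding["ttl"], int(claims["exp"] - now))
            return {"allowed": True, "role": binding["role"], "ttl": ttl}
    return {"allowed": False, "reason": f"no binding for subject {sub!r}"}
```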

blakepettersson commented 1 year ago

Would using external-secrets help here? Here's an example using an ECR token and ESO's Generator feature.