oxidecomputer / buildomat

a software build labour-saving device
Mozilla Public License 2.0

support OpenID Connect (OIDC) for delegated AWS authentication #21

Open jclulow opened 1 year ago

jclulow commented 1 year ago

Amazon allows an OpenID Connect provider to generate access tokens that will map to a particular preconfigured set of IAM rights.

In this model, buildomat would be an OIDC provider that one could configure in their AWS account. When requested by the job, we would generate ephemeral OIDC tokens that identify the specific buildomat account (which maps 1:1 with a GitHub repository in most cases) and AWS would allow that authentication to assume a role and get an ephemeral AWS access token and secret key and so on. This would avoid the need for general secret storage.
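Worked example, added here and not part of the issue or of buildomat's code: the AWS-side check this proposal depends on, simulated in Python. It evaluates a role's trust policy `Condition` block against the claims of a buildomat-issued OIDC token, so that a token whose `sub` names a different repository (or that lacks the expected `aud`) cannot assume the role. The issuer host, the `sub` claim layout, the account id and the claim values are assumptions.

```python
"""Evaluate an IAM role trust policy's Condition block against the claims of an
OIDC token, mirroring what AWS checks for sts:AssumeRoleWithWebIdentity.
Signature and expiry verification are assumed to have already passed."""
import fnmatch

# Constructed trust policy. The issuer host, account id and the "sub" layout
# ("repo:<owner>/<name>:<ref>") are assumptions, not buildomat's actual format.
ISSUER = "buildomat.example.invalid"
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": f"arn:aws:iam::123456789012:oidc-provider/{ISSUER}"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {
            "StringEquals": {f"{ISSUER}:aud": "sts.amazonaws.com"},  # token minted for STS
            "StringLike": {f"{ISSUER}:sub": "repo:oxidecomputer/buildomat:*"},  # one repo only
        },
    }],
}

# Constructed claims of a token buildomat would mint for a job in the intended repo.
GOOD_CLAIMS = {"iss": f"https://{ISSUER}", "aud": "sts.amazonaws.com",
               "sub": "repo:oxidecomputer/buildomat:main", "exp": 1700000000}


def condition_matches(condition: dict, claims: dict, issuer: str) -> bool:
    """True only if every operator/key pair holds. Condition keys are
    '<issuer>:<claim>'; a claim missing from the token never matches."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            if not key.startswith(issuer + ":"):
                return False
            claim = claims.get(key[len(issuer) + 1:])
            if claim is None:
                return False
            if operator == "StringEquals" and claim != expected:
                return False
            if operator == "StringLike" and not fnmatch.fnmatchcase(claim, expected):
                return False
            if operator not in ("StringEquals", "StringLike"):
                return False  # unsupported operator: fail closed
    return True


def can_assume(policy: dict, claims: dict, issuer: str) -> bool:
    """True if an Allow statement for AssumeRoleWithWebIdentity from this issuer
    has all of its conditions satisfied by the token's claims."""
    for stmt in policy["Statement"]:
        if (stmt.get("Effect") != "Allow" or stmt.get("Action") != "sts:AssumeRoleWithWebIdentity"
                or not stmt["Principal"].get("Federated", "").endswith("oidc-provider/" + issuer)):
            continue
        if condition_matches(stmt.get("Condition", {}), claims, issuer):
            return True
    return False
```

The `StringLike` bound on `sub` is what keeps a role from being assumable by tokens minted for any other buildomat account, even though they come from the same trusted provider.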