Welcome to Puma Security's Workload Identity Federation repository. Nymeria's goal is to help cloud identity and security teams to eliminate long-lived credentials from their cloud estate. The Cloud Infrastructure as Code (IaC) configuration in this repository includes the following resources:
-
Azure Service Principal Client Id / Secret for authenticating to an Azure AD Tenant from the Long Lived Credentials GitHub Action.
-
Azure Service Principal Federated Identity configuration for authenticating to an Azure AD Tenant using a GitHub Action's built-in OpenID Connect (OIDC) JWT.
-
Azure Virtual Machine for authenticating to the AWS S3 API and Google Cloud Storage (GCS) API.
-
AWS IAM User Access Keys for authenticating to the AWS S3 API from the Azure Virtual Machine using a long-lived credential.
-
AWS Identity Provider configuration for authenticating to the AWS S3 API using the Azure Virtual Machine's built-in OpenID Connect JWT.
-
Google Cloud Service Account Key for authenticating to the GCS API from the Azure Virtual Machine using a long-lived credential.
-
Google Cloud Workload Identity Pool for authenticating to the GCS API using the Azure Virtual Machine's built-in OpenID Connect JWT.
Documentation, including step by step instructions for deploying the workshop and inspecting the resource configuration, can be found in the Nymeria GitHub Pages.
Eric Johnson - Principal Security Engineer, Puma Security
Brandon Evans - Certified Instructor and Course Author, SANS Institute