MikeDominic92/keyless-kingdom

Keyless Kingdom

Multi-Cloud Workload Identity Federation with Zero Secrets


Production-ready workload identity federation across AWS, GCP, and Azure using OpenID Connect - eliminating long-lived credentials entirely


Key Results & Impact

  • 0 stored credentials: 100% keyless
  • 3 cloud providers: AWS, GCP, Azure
  • < 1 hour token lifetime: auto-rotating
  • < 5 min deployment time: per cloud provider

The Problem

Long-Lived Credentials Are a Security Nightmare

Traditional CI/CD pipeline challenges:

  • Service account keys leaked in git history
  • Access keys rotated manually (or never)
  • Client secrets stored in GitHub Secrets
  • Broad permissions to accommodate multiple workflows

Security risks include:

  • Credential exfiltration from CI/CD systems
  • Audit trails that can't correlate to specific workflows
  • Keys valid for months or years
  • Manual rotation overhead

What DevSecOps Teams Need

Modern Zero Trust CI/CD requires:

  • No stored credentials anywhere
  • Short-lived tokens issued on-demand
  • Fine-grained permissions per workflow
  • Automatic token refresh without rotation
  • Audit correlation to specific repos/branches
  • Multi-cloud support from single pipeline

Workload Identity Federation solves all of this.


The Solution: Keyless Kingdom

Provider Configuration

Complete workload identity federation across all major cloud providers:

Capability             | Technology                          | Outcome
AWS Authentication     | OIDC Provider + IAM Roles           | Short-lived STS tokens
GCP Authentication     | Workload Identity Federation        | Service account impersonation
Azure Authentication   | Federated Identity Credentials      | Managed identity tokens
Infrastructure as Code | Terraform Modules                   | Reproducible deployment
CI/CD Integration      | GitHub Actions OIDC                 | Zero secrets in workflows
Security Audit         | CloudTrail, GCP Logs, Azure Monitor | Complete audit trail

Screenshots

Dashboard views (images not included here): Federation Dashboard (royal dark stealth theme), Provider Configuration (multi-cloud setup), Workflow Status (GitHub Actions integration).

Additional views: Security Audit (cross-cloud audit logs), Architecture View (federation flow diagram).

Why Workload Identity Federation?

The Security Rationale

Workload Identity Federation was chosen because:

  1. Zero Secrets - No credentials stored anywhere
  2. Short-Lived Tokens - Minutes, not months
  3. Fine-Grained Access - Per workflow permissions
  4. Audit Correlation - Logs show exact repo/branch/actor
  5. Multi-Cloud Native - AWS, GCP, Azure all support OIDC

Skills Demonstrated

  • GitHub Actions OIDC token exchange
  • AWS IAM OIDC Provider configuration
  • GCP Workload Identity Pool setup
  • Azure Federated Identity Credentials
  • Terraform multi-cloud infrastructure

Before vs After

Metric             | Traditional    | Keyless
Stored Credentials | GitHub Secrets | None
Token Lifetime     | Months/Years   | Minutes
Rotation           | Manual         | Automatic
Permissions        | Broad          | Fine-grained
Audit Trail        | Limited        | Complete

Supported Providers

  • AWS (OIDC Provider + IAM Roles)
  • GCP (Workload Identity Federation)
  • Azure (Federated Identity Credentials)
  • GitHub Actions (OIDC Token Issuer)

Architecture

                              GITHUB ACTIONS OIDC
    ┌─────────────────────────────────────────────────────────────────┐
    │                                                                  │
    │  Workflow requests OIDC token from GitHub's Identity Provider   │
    │  Token includes: repo, branch, actor, environment, job_id       │
    │                                                                  │
    └─────────────────────────────┬───────────────────────────────────┘
                                  │
                                  │ JWT Token (signed by GitHub)
                                  │
            ┌─────────────────────┼─────────────────────┐
            │                     │                     │
            ▼                     ▼                     ▼
    ┌──────────────┐      ┌──────────────┐      ┌──────────────┐
    │     AWS      │      │     GCP      │      │    Azure     │
    │ OIDC Provider│      │  Workload    │      │  Federated   │
    │              │      │  Identity    │      │  Identity    │
    │ Validates    │      │  Pool        │      │  Credential  │
    │ JWT claims   │      │              │      │              │
    └──────┬───────┘      └──────┬───────┘      └──────┬───────┘
           │                     │                     │
           ▼                     ▼                     ▼
    ┌──────────────┐      ┌──────────────┐      ┌──────────────┐
    │   IAM Role   │      │   Service    │      │   Managed    │
    │              │      │   Account    │      │   Identity   │
    │ AssumeRole   │      │ Impersonate  │      │   Token      │
    │ WithWebIdent │      │              │      │              │
    └──────┬───────┘      └──────┬───────┘      └──────┬───────┘
           │                     │                     │
           └─────────────────────┼─────────────────────┘
                                 │
                                 ▼
    ┌─────────────────────────────────────────────────────────────────┐
    │                    CLOUD RESOURCES                               │
    │                                                                  │
    │  S3 Buckets    │    GCS Buckets    │    Azure Blob Storage      │
    │  EC2 Instances │    GCE Instances  │    Azure VMs               │
    │  Lambda        │    Cloud Functions│    Azure Functions         │
    │                                                                  │
    └─────────────────────────────────────────────────────────────────┘

Quick Start

Prerequisites

  • Terraform >= 1.5.0
  • AWS CLI, gcloud CLI, Azure CLI
  • GitHub repository with Actions enabled

AWS Setup

# Deploy OIDC provider and IAM role
cd terraform/aws
cp terraform.tfvars.example terraform.tfvars
terraform init && terraform apply

# Get role ARN for GitHub Actions
terraform output github_actions_role_arn

GitHub Actions Workflow:

# The job (or workflow) needs `permissions: id-token: write` so the runner can
# request the OIDC token that this step exchanges for short-lived STS credentials.
- name: Configure AWS credentials
  uses: aws-actions/configure-aws-credentials@v4
  with:
    role-to-assume: arn:aws:iam::ACCOUNT_ID:role/github-actions-role
    aws-region: us-east-1

GCP Setup

# Deploy Workload Identity Pool
cd terraform/gcp
cp terraform.tfvars.example terraform.tfvars
terraform init && terraform apply

# Get provider for GitHub Actions
terraform output workload_identity_provider

GitHub Actions Workflow:

- name: Authenticate to Google Cloud
  uses: google-github-actions/auth@v2
  with:
    workload_identity_provider: 'projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/github-pool/providers/github-provider'
    service_account: 'github-actions@PROJECT_ID.iam.gserviceaccount.com'

Azure Setup

# Deploy Federated Identity Credential
cd terraform/azure
cp terraform.tfvars.example terraform.tfvars
terraform init && terraform apply

# Get client and tenant IDs
terraform output client_id
terraform output tenant_id

GitHub Actions Workflow:

# These three values are identifiers, not credentials: the federated identity
# credential replaces the client secret, so no AZURE_CLIENT_SECRET is stored.
- name: Azure Login
  uses: azure/login@v1
  with:
    client-id: ${{ secrets.AZURE_CLIENT_ID }}
    tenant-id: ${{ secrets.AZURE_TENANT_ID }}
    subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}

Use Cases

1. Multi-Cloud Terraform Deployment

Scenario: Deploy infrastructure to AWS, GCP, and Azure from single pipeline.

Implementation:

  • GitHub Actions requests OIDC token
  • Each cloud validates token claims
  • Short-lived credentials issued
  • Terraform deploys to all three clouds

Outcome: Zero secrets in CI/CD, complete audit trail.

2. Container Image Push

Scenario: Build and push to ECR, GCR, and ACR.

Implementation:

  • Authenticate to all three registries
  • Build container image once
  • Push to multi-cloud registries
  • No registry credentials stored

Outcome: Multi-cloud container distribution.

3. Secrets Rotation Pipeline

Scenario: Rotate secrets across cloud providers.

Implementation:

  • Pipeline authenticates via OIDC
  • Access secrets managers in each cloud
  • Rotate credentials programmatically
  • No admin credentials in pipeline

Outcome: Automated secrets rotation.

4. Cross-Cloud Data Sync

Scenario: Sync data between S3, GCS, and Azure Blob.

Implementation:

  • Authenticate to all storage services
  • Read from source bucket
  • Write to destination buckets
  • Audit trail shows exact workflow

Outcome: Cross-cloud data replication.


Project Structure

keyless-kingdom/
├── terraform/
│   ├── aws/                # AWS OIDC Provider + IAM Roles
│   │   ├── main.tf
│   │   ├── variables.tf
│   │   └── outputs.tf
│   ├── gcp/                # GCP Workload Identity Federation
│   │   ├── main.tf
│   │   ├── variables.tf
│   │   └── outputs.tf
│   ├── azure/              # Azure Federated Identity Credentials
│   │   ├── main.tf
│   │   ├── variables.tf
│   │   └── outputs.tf
│   └── modules/            # Reusable Terraform modules
├── .github/workflows/      # GitHub Actions pipelines
│   ├── aws-deploy.yml
│   ├── gcp-deploy.yml
│   ├── azure-deploy.yml
│   └── multi-cloud.yml
├── frontend/               # React dashboard
├── docs/                   # Documentation
└── tests/                  # Validation scripts

Security Comparison

Aspect             | Long-Lived Keys         | Keyless Kingdom
Credential Storage | GitHub Secrets, Vault   | None required
Token Lifetime     | 90 days - never expires | 1 hour maximum
Rotation           | Manual process          | Automatic per-job
Blast Radius       | All workflows           | Single job
Audit Correlation  | Limited                 | Repo/branch/actor/job
Exfiltration Risk  | High                    | Minimal

Skills Demonstrated

Category       | Technologies
Cloud Security | OIDC Federation, Zero Trust, IAM
AWS            | OIDC Provider, IAM Roles, STS
GCP            | Workload Identity Pool, Service Accounts
Azure          | Federated Identity, Managed Identity
Infrastructure | Terraform, Multi-Cloud IaC
CI/CD          | GitHub Actions, OIDC Tokens

Troubleshooting

AWS: "Not authorized to perform sts:AssumeRoleWithWebIdentity"

Verify that the trust policy's subject condition matches your repository and branch exactly:

"StringEquals": {
  "token.actions.githubusercontent.com:sub": "repo:MikeDominic92/keyless-kingdom:ref:refs/heads/main"
}

GCP: "Permission 'iam.serviceAccounts.getAccessToken' denied"

Grant the pool's principal set the Workload Identity User role on the service account:

gcloud iam service-accounts add-iam-policy-binding \
  github-actions@PROJECT_ID.iam.gserviceaccount.com \
  --role=roles/iam.workloadIdentityUser \
  --member="principalSet://iam.googleapis.com/projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/github-pool/attribute.repository/MikeDominic92/keyless-kingdom"

Azure: "AADSTS70021: No matching federated identity record found"

Check that the federated credential's subject matches the branch the workflow runs on:

repo:MikeDominic92/keyless-kingdom:ref:refs/heads/main
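The claim checks behind these three errors, as an added example that is not code from the repository: a constructed token payload is evaluated against an AWS trust-policy Condition, the GCP attribute mapping plus principalSet binding, and an Azure federated identity credential. The wildcard branch pattern, the attribute mapping and the audience values are assumptions, not settings taken from the Terraform modules.

```python
# Added example, not code from the keyless-kingdom repository: models how each
# cloud matches a GitHub Actions OIDC token's claims against the settings above.
import fnmatch

# Constructed payload in the shape of a GitHub Actions OIDC JWT (signature omitted).
SAMPLE_CLAIMS = {
    "iss": "https://token.actions.githubusercontent.com",
    "aud": "sts.amazonaws.com",
    "sub": "repo:MikeDominic92/keyless-kingdom:ref:refs/heads/main",
    "repository": "MikeDominic92/keyless-kingdom",
}

# AWS: the IAM trust policy's Condition block; keys are prefixed by the provider host.
AWS_CONDITION = {
    "StringEquals": {"token.actions.githubusercontent.com:aud": "sts.amazonaws.com"},
    "StringLike": {"token.actions.githubusercontent.com:sub":
                   "repo:MikeDominic92/keyless-kingdom:ref:refs/heads/*"},  # assumed wildcard
}
# GCP: an assumed attribute mapping and the binding member from the Troubleshooting section.
GCP_MAPPING = {"google.subject": "assertion.sub",
               "attribute.repository": "assertion.repository"}
GCP_MEMBER = ("principalSet://iam.googleapis.com/projects/PROJECT_NUMBER/locations/global/"
              "workloadIdentityPools/github-pool/attribute.repository/MikeDominic92/keyless-kingdom")
# Azure: a federated identity credential needs an exact issuer/subject/audience match.
AZURE_CREDENTIAL = {"issuer": "https://token.actions.githubusercontent.com",
                    "subject": "repo:MikeDominic92/keyless-kingdom:ref:refs/heads/main",
                    "audience": "api://AzureADTokenExchange"}

def aws_trust_policy_allows(claims, condition=AWS_CONDITION):
    """Every key under every operator must match; StringLike allows * wildcards."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = claims.get(key.split(":", 1)[1], "")  # "<host>:sub" -> "sub"
            patterns = expected if isinstance(expected, list) else [expected]
            match = fnmatch.fnmatchcase if operator == "StringLike" else str.__eq__
            if not any(match(actual, p) for p in patterns):
                return False  # surfaces as "Not authorized to perform sts:AssumeRoleWithWebIdentity"
    return True

def gcp_principal_set_matches(claims, mapping=GCP_MAPPING, member=GCP_MEMBER):
    """Apply the attribute mapping, then test membership in the principalSet binding."""
    mapped = {t: claims.get(s.removeprefix("assertion."), "") for t, s in mapping.items()}
    _pool, attr_name, value = member.split("/workloadIdentityPools/")[1].split("/", 2)
    return mapped.get(attr_name) == value  # False -> getAccessToken is denied

def azure_federated_credential_matches(claims, cred=AZURE_CREDENTIAL):
    """Any difference in iss, sub or aud is reported by Azure as AADSTS70021."""
    return all(claims.get(c) == cred[k]
               for c, k in (("iss", "issuer"), ("sub", "subject"), ("aud", "audience")))
```

Swap the `sub` claim for a feature branch, a tag or a pull-request subject to see which provider still accepts the token under each configuration.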

Roadmap

  • v1.0: AWS, GCP, Azure OIDC federation
  • v1.1: GitLab CI/CD OIDC support
  • v1.2: Bitbucket Pipelines integration
  • v1.3: CircleCI OIDC support
  • v2.0: Self-hosted runner federation

Author

Mike Dominic

  • GitHub: @MikeDominic92
  • Focus: Zero Trust Architecture, Supply Chain Security, OIDC Federation

Chainguard IT Engineer (Identity/IAM) Alignment

This project demonstrates key competencies for senior IAM engineering roles:

Requirement                               | Evidence
Zero Trust architecture (AWS, GCP, Azure) | Multi-cloud workload identity federation
Supply chain security                     | Sigstore/Cosign keyless signing in chainguard/
OIDC/SAML expertise                       | GitHub Actions OIDC token exchange
No standing credentials                   | Short-lived tokens, automatic rotation
Infrastructure as Code                    | Terraform modules for all providers

See also: chainguard/README.md for Chainguard Images and Sigstore integration patterns.


Zero Trust Workload Identity Federation - No Keys, No Secrets
Demonstrates OIDC Federation, Keyless Signing, and Supply Chain Security
