pumasecurity/nymeria
Puma Security Cross-Cloud Workload Identity Federation

Welcome to Puma Security's Workload Identity Federation repository. Nymeria's goal is to help cloud identity and security teams eliminate long-lived credentials from their cloud estates. The Cloud Infrastructure as Code (IaC) configuration in this repository includes the following resources:

  • Azure Service Principal Client Id / Secret for authenticating to an Azure AD Tenant from the Long Lived Credentials GitHub Action.

  • Azure Service Principal Federated Identity configuration for authenticating to an Azure AD Tenant using a GitHub Action's built-in OpenID Connect (OIDC) JWT.

  • Azure Virtual Machine for authenticating to the AWS S3 API and Google Cloud Storage (GCS) API.

  • AWS IAM User Access Keys for authenticating to the AWS S3 API from the Azure Virtual Machine using a long-lived credential.

  • AWS Identity Provider configuration for authenticating to the AWS S3 API using the Azure Virtual Machine's built-in OpenID Connect JWT.

  • Google Cloud Service Account Key for authenticating to the GCS API from the Azure Virtual Machine using a long-lived credential.

  • Google Cloud Workload Identity Pool for authenticating to the GCS API using the Azure Virtual Machine's built-in OpenID Connect JWT.
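The three federation paths listed above share one shape: the consuming cloud is told which issuer to trust, which audience to accept, and which exact subject may exchange a token, so no secret ever leaves the workload. The Terraform below is an added illustration of that shape, not code from the Nymeria repository. It assumes the hashicorp/azuread (2.x argument names), hashicorp/aws, hashicorp/tls and hashicorp/google providers, and every `variable` is a placeholder the deployer supplies; the GitHub subject string uses this repository's name only as an example.

```hcl
# Added example, not the repository's own IaC. Provider versions and every
# variable value below are assumptions/placeholders supplied by the deployer.

variable "azure_tenant_id"       { type = string } # placeholder: Azure AD tenant GUID
variable "azure_app_object_id"   { type = string } # placeholder: object ID of the app registration
variable "azure_vm_principal_id" { type = string } # placeholder: VM managed identity object ID
variable "gcp_project_number"    { type = string } # placeholder: numeric GCP project number
variable "token_audience"        { type = string } # placeholder: application ID URI the VM requests a token for

locals {
  # Issuer of the VM's managed-identity token; AWS reuses it as the condition key prefix.
  azure_issuer = "https://sts.windows.net/${var.azure_tenant_id}/"
}

# 1. GitHub Actions -> Azure AD: a federated credential replaces the client secret.
resource "azuread_application_federated_identity_credential" "github_actions" {
  application_object_id = var.azure_app_object_id
  display_name          = "github-actions-main"
  audiences             = ["api://AzureADTokenExchange"]
  issuer                = "https://token.actions.githubusercontent.com"
  # Trust only workflows running on the main branch of one repository (example subject).
  subject = "repo:pumasecurity/nymeria:ref:refs/heads/main"
}

# 2. Azure VM -> AWS: an OIDC provider plus a role only that managed identity may assume.
data "tls_certificate" "azure_issuer" {
  url = local.azure_issuer # root CA thumbprint of the issuer endpoint
}

resource "aws_iam_openid_connect_provider" "azure_ad" {
  url             = local.azure_issuer
  client_id_list  = [var.token_audience]
  thumbprint_list = [data.tls_certificate.azure_issuer.certificates[0].sha1_fingerprint]
}

resource "aws_iam_role" "azure_vm_s3" {
  name = "azure-vm-s3-reader"
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Action    = "sts:AssumeRoleWithWebIdentity"
      Principal = { Federated = aws_iam_openid_connect_provider.azure_ad.arn }
      # Pin the trust to one subject and one audience, not the whole tenant.
      Condition = {
        StringEquals = {
          "sts.windows.net/${var.azure_tenant_id}/:sub" = var.azure_vm_principal_id
          "sts.windows.net/${var.azure_tenant_id}/:aud" = var.token_audience
        }
      }
    }]
  })
}

# 3. Azure VM -> Google Cloud: a workload identity pool provider trusting the same issuer.
resource "google_iam_workload_identity_pool" "azure" {
  workload_identity_pool_id = "azure-pool"
}

resource "google_iam_workload_identity_pool_provider" "azure_vm" {
  workload_identity_pool_id          = google_iam_workload_identity_pool.azure.workload_identity_pool_id
  workload_identity_pool_provider_id = "azure-vm"
  attribute_mapping = {
    "google.subject" = "assertion.sub"
  }
  oidc {
    issuer_uri        = local.azure_issuer
    allowed_audiences = [var.token_audience]
  }
}

resource "google_service_account" "gcs_reader" {
  account_id = "azure-vm-gcs-reader"
}

# Only the VM's managed identity (matched by subject) may impersonate the service account.
resource "google_service_account_iam_member" "azure_vm_impersonation" {
  service_account_id = google_service_account.gcs_reader.name
  role               = "roles/iam.workloadIdentityUser"
  member             = "principal://iam.googleapis.com/projects/${var.gcp_project_number}/locations/global/workloadIdentityPools/${google_iam_workload_identity_pool.azure.workload_identity_pool_id}/subject/${var.azure_vm_principal_id}"
}
```

The check worth making on any federation config of this kind is that each trust carries a subject condition (the `subject` argument, the `:sub` condition key, and the `/subject/` member binding above): an issuer-only or audience-only trust lets any token from that tenant or repository exchange for the cloud role, which is broader than the single long-lived credential it was meant to replace.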

Documentation

Documentation, including step-by-step instructions for deploying the workshop and inspecting the resource configuration, can be found in the Nymeria GitHub Pages.

Learning More

Featured At

RSA Conference 2023

Destroying Long-Lived Cloud Credentials with Workload Identity Federation - Eric Johnson

Presentation Slides

Source Code

Contributors

Eric Johnson - Principal Security Engineer, Puma Security

Brandon Evans - Certified Instructor and Course Author, SANS Institute