Destroying Long-Lived Cloud Credentials with Workload Identity Federation



Attackers have been breaching the cloud for years by stealing long-lived credentials. To combat these attacks, cloud providers have been building improved authentication workflows for external identity providers. This workshop explores Workload Identity Federation and how you can replace long-lived cloud credentials with short-lived tokens signed by an OpenID Connect identity provider. Join Eric Johnson, author of the open-source Nymeria project, to get hands-on experience with the Workload Identity Federation capabilities in GitHub Actions, Azure, AWS, and Google Cloud.

The workshop session starts by walking attendees through a real-world scenario where long-lived credentials are stolen from a cloud-hosted Continuous Integration (CI) pipeline. Demonstrations will show how stealing an Azure Service Principal Client Secret from a GitHub Action can give an attacker unauthorized access to Azure resources. Attendees will then learn how to configure Azure Federated Identity to trust GitHub's identity provider and eliminate the long-lived credential.

Next, attendees explore an Azure virtual machine that requires access to resources hosted in both AWS and Google Cloud. Demonstrations will show how a vulnerability allowing access to the Azure virtual machine's file system can allow attackers to discover long-lived credentials and pivot into the other cloud providers. Attendees will then learn how to configure trust between the Azure virtual machine's identity and both the AWS Identity Provider and Google Cloud Workload Identity Federation resources.

The workshop concludes by demonstrating the functional system without a single long-lived credential: the GitHub CI pipeline requests temporary credentials for creating the Azure virtual machine, and the Azure virtual machine in turn requests temporary credentials for accessing both the AWS and Google Cloud resources.

Attendees will leave with an understanding of the public cloud providers' Workload Identity Federation capabilities and how to configure trust between their OpenID Connect identity provider and the public cloud APIs.
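The GitHub-to-Azure federation the workshop describes, shown as an added example workflow that is not part of the workshop materials or the Nymeria project; the workflow name, repository name, resource names and the AZURE_* configuration variables are assumed, while the issuer, subject format and audience are the values GitHub's OIDC provider documents.

```yaml
# Added example: a GitHub Actions job that obtains an Azure access token through
# Workload Identity Federation instead of a stored Service Principal client secret.
# Assumed names: the workflow name, the repository "example-org/example-repo",
# the resource names and the AZURE_* configuration variables.
name: deploy-vm

on:
  push:
    branches: [main]

permissions:
  id-token: write   # lets the job request a short-lived OIDC token from GitHub
  contents: read    # nothing else is granted to the job by default

jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # There is no client-secret input: the action exchanges GitHub's OIDC token
      # for an Azure token. On the Azure side the app registration carries a
      # federated credential that trusts only this specific workload identity:
      #   issuer:   https://token.actions.githubusercontent.com
      #   subject:  repo:example-org/example-repo:ref:refs/heads/main
      #   audience: api://AzureADTokenExchange
      # A token minted for any other repository, branch or issuer fails the
      # exchange, and the repository secrets hold no long-lived value to steal.
      - uses: azure/login@v2
        with:
          client-id: ${{ vars.AZURE_CLIENT_ID }}
          tenant-id: ${{ vars.AZURE_TENANT_ID }}
          subscription-id: ${{ vars.AZURE_SUBSCRIPTION_ID }}

      # The VM gets a system-assigned managed identity, which is the identity
      # the second half of the workshop federates to AWS and Google Cloud.
      - name: Create the virtual machine with the temporary credential
        run: >
          az vm create --resource-group "$RG" --name "$VM_NAME"
          --image Ubuntu2204 --assign-identity --generate-ssh-keys
        env:
          RG: example-rg        # assumed resource group name
          VM_NAME: example-vm   # assumed VM name
```

The Azure token obtained this way expires on its own, so a compromised runner yields a short window of access scoped to the federated app registration rather than a reusable secret.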

Speaker and Presenter Information

Eric Johnson

Relevant Government Agencies

Other Federal Agencies, Federal Government, State & Local Government


Event Type
Webcast


When
Thu, Oct 5, 2023, 10:00am ET


Cost
Complimentary: $0.00



Organizer
SANS Institute




