Puma Security Cross-Cloud Workload Identity Federation
Welcome to Nymeria, Puma Security's Workload Identity Federation repository. Nymeria helps cloud identity and security teams eliminate long-lived credentials from their cloud estate by showing each long-lived credential beside the OpenID Connect (OIDC) federation that replaces it. The Cloud Infrastructure as Code (IaC) configuration in this repository includes the following resources:
- Azure Service Principal Client Id / Secret for authenticating to an Azure AD Tenant from the Long Lived Credentials GitHub Action.
- Azure Service Principal Federated Identity configuration for authenticating to an Azure AD Tenant using the OIDC JWT that GitHub Actions issues to a workflow run.
- Azure Virtual Machine for authenticating to the AWS S3 API and the Google Cloud Storage (GCS) API.
- AWS IAM User Access Keys for authenticating to the AWS S3 API from the Azure Virtual Machine using a long-lived credential.
- AWS Identity Provider configuration for authenticating to the AWS S3 API using the OIDC JWT issued to the Azure Virtual Machine's built-in identity.
- Google Cloud Service Account Key for authenticating to the GCS API from the Azure Virtual Machine using a long-lived credential.
- Google Cloud Workload Identity Pool for authenticating to the GCS API using the OIDC JWT issued to the Azure Virtual Machine's built-in identity.
Documentation
Documentation, including step-by-step instructions for deploying the workshop and inspecting the resource configuration, can be found in the Nymeria GitHub Pages.
Learning More
Featured At
RSA Conference 2023
Source Code
Contributors
Eric Johnson - Principal Security Engineer, Puma Security
Brandon Evans - Certified Instructor and Course Author, SANS Institute