I Can OIDC You Clearly Now: How We Made Static Credentials a Thing of the Past

Tuesday, 29 October, 2024 - 11:0011:40 GMT

Iain Lane and Dimitris Sotirakis, Grafana Labs

Abstract: 

At Grafana Labs, we tackled a thorny problem: managing secrets in an open-source CI/CD pipeline. Our journey from static secrets to OIDC-based access wasn't just about better security—it was about empowering our engineers. We'll walk you through how we leveraged OIDC and GitHub Actions to create a "secretless" system for accessing cloud resources, complete with shared jobs and abstractions that make secure access simple. But it wasn't all smooth sailing. We'll share war stories, including a security hiccup that taught us valuable lessons. If you're drowning in a sea of secrets or just want to sleep better at night, come and learn how we boosted security while cutting operational headaches. You'll walk away with practical strategies for implementing OIDC-based access that'll make your engineers happy and your security team even happier.

Iain Lane, Grafana Labs

Iain is a senior software engineer at Grafana Labs. A member of the Platform team, his focus is on maintaining the infrastructure - Kubernetes clusters - which runs Grafana Cloud, and helping build tools and processes for engineers to deploy their software into this environment with maximum confidence.

Dimitris Sotirakis, Grafana Labs

Dimitris is a Senior Software Engineer with background in Backend, DevOps, Release and Platform Engineering. Specialized in CI/CD architecture, he has spent most of his career tackling the challenges of delivering software, tools and frameworks with quality. Currently he’s a member of the Platform Productivity team in Grafana Labs.

BibTeX
@conference {302241,
author = {Iain Lane and Dimitris Sotirakis},
title = {I Can {OIDC} You Clearly Now: How We Made Static Credentials a Thing of the Past},
year = {2024},
address = {Dublin},
publisher = {USENIX Association},
month = oct
}

Presentation Video