Per-user OIDC or firewall (CircleCI integration)?
dannysauer
Community Member
What are the chances of supporting CircleCI's OIDC token - https://circleci.com/docs/openid-connect-tokens/ - with a service account rather than having a credential stored in a CircleCI secret value? I think this would require supporting OIDC for individual users rather than a single provider for the whole org.
My goal here is to limit the exposure for a credential accidentally exposed by my CI provider. I can see doing that by
- supporting a credential tied to a specific DNS domain (like OIDC's redirect URL does)
- supporting a set of IP restrictions for an individual user (again, I'd prefer not to limit my entire team to CircleCI's IP addresses)
- allowing frequent rotation of a Service Account's credentials through the API and some third-party automation; I already provision secrets to multiple CI providers through Ansible, but it seems as if I have to destroy and recreate a service account to rotate creds, and it also seems that I can't do that through any API.
Managing a long-lived secret with my CI provider isn't really something which excites me. :)
This discussion has been closed.
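As an added example (not part of the original post, and not 1Password's or CircleCI's code), the Python below shows the relying-party side of what the post asks for: instead of a long-lived secret stored in CI, the service accepts a short-lived OIDC token and enforces issuer, audience, project-scoped subject, lifetime and a per-workload source-IP allowlist. The HS256 shared key is a stand-in for a provider's published RS256 keys (JWKS), and the issuer URL, organization/project placeholders and the 203.0.113.0/24 range are constructed values, not real identifiers.

```python
"""Added example: accept a short-lived CI OIDC token instead of a stored secret."""
import base64
import hashlib
import hmac
import ipaddress
import json
import time
from typing import Optional, Tuple

# Constructed trust policy for one CI workload. The issuer/audience/subject
# shapes and the IP range are placeholders, not real CircleCI or 1Password values.
POLICY = {
    "issuer": "https://oidc.example-ci.invalid/org/ORG-ID-PLACEHOLDER",
    "audience": "ORG-ID-PLACEHOLDER",
    "subject_prefix": "org/ORG-ID-PLACEHOLDER/project/PROJECT-ID-PLACEHOLDER/",
    "allowed_cidrs": ["203.0.113.0/24"],
    "max_ttl": 3600,  # reject tokens minted with a longer lifetime than this
}

# Constructed HS256 key standing in for the provider's RS256 keys (JWKS).
PROVIDER_KEY = b"constructed-demo-key-not-a-real-secret"


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, key: bytes = PROVIDER_KEY) -> str:
    """Stand-in for the CI provider: sign the claims as a compact JWT."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_token(token: str, source_ip: str, now: Optional[int] = None,
                 key: bytes = PROVIDER_KEY, policy: dict = POLICY) -> Tuple[bool, str]:
    """Relying-party side: every gate denies by default; returns (accepted, reason)."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed token"
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        provided_sig = _b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError):
        return False, "unparseable header or signature"
    # Pin the algorithm so a forged "alg": "none" header is never accepted.
    if header.get("alg") != "HS256":
        return False, "unexpected alg"
    # Verify the signature before trusting a single claim.
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, provided_sig):
        return False, "bad signature"
    try:
        claims = json.loads(_b64url_decode(payload_b64))
    except (ValueError, UnicodeDecodeError):
        return False, "unparseable payload"
    if claims.get("iss") != policy["issuer"]:
        return False, "wrong issuer"
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if policy["audience"] not in aud:
        return False, "wrong audience"
    # Bind the token to one project: the subject encodes org/project/user.
    if not str(claims.get("sub", "")).startswith(policy["subject_prefix"]):
        return False, "subject outside allowed project"
    exp, iat = claims.get("exp"), claims.get("iat")
    if not isinstance(exp, int) or not isinstance(iat, int):
        return False, "missing exp/iat"
    if now >= exp:
        return False, "token expired"
    if exp - iat > policy["max_ttl"]:
        return False, "token lifetime too long"
    # Network restriction applied to this workload only, not to the whole org.
    ip = ipaddress.ip_address(source_ip)
    if not any(ip in ipaddress.ip_network(c) for c in policy["allowed_cidrs"]):
        return False, "source address not allowed"
    return True, "ok"


if __name__ == "__main__":
    demo = mint_token({"iss": POLICY["issuer"], "aud": POLICY["audience"],
                       "sub": POLICY["subject_prefix"] + "user/USER-ID-PLACEHOLDER",
                       "iat": 1_700_000_000, "exp": 1_700_000_900})
    print(verify_token(demo, "203.0.113.10", now=1_700_000_100))
    print(verify_token(demo, "198.51.100.5", now=1_700_000_100))
```

Because the token carries its own expiry and is bound to one issuer, audience and project, a leaked copy is worth far less than a leaked static secret, and rotation happens on the provider's signing keys rather than in your CI secret store; checking the signature before reading any claim and pinning the algorithm are the two steps most often skipped in hand-rolled verifiers.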