CI/CD Intermediate By Samson Tanimawo, PhD Published Nov 16, 2026 9 min read

CI/CD Secrets Management: Best Practices

OIDC federation is the modern way CI/CD authenticates to clouds. Long-lived secrets are 2020s; OIDC is 2026.

Why OIDC over static

Static secrets: long-lived keys; shared via env var; rotated rarely; leaked easily.

OIDC: short-lived tokens; issued per CI run; cryptographically tied to the run; no static keys.

Four patterns

1. AWS IAM Roles for GitHub Actions via OIDC.
2. GCP Workload Identity for cloud auth.
3. Azure Federated Credentials for AD auth.
4. Vault JWT auth for non-cloud secrets.

Migration from static

Phase 1: enable OIDC for one critical pipeline. Phase 2: migrate cloud-auth pipelines. Phase 3: remove static cloud keys.

Phase 4: extend to non-cloud secrets via Vault.

Audit trail

OIDC tokens are tied to specific repo/branch/workflow. Audit log shows which CI run authenticated when.

SOC 2 evidence: cryptographic chain from auth event to action.

Antipatterns

Long-lived AWS access keys in GitHub. Compromise risk; replace with OIDC.
Same secrets across all repos. Shared blast radius.
OIDC without scope limits. Token can do too much.

What to do this week

Three moves. (1) Apply this to one pipeline first. (2) Measure deploy frequency / MTTR before/after. (3) Document the outcome so the next team starts from data.