What is OIDC-based authentication from CI to a cloud provider, and why is it safer than keys? [Intermediate]
Answer
OIDC-based authentication from CI to a cloud provider lets a CI job exchange a short-lived identity token for temporary cloud credentials. It is safer than static keys because there is no long-lived secret stored in the CI platform, and the cloud role can validate repository, branch, workflow, and environment claims.
Technical explanation
The cloud provider trusts the CI OIDC issuer and maps token claims to an IAM role or workload identity.
Credentials are issued just-in-time and expire automatically.
Policy conditions can restrict which repos, branches, tags, or environments can assume production roles.
Hands-on example
AWS example: create an IAM OIDC provider for token.actions.githubusercontent.com, create a role with sts:AssumeRoleWithWebIdentity, restrict sub to repo:org/app:ref:refs/heads/main, then use aws-actions/configure-aws-credentials in the deploy workflow.
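To make the claim-validation step concrete, here is an added example (not from the original answer and not AWS's own evaluator) that writes out the trust policy the answer describes and models, in simplified form, how IAM compares its StringEquals/StringLike conditions against the claims in a GitHub Actions token. The account id, the role, and the sample claim sets are placeholders constructed for the example; note that pinning `aud` alongside `sub` is part of the policy.

```python
import fnmatch

ISSUER = "token.actions.githubusercontent.com"

# Trust policy for the deploy role described above (account id is a placeholder).
# The Condition block is what makes this safer than a static key: only a token
# minted for the main branch of org/app, with the audience AWS expects, qualifies.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": f"arn:aws:iam::123456789012:oidc-provider/{ISSUER}"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {"StringEquals": {
            f"{ISSUER}:aud": "sts.amazonaws.com",
            f"{ISSUER}:sub": "repo:org/app:ref:refs/heads/main",
        }},
    }],
}

def conditions_match(condition: dict, claims: dict) -> bool:
    """Simplified IAM check: every StringEquals/StringLike key must match its claim."""
    for operator, tests in condition.items():
        for key, expected in tests.items():
            claim = claims.get(key.split(":", 1)[1], "")   # "<issuer>:<claim>" -> claim
            patterns = expected if isinstance(expected, list) else [expected]
            if operator == "StringEquals":
                ok = claim in patterns
            elif operator == "StringLike":   # IAM's * and ? wildcards map onto fnmatch
                ok = any(fnmatch.fnmatchcase(claim, p) for p in patterns)
            else:
                ok = False                   # unsupported operator: fail closed
            if not ok:
                return False
    return True

def can_assume(policy: dict, claims: dict) -> bool:
    """Would a token carrying these claims be allowed to assume the role?"""
    return any(
        stmt["Effect"] == "Allow"
        and stmt["Action"] == "sts:AssumeRoleWithWebIdentity"
        and stmt["Principal"]["Federated"].endswith("oidc-provider/" + ISSUER)
        and claims.get("iss") == "https://" + ISSUER
        and conditions_match(stmt.get("Condition", {}), claims)
        for stmt in policy["Statement"])

def github_claims(sub: str, aud: str = "sts.amazonaws.com") -> dict:
    """Constructed claim set in the shape of a GitHub Actions OIDC token."""
    return {"iss": "https://" + ISSUER, "aud": aud, "sub": sub}
```

A token from a feature branch, a pull_request event, another repository, or with a different audience fails the condition check even though it comes from the same trusted issuer, which is exactly the restriction a static access key cannot express.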