Pipeline Authentication Guide

TL;DR

This guide shows you how to securely authenticate your deployments within a pipeline environment. We’ll cover using service accounts, SSH keys, and secrets management.

1. Understand Your Pipeline Environment

Before starting, know where your code is running (e.g., Jenkins, GitLab CI, Azure DevOps). Each platform handles authentication differently. This guide provides general principles; consult your pipeline provider’s documentation for specifics.

2. Service Accounts: The Recommended Approach

1. Create a Dedicated Account: Don’t use personal accounts! Create a service account specifically for deployments.
2. Grant Least Privilege: Give the service account only the permissions it *needs* to deploy your application (e.g., write access to specific repositories, ability to restart services). Avoid broad ‘admin’ rights.
3. Store Credentials Securely: Use your pipeline provider’s secrets management system (see section 4).
4. Authenticate in Your Pipeline: Most pipelines allow you to authenticate using the service account credentials stored as secrets.

   # Example for a hypothetical deployment script
   export DEPLOYMENT_USER="your-service-account@project.iam.gserviceaccount.com"
   export DEPLOYMENT_KEY="$(secrets.get("deployment-key"))" # Get key from secrets manager
   gcloud auth activate-service-account --key-file=/path/to/key.json
   gcloud config set project your-project-id
   gcloud app deploy

3. SSH Keys (For Deployments to Servers)

1. Generate an SSH Key Pair: On the pipeline server, create a new SSH key pair without a passphrase.

   ssh-keygen -t rsa -b 4096 -f /path/to/deployment_key -N ""

2. Add Public Key to Server: Copy the *public* key (/path/to/deployment_key.pub) to the ~/.ssh/authorized_keys file on each server you’ll deploy to.
3. Store Private Key Securely: Store the *private* key (/path/to/deployment_key) in your pipeline provider’s secrets management system.
4. Authenticate in Your Pipeline: Use SSH to connect and deploy.

   # Example deployment script
   export DEPLOYMENT_KEY="$(secrets.get("deployment-key"))"
   ssh -i /path/to/deployment_key user@server "your deployment commands here"

4. Secrets Management

Never hardcode credentials in your pipeline scripts! Use a secrets manager.

• Pipeline Provider Options: Most providers offer built-in solutions (e.g., Jenkins Credentials, GitLab CI Variables, Azure Key Vault).
• Third-Party Solutions: HashiCorp Vault is a popular option for more complex setups.
• Encryption at Rest and in Transit: Ensure your secrets manager encrypts data both when stored and during transmission.
• Access Control: Limit access to secrets based on the principle of least privilege.

5. Rotate Credentials Regularly

Change service account keys and SSH keys periodically (e.g., every 90 days) to minimize the impact of a potential compromise.

6. Cyber security Best Practices

• Regular Audits: Review your pipeline configurations and access controls regularly.
• Monitoring: Monitor for suspicious activity in your pipelines and deployment environments.
• Principle of Least Privilege: Always grant the minimum necessary permissions to service accounts and users.