How I Used OIDC to Eliminate Static AWS Keys from GitHub Actions (Real Pipeline Walkthrough)

Edwin Jonathan — Wed, 06 May 2026 11:45:58 +0000

Static AWS access keys in GitHub Actions secrets is how
production environments get breached.

Here's how I replaced every static key with OIDC federation
for the Damolak Technologies DevOps challenge —
and why you should too.

The Problem With Static Keys

When you do this:
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
You have a long-lived credential sitting in GitHub that:

Never rotates automatically
Has blast radius if the repo is compromised
Violates least-privilege by existing at all

The Fix: OIDC

GitHub Actions supports OIDC token exchange with AWS.
Your pipeline requests a short-lived token. AWS validates it
against a trust policy. No stored credentials.

Step 1 — IAM OIDC Provider


hcl
resource "aws_iam_openid_connect_provider" "github" {
  url             = "https://token.actions.githubusercontent.com"
  client_id_list  = ["sts.amazonaws.com"]
  thumbprint_list = ["6938fd4d98bab03faadb97b34396831e3780aea1"]
}

Step 2 — Trust Policy (scoped to YOUR repo):
{
  "Condition": {
    "StringLike": {
      "token.actions.githubusercontent.com:sub": 
        "repo:EdwinJdevops/damolak-challenge:ref:refs/heads/main"
    }
  }
}

This means ONLY your main branch can assume this role.
A fork cannot. A PR branch cannot. Exact scope.

Step 3 — GitHub Actions Workflow
permissions:
  id-token: write
  contents: read

- name: Configure AWS credentials
  uses: aws-actions/configure-aws-credentials@v4
  with:
    role-to-assume: arn:aws:iam::ACCOUNT_ID:role/github-actions-role
    aws-region: us-east-1
That's it. No secrets stored. Token lives for 15 minutes.

**The Full Pipeline I Shipped
**
OIDC auth → ECR login → Docker build + push →
ECS Fargate rolling deploy → ALB health check
33 AWS resources provisioned by Terraform.
Live endpoint behind ALB.
Zero static credentials anywhere in the stack.
Full repo: github.com/EdwinJdevops/damolak-challenge.

Connect:https://hashnode.com/@jonathandevops
Connect:https://www.linkedin.com/in/edwin-jonathan-1094093b0
Connect:https://x.com/TheCloudDeveng

I Built a Production-Grade Internal Developer Platform at 17 — Full Architecture

Edwin Jonathan — Sun, 03 May 2026 15:23:10 +0000

The Problem

Most engineers deploy to Kubernetes by clicking buttons in a UI.
That's not DevOps. That's manual labor with extra steps.

I built Archnet — a fully automated Internal Developer Platform
that handles deployments, secrets, observability, and self-healing
with zero human intervention after setup.

What is an Internal Developer Platform?

An IDP is the infrastructure layer that sits between your code
and your cloud. It handles:

How code gets deployed
How secrets are managed
How the system monitors itself
How failures get detected and fixed

Most companies pay Humanitec or Backstage $50k+/month for this.
I built it from scratch.

The Architecture:

Developer pushes code to GitHub
↓
GitHub Actions builds + scans the image
↓
Docker image pushed to registry
↓
ArgoCD detects manifest change in Git
↓
ArgoCD syncs to k3s Kubernetes cluster
↓
Prometheus scrapes metrics from all pods
↓
Grafana visualizes — AlertManager fires on anomalies
↓
Loki aggregates all logs

Tech Stack & Why

k3s over kubeadm
Single binary. Boots in under 5 minutes.
Full Kubernetes API. Production-proven by Rancher.

ArgoCD over Flux
Better UI for drift visibility. Multi-cluster support.
Stronger RBAC controls. Built-in auto-remediation.

Sealed-Secrets over HashiCorp Vault
No external dependencies. Secrets live encrypted in Git.
Only the cluster can decrypt. Zero operational overhead.

Prometheus + Grafana over Datadog
Full data ownership. No per-host billing.
Custom retention. Industry standard.

GitHub Actions over Jenkins
No server to maintain. Native Git integration.
YAML pipelines. Free for public repos.

The GitOps Model

Everything is declarative. No imperative commands in production.

You commit a change to Git
ArgoCD detects the drift between Git and cluster state
ArgoCD automatically syncs — no human needed
If a pod crashes, ArgoCD detects and resyncs
Prometheus fires an alert, Grafana shows the anomaly

This is self-healing infrastructure.

Security Hardening

Network policies: default deny all, explicit allow per service
RBAC: least-privilege service accounts per workload
Sealed-Secrets: no plaintext secrets anywhere
Trivy: scans every image before it touches the cluster
Audit logging: every API call recorded

Observability Stack

Three pillars:

Metrics — Prometheus collects from every pod
Logs — Loki aggregates from every container
Alerts — AlertManager fires to Slack on anomalies

Dashboards track: cluster health, pod restarts,
deployment status, ArgoCD sync state, node memory/CPU.

What I Learned

Real DevOps is not about knowing commands.
It's about designing systems that run themselves.

Observability is not optional — if you can't see it,
you can't fix it.

Security must be designed in from day one.
Not bolted on after.

Git is not just version control.
In GitOps, Git is your deployment engine.

The Repo

Full open source: github.com/EdwinJdevops/ARCHNET

Architecture docs, tech decisions, security model,
CI/CD pipeline, Terraform IaC — all documented.

Who I Am

17-year-old self-taught DevOps Engineer from Nigeria.
Building infrastructure that enterprises pay millions for.

Available for DevOps, Cloud, and Platform Engineering roles globally.

If this helped you — share it.
If you're hiring — let's talk.