Episode 21 — Protect automation credentials with short-lived access patterns and guardrails

This episode explains how automation identities in CI/CD pipelines, infrastructure-as-code tooling, and scheduled jobs often carry high-impact privileges, which makes long-lived secrets a repeatable point of compromise both on the exam and in real environments. You’ll define durable, static keys versus short-lived tokens, then connect token lifetime, scope, audience restrictions, and issuance controls to the goal of reducing blast radius when something leaks. We’ll walk through a scenario in which a pipeline token is accidentally printed into build logs, and you’ll trace how an attacker who can read those logs pivots to cloud control-plane actions when guardrails are missing. You’ll learn practices such as mapping each job step to the minimum permissions it needs, isolating runners, avoiding shared service identities, and restricting tokens so they are only accepted from expected contexts (a specific repository, branch, or workflow) and only for the resources a job needs.

Produced by BareMetalCyber.com, where you’ll find more cyber audio courses, books, and information to strengthen your educational path. Also, if you want to stay up to date with the latest news, visit DailyCyber.News for a newsletter you can use and a daily podcast you can commute with.
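As an added illustration (not material from the episode), the following Python shows the kind of guardrail check the description refers to: after a cloud side has verified the signature on a short-lived pipeline token, it still has to decide whether the token's claims match the context allowed to use a role. The policy values, the claim names (`iss`, `aud`, `sub`, `iat`, `exp` in the common OIDC shape), the `repo:…:ref:…` subject format, the 15-minute lifetime cap, and the sample claims are all constructed assumptions for the example, not settings from any particular provider.

```python
"""Claim-level guardrail for a short-lived CI token (added example).

Assumes the token's signature has already been verified against the
issuer's published keys; this code only decides whether the verified
claims satisfy the guardrails: trusted issuer, expected audience, short
lifetime, and a subject bound to the pipeline context allowed to use
the role. Claim names, subject format and all sample values below are
constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class RolePolicy:
    issuer: str                 # the only token issuer this role trusts
    audience: str               # tokens minted for any other audience are refused
    allowed_subjects: frozenset # exact pipeline contexts permitted to assume the role
    max_lifetime_s: int = 900   # hypothetical cap: reject tokens valid longer than 15 minutes


def evaluate_claims(claims: dict, policy: RolePolicy, now: float) -> list:
    """Return a list of violations; an empty list means the token may be exchanged."""
    problems = []

    if claims.get("iss") != policy.issuer:
        problems.append(f"untrusted issuer {claims.get('iss')!r}")

    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if policy.audience not in audiences:
        problems.append(f"audience {aud!r} does not include {policy.audience!r}")

    iat, exp = claims.get("iat"), claims.get("exp")
    if not isinstance(iat, (int, float)) or not isinstance(exp, (int, float)):
        problems.append("missing iat/exp")
    else:
        if exp <= now:
            problems.append("token expired")          # a token copied from old logs lands here
        if iat > now + 60:                            # 60 s clock-skew allowance (assumption)
            problems.append("token issued in the future")
        if exp - iat > policy.max_lifetime_s:
            problems.append(f"lifetime {int(exp - iat)}s exceeds cap {policy.max_lifetime_s}s")

    if claims.get("sub") not in policy.allowed_subjects:
        problems.append(f"subject {claims.get('sub')!r} not permitted for this role")

    return problems


# Constructed policy: only the main branch of one repository may deploy.
POLICY = RolePolicy(
    issuer="https://ci.example.test",
    audience="deploy-role",
    allowed_subjects=frozenset({"repo:acme/shop:ref:refs/heads/main"}),
)

NOW = 1_700_000_000  # fixed "current time" so the example is deterministic

# Constructed sample tokens (claims only; signatures assumed already checked).
GOOD_CLAIMS = {"iss": "https://ci.example.test", "aud": "deploy-role",
               "sub": "repo:acme/shop:ref:refs/heads/main", "iat": NOW - 30, "exp": NOW + 570}
FEATURE_BRANCH = dict(GOOD_CLAIMS, sub="repo:acme/shop:ref:refs/heads/feature-x")
LONG_LIVED = dict(GOOD_CLAIMS, exp=NOW + 86_400)
WRONG_AUDIENCE = dict(GOOD_CLAIMS, aud="other-role")


def replayed_from_logs_later(delay_s: int = 3600) -> list:
    """A valid token leaked into build logs and replayed after `delay_s` seconds."""
    return evaluate_claims(GOOD_CLAIMS, POLICY, NOW + delay_s)


if __name__ == "__main__":
    for name, claims in [("good", GOOD_CLAIMS), ("feature branch", FEATURE_BRANCH),
                         ("long lived", LONG_LIVED), ("wrong audience", WRONG_AUDIENCE)]:
        print(f"{name:15s} -> {evaluate_claims(claims, POLICY, NOW) or 'ACCEPT'}")
    print(f"{'replayed':15s} -> {replayed_from_logs_later()}")
```

The order of the checks matters less than the fact that all of them run: a token that is fresh but minted for a feature branch, or one with the right subject but a day-long validity, is refused just as firmly as an expired one, and the returned list tells the operator which guardrail fired.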