In cloud environments, static and long-lived credentials are highly discouraged as they often get leaked and are the cause for most publicly known cloud data breaches. To solve this problem, cloud providers such as AWS, Azure and Google Cloud support "keyless authentication" through OpenID Connect (OIDC), allowing you to exchange JSON Web Tokens (JWTs) signed by trusted identity providers for cloud credentials. Keyless authentication is especially popular for CI/CD, and enables pipelines to seamlessly authenticate to a cloud environment.

Keyless authentication is easy to configure—and unfortunately, to misconfigure. In this talk, we demonstrate that AWS IAM roles using keyless authentication are, in many cases, insecurely configured and allow unauthenticated attackers to retrieve cloud credentials and further compromise the environment. We share our research where we have identified dozens of vulnerable roles in the wild; in particular, we were able to compromise AWS credentials of an account belonging to the UK government, and pivot from there to an internal code repository. Finally, we showcase not only how to identify vulnerable roles in your environment, but also how to use higher-level guardrails to ensure that a human mistake doesn't turn into a data breach.