Building Scalable Enterprise Secrets Management with GitHub OIDC and HashiCorp Vault
Software build pipelines are increasingly a vector for abuse, and storing long-lived credentials in solutions like GitHub Secrets adds risk and logistical challenges. GitHub OIDC authentication to Vault solves this by exchanging the short-lived identity token GitHub mints for each workflow run for a short-lived, dynamic Vault token whose authorization is bound to claims such as the repository, branch and workflow, giving very fine-grained grants. It is one thing to configure a single repository and quite another to construct a program scaling to hundreds or thousands of repositories and developers. In this talk, you will learn how to leverage an OIDC configuration with Vault as a building block to design (or upgrade!) a paved-path, enterprise-scale secrets management program. This developer-first approach provides stronger security guarantees than traditional “secret zero” mitigations while enabling smoother adoption for developers and simpler management and auditability for operators.
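The scoping the abstract describes comes from the bounds on a Vault JWT auth role: the GitHub issuer, a bound audience, bound claims (optionally glob-matched) on `repository` and `ref`, and claim mappings that copy token claims into entity alias metadata so a single templated policy can serve every repository. The following is an added example, not code from the talk, GitHub or HashiCorp: a Python model of that evaluation, run over constructed GitHub Actions claims. The role name `gha-payments`, the audience `https://vault.example.com`, the repositories, the policy path and the mount accessor `auth_jwt_1a2b3c` are all assumptions; in a real deployment the accessor comes from `vault auth list`, and Vault also verifies the token signature against the issuer's JWKS, which this model leaves out.

```python
"""Model of how a Vault JWT auth role scopes a GitHub Actions OIDC token.
Added example, not the talk's or HashiCorp's code. It mirrors this role
(all names hypothetical):

  vault write auth/jwt/role/gha-payments role_type=jwt \
      bound_audiences="https://vault.example.com" bound_claims_type=glob \
      bound_claims='{"repository":"acme-corp/payments-*","ref":"refs/heads/main"}' \
      user_claim=repository claim_mappings='{"repository":"repository","ref":"ref"}' \
      token_policies=gha-repo-scoped token_ttl=10m token_max_ttl=15m

Signature/JWKS verification is Vault's job and is deliberately not modelled.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from fnmatch import fnmatchcase

GITHUB_ISSUER = "https://token.actions.githubusercontent.com"
VAULT_AUDIENCE = "https://vault.example.com"   # assumed bound_audiences value
JWT_MOUNT_ACCESSOR = "auth_jwt_1a2b3c"         # hypothetical; real one from `vault auth list`
NOW = 1_700_000_000                            # fixed clock for the constructed tokens


@dataclass
class JwtRole:
    bound_audiences: list[str]
    bound_claims: dict[str, str]
    bound_claims_type: str = "string"   # "string" = exact match, "glob" = wildcard match
    user_claim: str = "repository"      # claim that names the entity alias
    claim_mappings: dict[str, str] = field(default_factory=dict)  # claim -> alias metadata key
    token_policies: list[str] = field(default_factory=list)
    token_ttl: int = 600


ROLE = JwtRole(
    bound_audiences=[VAULT_AUDIENCE],
    bound_claims={"repository": "acme-corp/payments-*", "ref": "refs/heads/main"},
    bound_claims_type="glob",
    claim_mappings={"repository": "repository", "ref": "ref"},
    token_policies=["gha-repo-scoped"],
)


def _claim_matches(expected: str, actual: object, claims_type: str) -> bool:
    if not isinstance(actual, str):
        return False
    return fnmatchcase(actual, expected) if claims_type == "glob" else actual == expected


def evaluate_login(role: JwtRole, claims: dict, now: float = NOW) -> dict:
    """Apply the role's bounds to decoded claims; return what Vault would mint
    (policies, TTL, alias metadata) or raise PermissionError with the reason."""
    if claims.get("iss") != GITHUB_ISSUER:
        raise PermissionError("issuer is not GitHub Actions")
    if claims.get("exp", 0) <= now:
        raise PermissionError("OIDC token expired")
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if not any(a in role.bound_audiences for a in audiences):
        raise PermissionError("audience not bound to this role")
    for name, expected in role.bound_claims.items():  # every bound claim must hold
        if not _claim_matches(expected, claims.get(name), role.bound_claims_type):
            raise PermissionError(f"claim {name}={claims.get(name)!r} does not satisfy {expected!r}")
    if role.user_claim not in claims:
        raise PermissionError(f"user_claim {role.user_claim!r} missing")
    metadata = {key: claims[c] for c, key in role.claim_mappings.items() if c in claims}
    return {"alias": claims[role.user_claim], "policies": list(role.token_policies),
            "ttl": role.token_ttl, "alias_metadata": metadata}


_TEMPLATE = re.compile(r"\{\{identity\.entity\.aliases\.(?P<accessor>\w+)\.metadata\.(?P<key>\w+)\}\}")


def render_policy_path(path: str, accessor: str, metadata: dict) -> str:
    """Expand Vault identity-template placeholders with the alias metadata captured
    at login; this is what lets one policy serve every onboarded repository."""
    def sub(m: re.Match) -> str:
        if m.group("accessor") != accessor:
            raise KeyError(f"no alias for accessor {m.group('accessor')}")
        return metadata[m.group("key")]
    return _TEMPLATE.sub(sub, path)


def github_claims(repository: str, ref: str) -> dict:
    """Constructed subset of the claims in a GitHub Actions OIDC token."""
    return {"iss": GITHUB_ISSUER, "aud": VAULT_AUDIENCE, "iat": NOW - 30, "exp": NOW + 270,
            "sub": f"repo:{repository}:ref:{ref}", "repository": repository,
            "repository_owner": repository.split("/")[0], "ref": ref,
            "job_workflow_ref": f"{repository}/.github/workflows/deploy.yml@{ref}"}


# One templated policy path (hypothetical) instead of one policy per repository.
POLICY_PATH = f"secret/data/github/{{{{identity.entity.aliases.{JWT_MOUNT_ACCESSOR}.metadata.repository}}}}/*"


def run_scenarios() -> dict:
    cases = {
        "main branch of an allowed repo": github_claims("acme-corp/payments-api", "refs/heads/main"),
        "pull request of the same repo": github_claims("acme-corp/payments-api", "refs/pull/42/merge"),
        "same repo name under another owner": github_claims("evil-org/payments-api", "refs/heads/main"),
    }
    results = {}
    for label, claims in cases.items():
        try:
            token = evaluate_login(ROLE, claims)
            results[label] = render_policy_path(POLICY_PATH, JWT_MOUNT_ACCESSOR, token["alias_metadata"])
        except PermissionError as err:
            results[label] = f"denied: {err}"
    return results


if __name__ == "__main__":
    for label, outcome in run_scenarios().items():
        print(f"{label}: {outcome}")
```

The three scenarios show why this is finer-grained than a shared long-lived secret: only the `main` branch of a repository matching the glob gets a token, and the token's policy resolves to that repository's own path; a pull-request ref (where a fork could inject workflow changes) and a same-named repository under another owner are both refused before any secret is read. Onboarding a new repository then means creating its path under `secret/data/github/`, not a new role or policy.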