
PATTERN Cited by 1 source

Token broker for CI credentials

Problem

CI/CD workflows need credentials to access repositories, registries, and cloud services. Storing long-lived tokens (GitHub App private keys, Personal Access Tokens, cloud API keys) as repo secrets or on runner filesystems creates a blast-radius problem: a single leaked credential grants broad, long-duration access from anywhere.

Pattern

Deploy a centralized token broker service that CI jobs call at runtime to obtain short-lived, finely-scoped credentials for the specific operation they need to perform. No secrets at rest on runners or in CI configuration.

Shape

  1. CI job starts with only the ability to authenticate to the token broker (e.g., via OIDC identity or runner-level mTLS)
  2. Job requests a credential scoped to the specific operation (e.g., "push to repo X", "read from registry Y")
  3. Broker validates the request against policy (repo, workflow, branch, operation type)
  4. Broker issues a short-lived token with minimal permissions
  5. Token expires within minutes to hours, so it is useless once the job has finished (a short fixed TTL rather than a revocation step is what bounds the exposure window)
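The five steps above, as an added, self-contained illustration (not Grafana's or any real broker's code). It assumes the CI identity provider signs a job's claims (repo, ref, workflow) with a key the broker trusts, that the broker mints tokens with its own signing key, and that target systems accept only broker-issued tokens. HS256 with shared keys stands in for the RS256/JWKS exchange a real OIDC provider would use; `IDP_KEY`, `BROKER_KEY`, `POLICY` and the `acme/api` repository are constructed for the example. The runner-side helper also shows the fail-closed behaviour from the trade-offs: any broker failure is a deny, never a fallback to a static secret.

```python
"""Minimal CI token broker: identity assertion -> policy check -> short-lived scoped token.
Added example, not the page's or any project's code. Keys, repo names and policy entries
below are constructed for illustration."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed keys. In a real deployment the IdP key is a JWKS lookup (RS256) and the
# broker's key lives in a KMS/HSM; neither is ever present on a runner.
IDP_KEY = b"idp-demo-key"
BROKER_KEY = b"broker-demo-key"
AUDIENCE = "token-broker"

# Policy: (repo, ref pattern) -> operations a job with that identity may request.
# Anything not listed is denied. A trailing '*' matches any ref with that prefix.
POLICY = {
    ("acme/api", "refs/heads/main"): {"registry:push:acme/api", "repo:read:acme/api"},
    ("acme/api", "refs/pull/*"): {"repo:read:acme/api"},
}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign(claims: dict, key: bytes) -> str:
    """Compact token: base64url(JSON claims) '.' base64url(HMAC-SHA256 over that body)."""
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    mac = hmac.new(key, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(mac)}"


def verify(token: str, key: bytes, now: float) -> dict:
    """Return the claims if the MAC is valid and the token is unexpired; raise ValueError otherwise."""
    body, mac = token.split(".", 1)  # ValueError if there is no separator
    expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(mac)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64(body))
    if claims["exp"] <= now:
        raise ValueError("expired")
    return claims


def _ref_matches(pattern: str, ref: str) -> bool:
    return pattern == ref or (pattern.endswith("*") and ref.startswith(pattern[:-1]))


# Stand-in for the CI identity provider (the OIDC issuer in a real setup).
def idp_issue(repo: str, ref: str, workflow: str, now: float, ttl_s: int = 300) -> str:
    claims = {"iss": "ci-idp", "aud": AUDIENCE, "repo": repo, "ref": ref,
              "workflow": workflow, "exp": now + ttl_s}
    return sign(claims, IDP_KEY)


# Broker side: steps 3 and 4 of the shape.
def broker_issue(identity_token: str, scope: str, now: float, ttl_s: int = 600) -> str:
    """Validate the job's identity, check the requested scope against policy, mint a scoped token."""
    ident = verify(identity_token, IDP_KEY, now)
    if ident.get("aud") != AUDIENCE:
        raise PermissionError("identity token not intended for this broker")
    allowed = set()
    for (repo, ref_pattern), scopes in POLICY.items():
        if repo == ident["repo"] and _ref_matches(ref_pattern, ident["ref"]):
            allowed |= scopes
    if scope not in allowed:
        raise PermissionError(f"policy denies {scope} for {ident['repo']}@{ident['ref']}")
    return sign({"sub": ident["repo"], "scope": scope, "iat": now, "exp": now + ttl_s}, BROKER_KEY)


# Target side (registry, repo, cloud API): honour only broker tokens with the exact scope.
def target_authorize(token: str, required_scope: str, now: float) -> bool:
    try:
        claims = verify(token, BROKER_KEY, now)
    except ValueError:
        return False
    return claims.get("scope") == required_scope


# Runner side: steps 1 and 2, fail closed. A broker outage or a policy denial yields None;
# there is no cached or static credential to fall back to.
def ci_job(identity_token: str, scope: str, now: float, broker=broker_issue) -> Optional[str]:
    try:
        return broker(identity_token, scope, now)
    except Exception:
        return None


if __name__ == "__main__":
    now = time.time()
    ident = idp_issue("acme/api", "refs/heads/main", "release.yml", now)
    cred = ci_job(ident, "registry:push:acme/api", now)
    print("push allowed:", target_authorize(cred, "registry:push:acme/api", now))
    print("read with push token:", target_authorize(cred, "repo:read:acme/api", now))
```

The broker never sees a long-lived secret from the job; the only thing the runner holds is a short-lived identity assertion, and the credential it gets back is bound to one scope and one TTL. Note that the target checks the scope string exactly: a token minted for `registry:push` is rejected for `repo:read`, which is what keeps the blast radius to "one operation's scope and duration".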

Relationship to OIDC federation

patterns/short-lived-oidc-credentials-in-ci is the same principle applied to cloud providers (AWS, GCP) via direct OIDC token exchange. A token broker adds a layer of indirection, which is useful when the target system (e.g., GitHub itself) doesn't support direct OIDC federation, or when you need centralized policy enforcement across heterogeneous targets. The job still proves its identity to the broker with OIDC (or runner-level mTLS); the broker only moves the policy decision and the credential minting out of the target.

Grafana's adoption (2026)

After the TanStack supply chain incident, Grafana Labs made token-broker adoption a prerequisite for "thawing" each repository from the global code freeze. Repos could not resume normal operations until they had transitioned from static secrets to broker-issued short-term credentials. This made the code freeze a forcing function for universal adoption (Source: sources/2026-06-24-grafana-post-incident-review-tanstack-npm-supply-chain-ransom).

Trade-offs

  • Benefit: Eliminates credential-at-rest risk; limits blast radius to one operation's scope and duration
  • Benefit: Centralized audit log of all credential issuance
  • Cost: Adds a runtime dependency: if the broker is down, CI is down
  • Cost: Initial migration effort (Grafana: 1,500 security PRs, 280 app audits)
  • Mitigation: Broker must be highly available; fallback posture is "deny" (fail closed). Jobs must not keep a cached or static credential to fall back to, or the outage path reintroduces the credential-at-rest risk the pattern removes

Seen in
