The end of long-term credentials
Jerome Kelly

The end of long-term credentials

How to prohibit and replace the use of permanent AWS credentials?

The use of permanent credentials is an extremely common practice with AWS. Injecting the values of AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY into environment variables is a simple and reassuring solution for most developers. However, from a security standpoint, this practice is far from ideal. Over time, these sensitive values can leak, and it becomes difficult to control how they are used.

The good news is that there are better alternatives! We’ll start by discussing how to block their creation, and then explain the replacement solutions for the following three areas: developer access, AWS services, and DevOps pipelines.

Restricting Usage

Before even discussing alternatives to permanent credentials, it’s essential to restrict their usage. To do so, the best approach is to use an SCP (Service Control Policy). An SCP is an IAM policy that can be applied to all AWS accounts within an organization.

Responsive Image

Although short, this policy is extremely powerful! It blocks the creation of long-term credentials and IAM users. The strength of an SCP lies in the fact that even a root user cannot override it, thus ensuring compliance across all Thirdbridge projects.

Managing Developer Access

The first challenge to address is managing developer access. Typically, an IAM user is created for each developer. That user can then generate permanent credentials to, for example, run a project locally. The recommended alternative for this use case is to use IAM Identity Center along with AWS Organizations.

Responsive Image

AWS offers the concept of an Organization. Simply put, an Organization is a collection of separate AWS accounts that can be grouped into Organizational Units (OUs). At Thirdbridge, each client project is represented by an OU. Each OU contains two AWS accounts: one for lower environments (dev, uat, staging, etc.) and one for production.

The strength of IAM Identity Center lies in its ability to create a single profile for each developer and assign the necessary permissions based on their role and current responsibilities.

Responsive Image

So, even if a developer works on 10 different projects, they have only one account. When logging into the AWS web console, they do so through a role managed by IAM Identity Center. Finally, if a developer needs an AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY to run a project locally, IAM Identity Center can provide temporary credentials that can be used.

Running an AWS Service

A common mistake is manually injecting AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY into an AWS service. In reality, AWS services all have an IAM role associated with their execution. Whether it’s ECS, Lambda, or EC2, you should always use the role assigned to the service rather than injecting credentials.

Continuous Deployment

Removing permanent credentials from continuous deployment pipelines is often the most intimidating part for developers. Injecting AWS keys via the secrets management systems offered by DevOps platforms like GitLab and GitHub is an extremely common practice.

However, the recommended approach is to use the OIDC protocol to establish a trust relationship between the DevOps platform and AWS. This not only removes the need for permanent credentials, but also enables much more precise permission scoping. For example, you can assign an IAM role to a specific Git branch, thereby respecting the principle of least privilege.

Since setup can sometimes be a barrier to adopting OIDC, we’ve prepared a detailed step-by-step guide for both GitHub and GitLab.

🔗 Gitlab OIDC

🔗 GitHub OIDC

Conclusion

Restricting the use of permanent credentials in AWS is an essential security practice for any organization aiming for a high level of compliance. While limiting their usage with an SCP is relatively easy to implement, setting up their alternatives can sometimes be more complex.

We hope this short guide will be helpful to other organizations looking to elevate their operational practices with AWS. We’ve kept things high-level to keep it light to read, but feel free to reach out to us for any more specific questions 🙂

share this article

Other articles

May 8, 2025

Personalizing the Mobile Experience: The 5 Essential Pillars

Personalization must be at the heart of digital strategies to ensure the creation of experiences that are engaging, seamless, relevant, and tailored to user needs.

Apr 24, 2025

Why Is Building an App So Expensive?

We've realized there’s a real need for education around the actual costs of designing and developing a digital product.

Apr 4, 2025

CMS for your mobile app?

A quick guide to choosing the right CMS for your mobile app—comparing top platforms and highlighting integration tips for scalability and flexibility.

Mar 17, 2025

Why Apple Hates PWA

PWAs have made progress, but in my humble opinion, most of them offer an experience inferior to their native counterparts.

Feb 18, 2025

AWS, SPA and SEO

How to optimize the SEO of a SPA hosted on AWS

Feb 10, 2025

User Interviews: A Key but Often Overlooked Step

A great idea doesn’t always guarantee success. Before making any decisions, it's essential to consider the actual needs and expectations of end users.

Jan 14, 2025

Modern Password Management

At Thirdbridge, providing peace of mind to our clients is at the heart of our priorities, and we believe it all starts with the reliability of our internal practices and processes.

Oct 24, 2024

Leverage Mobile to Optimize the Online Shopping Experience

The holiday season is a strategic time and a crucial opportunity for businesses to maximize their sales through mobile while enhancing the online shopping experience.

Oct 15, 2024

Pierre-Étienne Bousquet guest of "Les Affaires"

Our president and co-founder, Pierre-Étienne Bousquet, discussed with Jean-François Venne from Les Affaires the significant growth of digital technology in the retail industry and its impact on online sales, which are becoming increasingly crucial for revenue.

Sep 12, 2024

Maximizing Engagement with User-Generated Content

The emergence of user-generated content (UGC) is revolutionizing co-creation. As a key tool in brands' marketing strategies, UGC is changing the way content is created and consumed.

Jul 15, 2024

The Phygital: Rethinking the Retail

Businesses have always had to innovate and rethink their approaches to remain relevant, and this is even more true in the digital age.

Jun 14, 2024

Recruiting an In-House Team or Hiring an Agency for Developing Your Application?

When embarking on a project as significant and important as developing an application, a crucial dilemma quickly arises: choosing between a specialized agency or recruiting your own in-house team to accomplish the work. One thing is certain, both options present distinct advantages and constraints.

Jun 13, 2024

Launching Your Application: The Key to a Well-Planned Budget

Very few digital projects end within their initial budgets and timelines.

May 22, 2024

Optimizing Synergy with Your Software Development Partner

The digital realm, especially that of custom digital solution development, is constantly evolving—between fast technological advancements and changing consumer needs, it's quite challenging to predict what the future holds for web players.

May 6, 2024

Couche-Tard Connecté: The Cashierless Convenience Store

Congratulations to our mobile development team, who gave their all in recent weeks to ensure a smooth launch of the Couche-Tard Connecté project.

Apr 12, 2024

The Thirdbridge Entrepreneurial Scholarship

Thirdbridge is more than proud to be able to support a project and individuals full of promise.

May 7, 2025

GitLab OIDC

How to interact securely with AWS from GitLab.

Apr 23, 2025

Gamification: Turning Engagement into a Performance Driver

Far beyond just playfulness, gamification is a powerful experiential strategy for positively influencing behavior.

Mar 31, 2025

Ratings & Reviews: Their Impact on an App's Success

An app’s success isn’t solely based on meticulous engineering or eye-catching designs. It’s crucial to deliver a product that is high-performing, accessible, useful, and user-friendly, alongside a go-to-market (GTM) strategy tailored to the digital product ecosystem.

Feb 25, 2025

Strategic Workshops: A Tailored Approach to Your Project Needs

Strategic workshops are at the core of our collaborative process, enabling us to co-create relevant and innovative solutions for our clients and their customers.

Feb 18, 2025

Proximity Technologies

Presentation of various technologies enabling mobile applications to interact with the physical world.

Jan 30, 2025

Game Day

It’s crucial to remember that the primary goal is to uncover the blind spots in the project.

Jan 6, 2025

25 Key Trends to Optimize Your Mobile App in 2025

The Thirdbridge team has compiled this article outlining 25 trends to consider for mobile app development or strategy, or any other type of digital product in 2025.

Oct 17, 2024

How to Gauge your Mobile App's performance?

A mobile application is the extension of a brand's customer experience.

Sep 27, 2024

Thirdbridge in La Presse: Vision and Growth

Our President and Co-Founder, Pierre-Étienne Bousquet, was recently the guest of Camille Dauphinais-Pelletier of La Presse, where he shared his thoughts on Thirdbridge's journey.

Sep 4, 2024

The impact of UX research

Integrating user experience (UX) principles and practices into the software or application development process has become crucial.

Jun 26, 2024

Thirdbridge in La Presse

As a business leader, one must ask themselves, "What am I trying to accomplish with my project?" and answer with a vision that extends beyond one's own interests.

Jun 14, 2024

Funding Your Digital Project

It's no secret that realizing your wildest dreams regarding digital innovation within your company brings many benefits.

May 30, 2024

Do You Really Need an Application?

Don't furrow your brows! This is a genuinely good question. Just observe people on the subway, for example, or in a waiting room: almost everyone has a phone in hand, whether to read, text, play, get information, meet a soulmate, order food, or shop...

May 17, 2024

Maximizing Your App's Profitability: Our Advice

Whether you're looking to save time for your users, retain them, or enhance their shopping experience, we're sharing here the three key elements to consider to maximize your return on investment (ROI).

May 3, 2024

Simplified Infrastructures for Enhanced Agility

At Thirdbridge, we believe that project-oriented teams deliver superior quality results, and do so more quickly. Given that they are responsible for the entire value creation flow, these teams can increase their velocity by eliminating bottlenecks themselves. Moreover, entrusting end-to-end flow responsibility to our developer teams makes their work even more engaging and motivating.

Mar 22, 2024

Our 12 tips for succeeding in a software project after 12 years in the industry

Thirdbridge celebrates its 12th anniversary!

May 7, 2025

GitHub OIDC

How to interact securely with AWS from GitHub.

Apr 21, 2025

Passkeys: What are they?

Answers to the most frequently asked questions about Passkeys

Mar 26, 2025

Why a Maintenance Plan?

One of the most overlooked aspects of software development projects is the maintenance phase. A project is rarely ever truly finished; it will continue to require a non-negligible amount of work over time.

Feb 18, 2025

Boost Customer Loyalty: The Power of a Mobile App

Boost customer loyalty and engagement with KPI-focused mobile app strategies, driving measurable results and maximizing ROI.

Feb 13, 2025

Aligning SSO with Business Models

It’s essential to align your business model with the cost structure of the SSO provider. Otherwise, the success of your product could quickly become a financial burden!

Jan 20, 2025

Thirdbridge in the spotlight: L'Arrière-Scène's digital partner

Thirdbridge is proud to announce that it is the official digital partner of JA Hypothèques and their latest project: L'Arrière-scène.

Oct 29, 2024

AI driving innovation: A new Era for Mobile Apps and User Experience

Artificial intelligence (AI) represents a digital transformation that impacts us all. This rapidly advancing technology, fueled by data analysis, not only enables informed decision-making and reliable forecasting but also allows for the completion of many tasks at a faster pace.

Oct 15, 2024

Enhancing Product Management: Key to Success in Software Development

The distinction between product management and project management is essential for ensuring optimal productivity. It’s not enough to treat them as interchangeable concepts; it’s crucial to adopt a proactive approach to place the right resources in the right places.

Sep 24, 2024

Cybersecurity and Mobile Applications: Choosing the Right Authentication Method

Mobile applications are essential tools that handle personal data, access sensitive information, and are part of our daily lives. However, in an age where the term cybersecurity is on everyone's lips, ensuring the security of these applications and the information they contain is crucial.

Aug 9, 2024

PWAs: Test the Potential of Mobile Apps

With the advent of mobile applications, our daily lives have been transformed: these simple tools have become essential facilitators of daily tasks and catalysts for professional and personal interactions.

Jun 18, 2024

Hybrid vs. Native: Making the Right Choice

At Thirdbridge, the preferred development approach is hybrid. But let's delve deeper by comparing hybrid and native development across key stages of application development: costs, performance, security, and maintenance.

Jun 14, 2024

Mastering App Development: A 5-Step Guide to Success

Developing an application isn't something you can just wing. To succeed in this coveted domain, being well-prepared is essential. Unfortunately, a vast majority of large-scale digital projects fail due to inadequate preparation.

May 23, 2024

Tips and Tricks for Sustainable Software Design

When we think about reducing our ecological footprint, our first instinct is to consider the means of transportation we use or our recycling and consumption habits.

May 14, 2024

Succeeding in Your Updates in 5 Steps

Did you know that at least 20% of the development time of an application should be allocated to testing and quality assurance?

Apr 25, 2024

Beyond Launch: Ensuring the Longevity of Your Application

You've diligently followed the development stages of your application and are about to launch it: congratulations! But even though this is a great accomplishment, your job is far from over...