by evantbyrne 1072 days ago
Any CD is going to require some kind of authentication key. To minimize the surface area of a potential leak, create a user in AWS for the tool, only grant it access to the resources needed, and then create a key for that user to place in your CI. You should also enable audit trails in your AWS account so you can monitor for unusual activity.
2 comments
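As an added example (not code from the thread or from any commenter), here is what the four steps above look like in Terraform, since a later reply asks whether the identity is managed that way: a dedicated IAM user for the CD tool, an inline policy scoped to a single artifact bucket, an access key for the CI secret store, and a CloudTrail trail so use of that key is recorded. Every name, the region, and the two buckets are assumptions; the CloudTrail log bucket and its bucket policy are assumed to already exist.

```hcl
# Added example: least-privilege deploy identity for a CI pipeline that
# publishes build artifacts to one S3 bucket, plus a CloudTrail trail.
# Names, region and buckets are assumptions, not values from the thread.

provider "aws" {
  region = "us-east-1"
}

# The only resource the pipeline may touch (assumed to already exist).
variable "artifact_bucket" {
  type    = string
  default = "example-app-artifacts"
}

# Bucket whose policy already permits CloudTrail to write to it (assumed).
variable "cloudtrail_bucket" {
  type    = string
  default = "example-cloudtrail-logs"
}

# A dedicated identity for the CD tool, used for nothing else.
resource "aws_iam_user" "cd" {
  name = "ci-deploy-example-app"
}

# Grant exactly what an artifact upload needs: list the bucket, write and
# delete objects in it. No wildcard actions, no wildcard resources.
data "aws_iam_policy_document" "cd" {
  statement {
    sid       = "ListArtifactBucket"
    actions   = ["s3:ListBucket"]
    resources = ["arn:aws:s3:::${var.artifact_bucket}"]
  }
  statement {
    sid       = "WriteArtifacts"
    actions   = ["s3:PutObject", "s3:DeleteObject"]
    resources = ["arn:aws:s3:::${var.artifact_bucket}/*"]
  }
}

resource "aws_iam_user_policy" "cd" {
  name   = "cd-artifact-upload"
  user   = aws_iam_user.cd.name
  policy = data.aws_iam_policy_document.cd.json
}

# The key is what goes into the CI secret store. Terraform state also holds
# it, so the state backend must be protected (or create the key out of band).
resource "aws_iam_access_key" "cd" {
  user = aws_iam_user.cd.name
}

# Record every API call made with this (and every other) credential so
# unusual activity from the CI key can be spotted.
resource "aws_cloudtrail" "audit" {
  name                          = "account-audit"
  s3_bucket_name                = var.cloudtrail_bucket
  include_global_service_events = true
  is_multi_region_trail         = true
  enable_log_file_validation    = true
}

output "cd_access_key_id" {
  value = aws_iam_access_key.cd.id
}

output "cd_secret_access_key" {
  value     = aws_iam_access_key.cd.secret
  sensitive = true
}
```

The policy names one bucket ARN and one object prefix rather than `s3:*` or `Resource: "*"`, so a leaked key is bounded to that bucket. With the multi-region trail in place, the CloudTrail records for this key's access key ID can be filtered for calls from unexpected source IPs or for actions outside `s3:PutObject`, `s3:DeleteObject` and `s3:ListBucket`, which with this policy would show up as `AccessDenied` events.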

I do similar with K8S and RBAC. The most common action in a repo is going to be to update a deployment with a new image or resource config, so that’s all it can do.

Still need a more permissive role to manage the cluster in other ways but you can isolate that and limit access to its repo.
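The Kubernetes equivalent of the narrow role described in this comment, as an added example in Terraform (not the commenter's own configuration): a ServiceAccount for the app repo's CD job bound to a namespaced Role that can only read and patch two named Deployments. The namespace, Deployment names and kubeconfig path are assumptions; how the ServiceAccount's token reaches the CI system is out of scope here.

```hcl
# Added example: a Kubernetes ServiceAccount whose only permission is to
# read and patch the Deployments of one namespace, for the app repo's CD job.
# Namespace and resource names are assumptions, not values from the thread.

provider "kubernetes" {
  config_path = "~/.kube/config"
}

variable "app_namespace" {
  type    = string
  default = "example-app"
}

# The identity the CD pipeline authenticates as.
resource "kubernetes_service_account" "cd" {
  metadata {
    name      = "ci-deploy"
    namespace = var.app_namespace
  }
}

# A namespaced Role, not a ClusterRole: the pipeline cannot reach other
# namespaces, and within this one it cannot touch Secrets, Pods or RBAC.
resource "kubernetes_role" "cd" {
  metadata {
    name      = "deployment-updater"
    namespace = var.app_namespace
  }

  # Enough for `kubectl set image deployment/web ...` (a get plus a patch)
  # and for patching resource requests/limits. No create, no delete.
  rule {
    api_groups     = ["apps"]
    resources      = ["deployments"]
    resource_names = ["web", "worker"] # only these two Deployments
    verbs          = ["get", "patch"]
  }
}

resource "kubernetes_role_binding" "cd" {
  metadata {
    name      = "ci-deploy-deployment-updater"
    namespace = var.app_namespace
  }
  role_ref {
    api_group = "rbac.authorization.k8s.io"
    kind      = "Role"
    name      = kubernetes_role.cd.metadata[0].name
  }
  subject {
    kind      = "ServiceAccount"
    name      = kubernetes_service_account.cd.metadata[0].name
    namespace = var.app_namespace
  }
}
```

The more permissive cluster-management role the comment mentions would be a separate Role or ClusterRole bound to a separate ServiceAccount, used only from the infrastructure repo; the app repo's credential never gains those verbs. `kubectl auth can-i --as=system:serviceaccount:example-app:ci-deploy delete deployments -n example-app` is a quick way to confirm the binding denies what it should.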

You should create a role, not a user IMO. Also how do you manage that role/user? Via terraform?