
How/Why OIDC works at LocalOps for AWS access

submitted by
Style Pass
2024-10-17 08:30:02

LocalOps no longer accepts IAM access keys. We switched to OAuth 2.0 / OpenID Connect (OIDC) and role-based access to connect to AWS. Check out the announcement post for more details.

Traditionally, to let a tool (like LocalOps) connect to a cloud account, one generates and shares access keys; in AWS these are the AWS access key ID and AWS secret access key. The keys belong to an IAM user who is granted specific permissions through an IAM policy to perform specific operations within the AWS account. The keys can then be used with the AWS SDK to make API calls against that account: provision infrastructure, create EC2 instances, or perform any other permitted operation.

Keys can be stolen or leaked. Anyone who holds the keys can use them: as long as the keys are valid, the holder is allowed to make calls to the AWS account. When keys live for a long time, the probability that someone finds and misuses them increases.

Key rotation may mitigate these risks, and security frameworks like SOC 2 recommend it as a general practice. Account owners can delete the old keys and generate a new key pair regularly, so that old keys stop working even if they were leaked in the past.
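A concrete way to act on the rotation advice above is to audit the age of every active access key in an account. The following is an added example, not LocalOps code: it parses an IAM credential report (the CSV that `aws iam get-credential-report` returns, here trimmed to the columns the audit needs and filled with constructed sample rows) and flags active keys that are older than a rotation threshold. The account ID, user names and timestamps are made up for the example.

```python
import csv
import io
from datetime import datetime

# Constructed sample in the shape of an IAM credential report, trimmed to the
# columns this audit reads. Users, account ID and dates are invented.
SAMPLE_REPORT = """user,arn,user_creation_time,access_key_1_active,access_key_1_last_rotated,access_key_2_active,access_key_2_last_rotated
<root_account>,arn:aws:iam::111122223333:root,2020-01-01T00:00:00+00:00,false,N/A,false,N/A
deploy-bot,arn:aws:iam::111122223333:user/deploy-bot,2021-03-10T00:00:00+00:00,true,2022-05-01T00:00:00+00:00,false,N/A
alice,arn:aws:iam::111122223333:user/alice,2023-06-01T00:00:00+00:00,true,2024-09-20T00:00:00+00:00,true,2023-06-01T00:00:00+00:00
"""


def parse_time(value):
    """Parse the ISO-8601 timestamps used in the report.

    The report writes 'N/A' when a key slot is unused and 'not_supported'
    for some fields; both are treated as 'no timestamp'.
    """
    if value in ("N/A", "not_supported", ""):
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def audit_credential_report(report_csv, now_iso, max_age_days=90):
    """Return one finding per active access key older than max_age_days.

    now_iso is the evaluation time as an ISO-8601 string, so callers (and
    tests) control the reference point instead of the wall clock.
    """
    now = parse_time(now_iso)
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        # Each IAM user has two key slots; audit both independently.
        for slot in ("1", "2"):
            if row[f"access_key_{slot}_active"] != "true":
                continue
            rotated = parse_time(row[f"access_key_{slot}_last_rotated"])
            if rotated is None:
                continue
            age_days = (now - rotated).days
            if age_days > max_age_days:
                findings.append(
                    {"user": row["user"], "key_slot": int(slot), "age_days": age_days}
                )
    return findings


if __name__ == "__main__":
    for finding in audit_credential_report(SAMPLE_REPORT, "2024-10-17T00:00:00+00:00"):
        print(
            f"{finding['user']}: access key {finding['key_slot']} is "
            f"{finding['age_days']} days old, rotate it"
        )
```

Run against a real report, the script lists every long-lived key that has outlived the rotation window; the root account and inactive slots are skipped. Credentials obtained through OIDC federation are issued with an expiry by STS and never appear in this report, which is the practical difference between the two models described above.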
