Practice free →
HomeAWS Solutions Architect Associatecloudcomputingsecurearchitectures › A team wants short-lived credentials (15 minutes…

A team wants short-lived credentials (15 minutes) for an external CI/CD system running OUTSIDE AWS so it can deploy CloudFormation stacks. Which approach is BEST?

ACreate a long-lived IAM user with admin permissions and store its access key in the CI/CD pipeline's environment variables
BDisable IAM and trust the pipeline by IP address only
CConfigure an IAM identity provider (OIDC) for the CI/CD system, define an IAM role with a trust policy, and let the CI/CD pipeline assume the role via STS
DHard-code the AWS root account access key into the CI/CD pipeline
Answer & Solution
Correct answer: C. Configure an IAM identity provider (OIDC) for the CI/CD system, define an IAM role with a trust policy, and let the CI/CD pipeline assume the role via STS
OIDC federation lets external systems (GitHub Actions, GitLab CI, etc.) assume an IAM role and receive short-lived STS credentials — no static AWS keys outside AWS. The other options leak long-lived keys, including the root account, or remove auth entirely.
Solve this in the app — AWS Solutions Architect Associate practice & 24k+ MCQs →
Related questions