Your CI/CD Pipeline Has Non-Human Identities You Forgot About - DevOps.com
Briefly

"A deployment starts failing late on a Friday evening. The initial assumption is that something changed in the application release. Teams start checking container images, Terraform plans and recent commits. Nothing looks wrong. A few hours later, someone discovers the actual issue: a deployment token tied to an old automation workflow expired months ago. The token was still being used by a pipeline nobody realized was active. The original engineer who created it had already moved to another team."
"Situations like this are becoming normal in modern delivery environments. Not because organizations suddenly lost visibility into human access, but because CI/CD systems now create machine identities constantly. Most of them are temporary. Some become permanent without anyone planning for it. A few years ago, infrastructure access mostly revolved around employees, administrators and service accounts that teams could track manually. That model no longer holds up very well."
"Today's pipelines rely on build runners, deployment bots, ephemeral workloads, repository integrations, infrastructure automation accounts and short-lived cloud credentials moving across multiple systems at once. Some exist for minutes. Others stay around for years after their original purpose disappeared. The harder part is figuring out how much access quietly exists between systems. Most organizations can usually tell you which employees still have production access. Tracking older automation workflows, deployment runners and pipeline credentials is often much less clear."
"Modern software delivery pipelines create and consume identities almost nonstop. A single deployment workflow may involve:
- repository actions
- build runners
- container registries
- cloud workload identities
- Kubernetes service accounts
- infrastructure automation tools
- artifact signing systems
- secret managers
- deployment orchestrators
Each step often introduces another credential, acc"
A deployment fails late on a Friday evening, initially suspected to be caused by changes in the application release. Teams check container images, Terraform plans, and recent commits, but nothing appears wrong. Hours later, the root cause is found: a deployment token, tied to an old automation workflow, that had expired months earlier. The token was still being used by a pipeline that nobody realized was active, and the original engineer who created it had moved to another team. This pattern is becoming common because CI/CD systems generate many machine identities that are meant to be temporary, and some become permanent without deliberate planning. Access between systems becomes difficult to measure as pipelines rely on runners, bots, ephemeral workloads, integrations, automation accounts, and short-lived cloud credentials across multiple systems.
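The failure modes the article describes (an expired token a pipeline still calls, a credential whose creator has left, a long-lived credential nobody uses) can be caught by a simple inventory audit. The following is an added illustration, not code from the article or from DevOps.com; the inventory records, field names and thresholds are constructed assumptions, and the sample data mirrors the Friday-evening incident above.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional


@dataclass
class PipelineCredential:
    """One non-human identity used by a delivery pipeline (constructed schema)."""
    name: str
    kind: str                      # e.g. deploy-token, runner-token, cloud-workload-id
    owner: str                     # engineer or team that created it
    owner_active: bool             # False once the owner has left or moved teams
    expires: Optional[datetime]    # None means the credential never expires
    last_used: Optional[datetime]  # None means it has never been used
    workflow_active: bool          # is the workflow that uses it still scheduled/run?


def audit(creds: List[PipelineCredential], now: datetime,
          stale_days: int = 90) -> Dict[str, List[str]]:
    """Return {credential name: [issues]} for every credential that needs attention."""
    findings: Dict[str, List[str]] = {}
    for c in creds:
        issues = []
        # The Friday-evening case: the token expired, yet an active pipeline kept using it.
        if c.expires and c.expires < now and c.last_used and c.last_used > c.expires:
            issues.append("expired-still-used")
        # Nobody owns it any more, so nobody will notice when it breaks or leaks.
        if not c.owner_active:
            issues.append("orphaned-owner")
        # A "temporary" credential that became permanent and is no longer exercised.
        if c.expires is None and (c.last_used is None or now - c.last_used > timedelta(days=stale_days)):
            issues.append("stale-long-lived")
        if issues:
            findings[c.name] = issues
    return findings


# Constructed sample inventory; NOW is an arbitrary Friday evening in UTC.
NOW = datetime(2025, 9, 12, 22, 0, tzinfo=timezone.utc)
SAMPLE = [
    PipelineCredential("legacy-deploy-token", "deploy-token", "alice", False,
                       datetime(2023, 6, 1, tzinfo=timezone.utc), NOW - timedelta(days=1), True),
    PipelineCredential("prod-runner-token", "runner-token", "bob", True, None, None, False),
    PipelineCredential("ci-oidc-workload", "cloud-workload-id", "ci-team", True,
                       NOW + timedelta(hours=1), NOW - timedelta(minutes=30), True),
]

if __name__ == "__main__":
    for name, issues in audit(SAMPLE, NOW).items():
        print(f"{name}: {', '.join(issues)}")
```

Feeding the audit from real sources (secret manager metadata, CI runner registrations, cloud IAM key listings) is the part each organisation has to wire up itself; the checks stay the same.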