How to Apply IAM to Code Execution

When developers grant a single, overly broad IAM role to a script, a single mistake can expose every downstream service, inflate cloud spend, and make a breach impossible to contain. The cost is not just a blown‑out bill; it is lost trust, regulatory exposure, and the time spent untangling a compromised pipeline.

In many organizations, code execution environments – whether they are CI runners, serverless functions, or remote shells – are launched with static service accounts that have full access to databases, storage buckets, and internal APIs. Those credentials are often checked into repositories or shared in chat, and the execution platform does not record who ran what command or what data was returned. The result is a blind spot: engineers cannot prove that a particular secret was read, and security teams cannot enforce the principle of least privilege at the moment of execution.

Applying IAM correctly means that each execution request should be evaluated against a policy that limits access to the exact resources needed for that specific job, grants that access only for the duration of the run, and records the outcome for later review. Even if you tighten IAM roles, the request still travels directly to the target system, bypassing any real‑time check, without audit, without masking of sensitive output, and without a way to require human approval for risky commands.

To close that gap you need a control point that sits on the data path – a gateway that can inspect, authorize, and log every interaction before it reaches the code execution target. This is where hoop.dev comes into play.

Setup: identity and role definition

The first step is to define who is allowed to request code execution and what IAM roles they may assume. Identity is provided by an OIDC or SAML provider such as Okta, Azure AD, or Google Workspace. Each user receives a short‑lived token that encodes group membership and optional attributes. Those attributes are mapped to the minimal IAM role required for the specific workload. The role itself is stored in the gateway configuration and never exposed to the user or the executing process.

Data path: hoop.dev as the enforcement layer

hoop.dev sits between the identity provider and the execution target – whether that target is an SSH host, a container runtime, or a serverless invoke endpoint. All traffic flows through the gateway, giving it the sole authority to enforce policy. Because the gateway is the only point where the request is examined, it can apply just‑in‑time access, require approval for privileged commands, and block disallowed operations before they ever reach the underlying system.

Enforcement outcomes delivered by hoop.dev

• hoop.dev records each execution session, capturing the user, the command, and the full response for replay.
• hoop.dev masks sensitive fields in command output, preventing secrets from leaking to logs or downstream tools.
• hoop.dev blocks dangerous commands such as destructive deletes unless an authorized approver explicitly grants permission.
• hoop.dev issues just‑in‑time credentials that expire the moment the session ends, eliminating standing access.
• hoop.dev routes high‑risk operations to an approval workflow, ensuring that a human reviews the intent before execution proceeds.

These outcomes exist only because the gateway is in the data path; removing hoop.dev would restore the original blind spot.

Common pitfalls to avoid

1. Granting a service account more permissions than the job requires. Tighten the IAM role and let the gateway enforce the exact scope.
2. Relying on static credentials stored in code repositories. Use the gateway’s short‑lived credentials instead.
3. Disabling session recording for performance reasons. Without a record, you lose forensic capability and compliance evidence.
4. Skipping approval steps for high‑impact commands. The gateway can require multi‑person sign‑off without adding latency to normal workloads.

Addressing these pitfalls early prevents accidental over‑privilege and ensures that every execution is auditable and reversible.

Getting started

Review the getting‑started guide to deploy the gateway, configure your OIDC provider, and define the minimal IAM roles for your code execution workloads. The learn section provides deeper coverage of masking policies, approval workflows, and session replay.

When you are ready to explore the implementation details, contribute, or raise an issue, visit the open‑source repository on GitHub: hoop.dev on GitHub.

FAQ

What does IAM for code execution actually protect?

It limits the actions a script or user can perform at runtime, ensures credentials are short‑lived, and guarantees that every command and its result are recorded for audit.

How does hoop.dev enforce least‑privilege without changing existing scripts?

By acting as a transparent proxy, the gateway injects just‑in‑time credentials and validates each request against the defined policy before the target sees the command.

Can I retroactively audit runs that happened before I deployed the gateway?

No. The gateway can only record sessions that pass through it. Historical runs without a data‑path proxy remain unrecorded, which is why deploying the gateway early is critical for continuous compliance.