Non-human identity: what it means for your least privilege (on CI/CD pipelines)

Most CI/CD pipelines start with a single service account that every job shares, and the account is granted wide‑ranging permissions to databases, storage, and clusters, violating the principle of least privilege. The secret for that account lives in configuration files, environment variables, or even the repository itself, so it travels with the code, appears in logs, and can be extracted from container images. When a compromise occurs, the attacker inherits every permission the shared account holds, turning a single build failure into a full‑blown breach.

Teams often try to tighten the situation by creating a few more service accounts, but they still rely on static credentials that are handed to the pipeline at start‑up. The identity provider authenticates the job, yet there is no point in the network where the request can be inspected, masked, or recorded. The pipeline reaches the target directly, so any over‑reach happens unchecked and no reliable audit trail exists.

What is missing is a data‑path enforcement layer that sits between the non‑human identity and the infrastructure. The setup – OIDC tokens, purpose‑built service accounts, and least‑privilege role definitions – decides who may start a request, but it cannot enforce that the request stays within its bounds. Without a gateway, you cannot apply command‑level audit, inline masking of secrets, just‑in‑time approval for risky operations, or immutable session recordings.

hoop.dev as the identity‑aware gateway

hoop.dev fills that gap by acting as the only point where traffic between a CI job and its target passes. It validates the OIDC or SAML token issued by the identity provider, reads the groups or roles attached to the service account, and then enforces policy at the protocol level. Because hoop.dev occupies the data path, it can:

• Record each pipeline session, producing a replayable audit log that ties every command to the specific non‑human identity.
• Mask sensitive fields, such as database passwords or API keys, in responses before they reach the CI job.
• Require just‑in‑time approval for high‑risk operations, routing the request to a human reviewer while the rest of the pipeline continues.
• Block disallowed commands outright, preventing accidental or malicious misuse of credentials.

All of these outcomes exist only because hoop.dev sits in the gateway position. The setup – OIDC federation, service‑account creation, and least‑privilege role definition – remains necessary to decide who may start a request, but the enforcement lives in hoop.dev.

How the pieces fit together

1. Define a purpose‑built service account for each pipeline stage. Use your identity provider to issue short‑lived OIDC tokens that carry only the permissions needed for that stage. This is the setup that determines who the request is.

2. Deploy hoop.dev inside the network where the target resource resides. The gateway holds the static credential for the downstream system, so the pipeline never sees it. This creates the data path where enforcement can happen.

3. Configure policies in hoop.dev that map token attributes to allowed commands, required approvals, and masking rules. When a pipeline step initiates a connection – for example, a PostgreSQL migration – hoop.dev inspects the traffic, applies the policy, and records the session.

4. Review audit records in the hoop.dev console or export them to your SIEM. Because hoop.dev records every session, you have concrete evidence for each pipeline run, satisfying internal reviews and external auditors.

By separating identity definition from enforcement, you achieve true least privilege for non‑human identities. The pipeline runs with just enough rights, any overreach is stopped at the gateway, and you retain a complete, searchable audit trail.

Getting started

To try this approach, follow the getting started guide that walks you through deploying the gateway, registering a CI/CD connection, and defining a simple least‑privilege policy. The learn section contains deeper examples of masking, approval workflows, and session replay.

FAQ

Do I still need to rotate service‑account credentials?

Yes. hoop.dev stores the credential and presents it to the target, but rotating the underlying secret reduces the impact of a potential breach. Because the credential never leaves the gateway, rotation can be done without changing pipeline code.

Can I use hoop.dev with existing CI/CD tools?

Absolutely. hoop.dev works with any client that speaks the native protocol – psql, kubectl, docker, ssh, etc. You point the tool at the gateway endpoint instead of the raw target, and hoop.dev handles the rest.

What audit data does hoop.dev retain?

hoop.dev records each command, the identity that issued it, timestamps, and any masked response fields. Those records can be exported for compliance reporting or fed into a SIEM for continuous monitoring.

Explore the source code on GitHub to see how the gateway is built and contribute your own policies.