AWS without Access Keys
Source: fly.io Date: 2025-02-12 URL: https://fly.io/blog/oidc-cloud-roles/
Summary
Engineering writeup announcing OIDC-based credentialless AWS authentication for Fly Machines. When AWS_ROLE_ARN is set as an environment variable, Fly’s init process automatically requests an OIDC token from Fly’s identity provider, writes it to disk, and configures the AWS SDK’s credential chain to exchange it for short-lived STS credentials — no static access keys required. IAM trust policies can scope access to specific Fly organizations, apps, or individual machines.
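The scoping described above lives in the IAM role's trust policy: STS only honours the OIDC token if the issuer, audience and subject claims satisfy the policy's conditions. The following is an added example, not code from the Fly writeup or from AWS. It builds such a trust policy for a Fly org, app or machine and evaluates it locally against decoded token claims so the scoping can be checked offline. The issuer host `oidc.fly.io`, the `sub` layout `<org>:<app>:<machine>` and the audience `sts.amazonaws.com` are assumptions about the token format, not taken from the page; inspect a real token's claims before relying on them. `AWS_ROLE_ARN` and `AWS_WEB_IDENTITY_TOKEN_FILE` are the real AWS SDK environment variables that drive the credential chain's web-identity step.

```python
"""Added example (not Fly's or AWS's code): scope an OIDC-federated IAM
role to a Fly org / app / machine and check the scoping offline."""
import base64
import fnmatch
import json
import os

# ASSUMPTION: issuer host and claim layout are placeholders, not from the writeup.
ISSUER_HOST = "oidc.fly.io"
AUDIENCE = "sts.amazonaws.com"


def trust_policy(account_id, org, app=None, machine=None):
    """IAM trust policy allowing only tokens from the given Fly org (and,
    optionally, one app or one machine) to call AssumeRoleWithWebIdentity.
    Omitted levels become `*` in the StringLike match on `sub`."""
    provider_path = f"{ISSUER_HOST}/{org}"
    sub_pattern = ":".join([org, app or "*", machine or "*"])
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": f"arn:aws:iam::{account_id}:oidc-provider/{provider_path}"},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "StringEquals": {f"{provider_path}:aud": AUDIENCE},
                "StringLike": {f"{provider_path}:sub": sub_pattern},
            },
        }],
    }


def _b64url(data):
    return base64.urlsafe_b64encode(json.dumps(data).encode()).rstrip(b"=").decode()


def make_unsigned_token(org, app, machine):
    """Constructed sample token with the assumed claim layout. `alg: none`
    and an empty signature mark it as a test fixture; STS would reject it."""
    header = {"alg": "none", "typ": "JWT"}
    payload = {"iss": f"https://{ISSUER_HOST}/{org}",
               "sub": f"{org}:{app}:{machine}", "aud": AUDIENCE}
    return f"{_b64url(header)}.{_b64url(payload)}."


def token_claims(jwt):
    """Decode the payload WITHOUT verifying the signature. Fine for looking at
    what the SDK will send; never use it for authorization (STS checks the
    signature against the provider's published keys)."""
    payload = jwt.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))


def policy_allows(policy, claims):
    """Local evaluator for the trust policy: issuer must match the federated
    provider, then every StringEquals / StringLike condition must hold.
    Condition keys have the form `<provider-path>:<claim>`."""
    for stmt in policy["Statement"]:
        provider_path = stmt["Principal"]["Federated"].split(":oidc-provider/")[1]
        if claims.get("iss") != f"https://{provider_path}":
            continue  # token from a different issuer: this statement never applies
        satisfied = True
        for operator, conditions in stmt.get("Condition", {}).items():
            for key, wanted in conditions.items():
                have = claims.get(key.split(":", 1)[1])
                if operator == "StringEquals":
                    satisfied &= have == wanted
                elif operator == "StringLike":
                    satisfied &= have is not None and fnmatch.fnmatchcase(have, wanted)
                else:
                    raise ValueError(f"unsupported operator {operator}")
        if satisfied and stmt["Effect"] == "Allow":
            return True
    return False  # fail closed: nothing matched


def preflight(policy, environ=os.environ):
    """What the SDK credential chain needs on the machine: AWS_ROLE_ARN plus a
    readable token file. Returns the claims if the token would pass the policy,
    else None, so a deploy check can fail before any AWS call is made."""
    role_arn, token_file = environ.get("AWS_ROLE_ARN"), environ.get("AWS_WEB_IDENTITY_TOKEN_FILE")
    if not role_arn or not token_file or not os.path.isfile(token_file):
        return None
    with open(token_file) as fh:
        claims = token_claims(fh.read().strip())
    return claims if policy_allows(policy, claims) else None


if __name__ == "__main__":
    policy = trust_policy("123456789012", "acme", app="ingest")  # constructed account id
    for org, app, machine in [("acme", "ingest", "m1"), ("acme", "other", "m1"), ("evil", "ingest", "m1")]:
        claims = token_claims(make_unsigned_token(org, app, machine))
        print(claims["sub"], "->", "allowed" if policy_allows(policy, claims) else "denied")
```

Pinning `machine=` narrows the role to a single Fly Machine, which is the blast-radius property the writeup highlights: a token copied off one machine does not satisfy a trust policy written for another. The evaluator covers only the two IAM operators the policy uses and treats `aud` as a single string; real tokens may carry a list.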
Implications
Infrastructure substrate / security. This is the credential management primitive that agent-heavy workloads need. Agents that call AWS services (S3, Bedrock, SageMaker) currently require static access keys, which are a significant blast-radius risk if exfiltrated from an agent’s environment. OIDC-based short-lived credentials rotate themselves, fail closed, and can be scoped to a specific machine instance. The automatic injection (no SDK configuration needed) means this works in existing agent code without modification. For the radar, this is a template for how cloud providers should handle credentials in agent environments — the alternative (static keys in secrets) is the pattern that gets breached.