
TELEPORT MACHINE & WORKLOAD IDENTITY

Secure CI/CD Pipelines

Solution Brief


CI/CD Pipelines Are Automated Superusers


Platform and app teams use CI/CD pipelines to automate delivery across environments—triggering builds, rollouts, and configuration changes with minimal human touch.

But access in these pipelines is still injected upfront—shared across environments, reused by downstream jobs, and disconnected from the job that triggers them.

Teams pass tokens between stages, reuse runner-level roles, and wire in secrets that outlive the tasks they were meant to support.

Jobs trigger builds, run tests, and deploy to prod—but the access they carry is rarely authorized based on who triggered them, what they’re performing, or whether they were allowed to act in the first place.

CI/CD pipelines are one of the most widespread forms of non-human identity, effectively automated superusers—and yet, they remain one of the least governed surfaces in modern infrastructure.

Even with Vaults and secret rotation, access still gets wired in early—before anyone knows what the job will actually do. Access is granted before it's needed. Credentials persist long after the job ends. Nothing ties the action to the system that performed it.

Teams are stuck: ship quickly, or let every job run without runtime identity or rules that authorize what the job can do:

• App teams inherit broad privileges with no job-level authorization in order to ship fast

• Platform teams try to isolate environments, but end up managing fragile glue code

• Security teams want proof of access—but logs capture what happened, not who initiated it, or whether they were authorized to act

When pipelines run without identity, a single token can unlock everything it touches.

CI pipelines are meticulously engineered: runners segmented, modules hardened, secrets vaulted. But when the job runs, the access model still falls short. Credentials are often reused, accepted without verifying what system requested them or why, and issued with broad standing privileges.

Platform teams try to minimize exposure by injecting credentials per job, but end up managing fragile secrets logic across every CI system. Security teams audit logs that show what happened—but identity isn’t present to pinpoint who was authorized to act. App teams inherit global IAM roles just to get something out the door, and then get blocked when they try to isolate environments cleanly.

Teams are stuck with pipelines that operate with no isolation, no expiration, and no way to verify if a job should run at all.

Real-World Incident

A CI token leaked from a compromised runner. It granted access to hundreds of internal environments because it wasn’t tied to a repo, a job, or a time window. No exploit. No lateral movement. Just a credential that was accepted everywhere.

The Solution: Infrastructure Identity

Infrastructure Identity gives each CI job its own short-lived identity, instantiated by the runtime context—like the pipeline, environment, or triggering commit—that initiated the job.

Instead of injecting tokens or reusing static roles, pipelines receive cryptographic identity at the moment of execution—issued just in time, limited in duration, and governed by policy from start to finish.

Jobs run with their own identity—authorized only for what they are, when they run, and what they’re allowed to do.

Why It's Different

Most CI/CD security tries to manage secrets more safely—rotating tokens, scanning for leaks, or limiting environment variables.

Teleport eliminates secrets from the execution path entirely by introducing identity where access actually happens: at runtime.

Pipelines don’t receive static credentials—they’re issued cryptographic identity, instantiated for the job and authorized at execution.

How It Works

When a CI pipeline starts, the runner requests a cryptographic identity from Teleport—instantiated for that job and with attestation to the repo, commit, or tag that triggered it.

That identity is:

  • Requested by the runner at execution time, not injected in advance or carried from an earlier stage

  • Bound to the job, commit, and triggering event, not inherited from global IAM roles or shared between pipeline stages

  • Enforced per step, so each stage runs with its own identity—not one credential passed end-to-end

  • Time-limited, automatically expiring when the job completes

  • Logged with full attribution, so teams can trace what triggered the job, what it accessed, and whether it was authorized

Static credentials are removed from runners entirely.

Each job runs with identity—issued at execution, enforced by policy, and traceable to the system that acted.
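As an added example (not Teleport's own code or API), the authorization model the list above describes, applied to a constructed job identity: each step is issued its own short-lived identity from its runtime context (repo, commit, job, step), and the authorizer denies anything expired, anything presented by a step other than the one it was issued for, or anything outside the repo's policy, while recording an attributed audit entry. The cryptographic attestation and signing of that identity are assumed to happen upstream and are not modelled; the policy table and all names are hypothetical.

```python
import time
from dataclasses import dataclass, field

# Constructed policy: which (repo, job, step) may perform which (action, target).
# Hypothetical shape; Teleport's real policy language is not modelled here.
POLICY = {
    ("acme/payments", "deploy", "rollout-prod"): {("deploy", "k8s/prod")},
    ("acme/payments", "deploy", "run-tests"): {("read", "artifacts/test")},
}

@dataclass
class JobIdentity:
    repo: str
    commit: str
    job: str
    step: str
    issued_at: float
    expires_at: float

@dataclass
class Decision:
    allowed: bool
    reason: str
    audit: dict = field(default_factory=dict)  # attribution record for this request

def issue_identity(repo, commit, job, step, ttl_seconds=300, now=None):
    """Mint a short-lived identity for one step from its runtime context."""
    now = time.time() if now is None else now
    return JobIdentity(repo, commit, job, step, now, now + ttl_seconds)

def authorize(identity, step, action, target, now=None):
    """Authorize one action for the step presenting this identity.

    Denies when the identity has expired, when a different step presents it
    (the shared-token failure mode), or when policy grants no such action
    for the (repo, job, step) it is bound to. Every decision carries an
    audit record tying the action to repo, commit, job and step.
    """
    now = time.time() if now is None else now
    audit = {"repo": identity.repo, "commit": identity.commit, "job": identity.job,
             "step": step, "action": action, "target": target, "at": now}
    if now >= identity.expires_at:
        return Decision(False, "identity expired", audit)
    if step != identity.step:
        return Decision(False, "identity bound to step %r, presented by %r"
                        % (identity.step, step), audit)
    grants = POLICY.get((identity.repo, identity.job, identity.step), set())
    if (action, target) not in grants:
        return Decision(False, "no policy grant for this action", audit)
    return Decision(True, "authorized", audit)
```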

CI/CD becomes not just fast, but governable.


This change doesn’t just make CI/CD safer—it gives each team tighter control and less overhead.

• Platform teams stop maintaining secret injection logic across runners and pipelines. Access is managed by policy, not config files.

• App teams can ship quickly without inheriting global IAM roles or being blocked on credentials.

• Security teams gain session-level attribution for every deployment, enforced at the moment of execution.

Automation is the New Attack Surface

Securing Non-Human Identities (NHIs) at the Infrastructure Layer

Modern infrastructure moves fast. Automation now powers nearly every critical system — from provisioning environments with code, to deploying software through pipelines, to scaling workloads across distributed services and AI agents.

But beneath that velocity lies an expanding layer of risk that’s often invisible: non-human identities (NHI). Download this paper to learn more.



Additional Resources

Press Release

Introducing Teleport Machine & Workload Identity

Teleport, the Infrastructure Identity Company, today announced the introduction of Teleport Machine & Workload Identity, a breakthrough solution that provides seamless authentication, authorization, and access control for non-human identities across modern infrastructure environments.


Teleport Resources

Teleport Workload Identity with SPIFFE

Watch this deep dive into Teleport Workload Identity with SPIFFE, where we explore how to secure inter-service communication with cryptographic workload identities. Learn how to eliminate static credentials, enforce least-privilege access, and achieve zero-trust security for modern infrastructure.


Teleport Documentation

Teleport Machine & Workload Identity Documentation

Learn how to secure your workloads with cryptographic identity. Explore the Teleport Machine and Workload Identity developer documentation.
