As developers and DevOps engineers, we’ve all been there. You have an external service—maybe an Azure Dynamics 365 (D365) business application or a GitHub Actions CI/CD pipeline—that needs to upload a file to Amazon S3 or trigger an AWS Lambda function.

The easiest path? Create an AWS IAM User, generate a pair of static AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY credentials, paste them into your external service's secrets store, and call it a day.

Stop doing this. 🛑

According to the AWS Well-Architected Framework, long-lived access keys are one of the highest security risks to a cloud environment. If those keys are leaked, hardcoded by accident, or left unrotated, your entire AWS perimeter is compromised.

The solution? Workload Identity Federation via OpenID Connect (OIDC).
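To make the difference concrete, here is an added example (not code from the original post) showing what the OIDC side of this looks like for the GitHub Actions case. With federation there is no static key at all: GitHub mints a short-lived OIDC token per job, and the job exchanges it for temporary credentials with `sts:AssumeRoleWithWebIdentity` against a role whose trust policy names GitHub's issuer, `token.actions.githubusercontent.com`. The security of that setup lives entirely in the trust policy's `Condition` block, so the example builds a weak trust policy (no conditions, so any GitHub repository can assume the role) beside a hardened one pinned to the `aud` and `sub` claims, and includes a small audit function that flags trust policies missing those pins. The account id `123456789012` and the repository `example-org/example-repo` are placeholders constructed for the example.

```python
import json

# GitHub's OIDC issuer, registered in IAM as an OIDC identity provider.
GITHUB_OIDC_ISSUER = "token.actions.githubusercontent.com"
# Audience that aws-actions/configure-aws-credentials requests by default.
STS_AUDIENCE = "sts.amazonaws.com"

# Placeholder values, constructed for this example only.
ACCOUNT_ID = "123456789012"
REPO = "example-org/example-repo"
PROVIDER_ARN = f"arn:aws:iam::{ACCOUNT_ID}:oidc-provider/{GITHUB_OIDC_ISSUER}"


def weak_trust_policy() -> dict:
    """Trust policy with no Condition: any GitHub repository can assume the role."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": PROVIDER_ARN},
            "Action": "sts:AssumeRoleWithWebIdentity",
        }],
    }


def hardened_trust_policy(repo: str = REPO, ref: str = "refs/heads/main") -> dict:
    """Trust policy pinned to one repository and one branch via the aud and sub claims."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": PROVIDER_ARN},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "StringEquals": {
                    f"{GITHUB_OIDC_ISSUER}:aud": STS_AUDIENCE,
                    f"{GITHUB_OIDC_ISSUER}:sub": f"repo:{repo}:ref:{ref}",
                }
            },
        }],
    }


def _as_list(value):
    """IAM policy fields may be a scalar or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def audit_trust_policy(policy: dict) -> list:
    """Return findings for every GitHub web-identity statement not pinned to aud and sub."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRoleWithWebIdentity" not in _as_list(stmt.get("Action", [])):
            continue
        principal = stmt.get("Principal", {})
        federated = _as_list(principal.get("Federated", [])) if isinstance(principal, dict) else []
        if not any(GITHUB_OIDC_ISSUER in p for p in federated):
            continue
        cond = stmt.get("Condition", {})
        # Merge StringEquals and StringLike so a pattern-based pin is also recognised.
        merged = {}
        for op in ("StringEquals", "StringLike"):
            merged.update(cond.get(op, {}))
        aud = merged.get(f"{GITHUB_OIDC_ISSUER}:aud")
        sub = merged.get(f"{GITHUB_OIDC_ISSUER}:sub")
        if aud is None:
            findings.append(f"statement {idx}: no aud condition (token for any audience accepted)")
        elif STS_AUDIENCE not in _as_list(aud):
            findings.append(f"statement {idx}: aud is not {STS_AUDIENCE}")
        if sub is None:
            findings.append(f"statement {idx}: no sub condition (any repository can assume the role)")
        else:
            for pattern in _as_list(sub):
                # A wildcard at the repository level defeats the whole point of the pin.
                if pattern == "*" or pattern.startswith("repo:*"):
                    findings.append(f"statement {idx}: sub pattern '{pattern}' allows every repository")
    return findings


if __name__ == "__main__":
    for name, policy in (("weak", weak_trust_policy()), ("hardened", hardened_trust_policy())):
        print(f"--- {name} trust policy ---")
        print(json.dumps(policy, indent=2))
        print("findings:", audit_trust_policy(policy) or "none")
```

The `sub` claim is where the real scoping happens: `repo:OWNER/REPO:ref:refs/heads/main` restricts the role to workflows running on one branch of one repository, and `repo:OWNER/REPO:environment:NAME` does the same for a GitHub environment. Leaving `sub` out, or matching it with `repo:*`, turns the role into something any GitHub user on the internet can assume, which is no better than the leaked static key the post warns about.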