Credential Handling
DevOps Genie uses different credential types for different workflows. Keep each credential scoped to the job it performs.
Cloud account credentials
Cloud account credentials are used for platform-side scanning and compliance. Use read-oriented access wherever possible.
| Provider | Credential shape |
|---|---|
| AWS | IAM role ARN with organization-specific External ID. |
| GCP | Service account JSON key with read-oriented roles. |
| Azure | App registration with Reader access to the subscription. |
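The AWS row above hinges on the External ID: without the `sts:ExternalId` condition, any principal in the scanning account could assume your role without proving it is acting on behalf of your organization. The following Python is an added example, not DevOps Genie's own code or tooling; the account ID and External ID values are constructed placeholders, and `check_trust_policy` is a hypothetical helper that flags the weak trust-policy shape beside the hardened one.

```python
import json
from typing import List, Optional

# Constructed placeholder values (assumptions, not from the page). Substitute the
# scanning account ID and the organization-specific External ID you were issued.
SCANNER_ACCOUNT_ID = "111111111111"
EXTERNAL_ID = "org-external-id-placeholder"


def trust_policy(scanner_account_id: str, external_id: Optional[str]) -> dict:
    """Build the trust policy for the IAM role the scanner assumes.

    With external_id=None this is the weak shape: the whole scanner account can
    assume the role. With an External ID the sts:ExternalId condition binds each
    AssumeRole call to your organization.
    """
    statement = {
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{scanner_account_id}:root"},
        "Action": "sts:AssumeRole",
    }
    if external_id is not None:
        statement["Condition"] = {"StringEquals": {"sts:ExternalId": external_id}}
    return {"Version": "2012-10-17", "Statement": [statement]}


def check_trust_policy(policy: dict) -> List[str]:
    """Return findings for Allow statements that grant sts:AssumeRole."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        principal = stmt.get("Principal", {})
        if principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*"):
            findings.append("AssumeRole is allowed for any AWS principal")
        condition = stmt.get("Condition", {})
        if not condition.get("StringEquals", {}).get("sts:ExternalId"):
            findings.append("cross-account AssumeRole without sts:ExternalId condition")
    return findings


if __name__ == "__main__":
    weak = trust_policy(SCANNER_ACCOUNT_ID, None)
    hardened = trust_policy(SCANNER_ACCOUNT_ID, EXTERNAL_ID)
    print(json.dumps(hardened, indent=2))
    print("weak:", check_trust_policy(weak))        # one finding
    print("hardened:", check_trust_policy(hardened))  # no findings
```

The check runs against a policy document you already hold (for example the output of `aws iam get-role`), so it can sit in a pre-apply review step; it does not call AWS itself.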
Agent credentials
The DevOps Genie Agent uses an API key to authenticate to your organization. Store it in a Kubernetes Secret or external secret manager.
Image pull credentials
The agent chart needs image pull credentials for DevOps Genie images. Store them in a kubernetes.io/dockerconfigjson Secret or equivalent external secret flow.
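The two Secrets described above have different shapes: the API key is an ordinary Opaque Secret, while image pull credentials must be a `kubernetes.io/dockerconfigjson` Secret whose `.dockerconfigjson` value is base64-encoded JSON, or the kubelet will not use it for `imagePullSecrets`. The Python below is an added example, not part of the DevOps Genie chart; it builds both manifests as dicts and checks a pull secret for the mistakes that most often break image pulls. The namespace, registry hostname and credential values are constructed placeholders.

```python
import base64
import json
from typing import List, Optional, Tuple

# Constructed placeholder values (assumptions, not from the page).
NAMESPACE = "devops-genie"
REGISTRY = "registry.example.invalid"
API_KEY = "genie-api-key-placeholder"


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode()


def api_key_secret(name: str, namespace: str, api_key: str) -> dict:
    """Opaque Secret holding the agent API key under the key 'api-key'."""
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name, "namespace": namespace},
        "type": "Opaque",
        "data": {"api-key": _b64(api_key.encode())},
    }


def image_pull_secret(name: str, namespace: str, registry: str,
                      username: str, password: str) -> dict:
    """dockerconfigjson Secret in the shape `kubectl create secret docker-registry` emits.

    The inner 'auth' field is base64("username:password"); the whole config is
    then base64-encoded again under data/.dockerconfigjson.
    """
    auth = _b64(f"{username}:{password}".encode())
    dockercfg = {"auths": {registry: {"username": username,
                                      "password": password, "auth": auth}}}
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name, "namespace": namespace},
        "type": "kubernetes.io/dockerconfigjson",
        "data": {".dockerconfigjson": _b64(json.dumps(dockercfg).encode())},
    }


def decode_field(secret: dict, key: str) -> bytes:
    """Decode one entry of a Secret's data map."""
    return base64.b64decode(secret["data"][key])


def registry_credentials(secret: dict, registry: str) -> Optional[Tuple[str, str]]:
    """Recover (username, password) for a registry from the 'auth' field, or None."""
    cfg = json.loads(decode_field(secret, ".dockerconfigjson"))
    entry = cfg.get("auths", {}).get(registry)
    if entry is None or "auth" not in entry:
        return None
    user, _, pw = base64.b64decode(entry["auth"]).decode().partition(":")
    return user, pw


def check_pull_secret(secret: dict, registry: str) -> List[str]:
    """Findings for a pull secret: wrong type, missing key, bad encoding, registry absent."""
    findings = []
    if secret.get("type") != "kubernetes.io/dockerconfigjson":
        findings.append("type is not kubernetes.io/dockerconfigjson")
    if ".dockerconfigjson" not in secret.get("data", {}):
        findings.append("data/.dockerconfigjson is missing")
        return findings
    try:
        cfg = json.loads(decode_field(secret, ".dockerconfigjson"))
    except ValueError:  # covers binascii.Error and JSONDecodeError
        findings.append(".dockerconfigjson is not base64-encoded JSON")
        return findings
    if registry not in cfg.get("auths", {}):
        findings.append(f"no auth entry for {registry}")
    return findings


if __name__ == "__main__":
    print(json.dumps(api_key_secret("genie-agent", NAMESPACE, API_KEY), indent=2))
    pull = image_pull_secret("genie-pull", NAMESPACE, REGISTRY, "pull-user", "pull-token")
    print(json.dumps(pull, indent=2))
    print(check_pull_secret(pull, REGISTRY))  # []
```

Because the manifests carry the credential in base64 (encoding, not encryption), write them straight to the cluster or to an external secret manager rather than committing them; the page's advice to keep them in a Secret or external secret flow applies to the generated file as much as to the raw key.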
VCS credentials
VCS credentials are needed for pull-request-based workflows. Store them in your cluster's secret management path and grant only the repository permissions required for the workflows you enable.
Rotation
Rotate credentials when:
- A user with access leaves the organization.
- A token is exposed.
- Your internal policy requires scheduled rotation.
- You move from a test setup to production.