NHI Forum
Read full article here: https://goteleport.com/blog/your-infrastructure-has-a-non-human-trust-problem/?utm_source=nhimg
Modern infrastructure is increasingly run by automated systems, not humans. Bots push code. Runners deploy to production. Agents orchestrate cloud resources. AI models trigger actions directly through prompt-driven automation.
Welcome to the era of non-human identities (NHIs)—the invisible workforce operating behind modern digital systems.
The problem? While human users authenticate with SSO and MFA, most NHIs still access critical resources with static credentials, excessive permissions, and minimal oversight. This creates security risks and threatens infrastructure resiliency.
Teleport Machine & Workload Identity was designed to bring order, trust, and traceability to non-human access, replacing static secrets with short-lived, cryptographic identities to enable secure, scalable automation.
Below, we explore four common use cases where Teleport helps organizations regain visibility and control over NHIs.
1. Securing CI/CD Pipelines
CI/CD pipelines are fast and repeatable, but often operate with more trust than is warranted. Automation tools like GitHub Actions, Jenkins, or GitLab runners push containers, run migrations, and deploy infrastructure—but many still rely on hardcoded secrets: long-lived tokens, shared SSH keys, or environment variables that are rarely rotated.
Teleport solution:
- Issues short-lived certificates to CI/CD runners and bots.
- Keeps credentials time-bound, job-specific, and tightly scoped.
- Eliminates static tokens and SSH keys.
- Logs all machine-to-machine activity for full auditability.
Example Workflow: Deploying a container to Kubernetes from GitHub Actions:
- Enroll the runner as a trusted workload with a just-in-time identity token via GitHub App integration.
- Runner fetches a short-lived X.509 + SSH identity using Teleport’s tbot.
- tbot writes ephemeral credentials (e.g., kubeconfig, AWS creds) valid for 20 minutes.
- Workflow uses the ephemeral credentials to deploy the container.
- No static secrets are stored, passed, or rotated manually—ensuring ephemeral, auditable, identity-based automation.
2. Infrastructure-as-Code (IaC) Deployment
IaC tools like Terraform, Pulumi, or CloudFormation manage critical infrastructure, but often rely on cloud service accounts with broad permissions or injected environment secrets.
Teleport solution:
- Issues ephemeral, per-job certificates tied to cryptographic identity.
- Enforces least privilege per repository, deployment, and environment.
Example: Terraform deploying to AWS from GitHub Actions:
- Configure GitHub Actions as a trusted workload via Teleport’s GitHub OIDC integration.
- On job start, runner uses tbot to fetch a short-lived identity with an AWS role assumption policy.
- AWS credentials are valid for 15–20 minutes, scoped to a single role.
- AWS access is enforced via Teleport roles, not static IAM keys.
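The join token, bot, role, and tbot configuration behind the two GitHub Actions workflows above, written here as an added example rather than taken from the article (the Terraform-to-AWS run in section 2 uses the same token/bot/role pattern with a different tbot output). The cluster address, repository, role and cluster names are assumed; the first three YAML documents are created with tctl by an admin, the last is the tbot.yaml used by the runner.

```yaml
kind: token
version: v2
metadata:
  name: github-deploy-token
spec:
  roles: [Bot]
  join_method: github            # trusts GitHub's OIDC ID token; no stored secret
  bot_name: github-deploy
  github:
    allow:                       # only main-branch runs of this repo may join
      - repository: my-org/my-app
        ref: refs/heads/main
---
kind: bot
version: v1
metadata:
  name: github-deploy
spec:
  roles: [deploy-web]            # the bot holds exactly this role, nothing more
---
kind: role
version: v7
metadata:
  name: deploy-web
spec:
  options:
    max_session_ttl: 20m         # bounds certificate lifetime (assumed to apply to bot certs)
  allow:
    kubernetes_labels: {env: prod}
    kubernetes_groups: [deployers]
    kubernetes_resources:        # roll a deployment in one namespace, nothing else
      - kind: deployment
        namespace: web
        name: "*"
        verbs: [get, update, patch]
---
version: v2                      # tbot.yaml: a separate file on the GitHub runner
proxy_server: teleport.example.com:443
onboarding:
  join_method: github
  token: github-deploy-token
oneshot: true                    # fetch credentials once, then exit
storage:
  type: memory                   # bot identity never touches the runner disk
outputs:
  - type: kubernetes
    kubernetes_cluster: prod-cluster
    destination:
      type: directory
      path: /opt/machine-id      # kubeconfig.yaml for kubectl is written here
```

A push from any other repository or branch fails at the join step, and a credential taken from the runner expires within the role's TTL.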
3. Federated Identity Across Multi-Cloud
NHIs often need access across AWS, GCP, Azure, and edge environments, but each provider has its own identity system. Federation is complex and error-prone.
Teleport solution:
- Acts as a unified identity authority for machines and workloads.
- Issues standard cryptographic identities (X.509 certificates with SPIFFE ID) across environments.
- Ensures uniform authentication, simplified governance, and reduced misconfiguration risk.
Example: A GCP workload accessing an AWS resource:
- GKE workload runs a sidecar with Teleport’s Machine & Workload Identity agent.
- Agent authenticates and receives an X.509 certificate with SPIFFE ID.
- Workload calls AWS API via mTLS and assumes roles using STS.
- All access logs, policies, and expirations are managed centrally.
Certificates are multi-purpose: the same credential can be used across services, including databases or internal APIs.
4. Securing Model Context Protocol (MCP)
The Model Context Protocol (MCP) allows LLMs to securely access infrastructure context and tooling. Without strong identity controls, MCP-enabled systems risk exposed secrets, unauthorized actions, and prompt injection attacks.
Teleport solution:
- Issues short-lived cryptographic identities to AI agents and model contexts.
- Applies zero trust principles for every query or action.
- Ensures full traceability from LLM prompt to action.
Example: Internal LLM agent querying logs and restarting Kubernetes pods:
| Without Teleport | With Teleport |
| --- | --- |
| Shared API key with admin permissions | Short-lived identity scoped to specific actions |
| No visibility into which action was triggered by which prompt | Actions authorized via Teleport RBAC policies tied to agent role |
| Leaked key could restart services | All actions executed over mTLS, fully logged and auditable |
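An added example (not from the article) of the "With Teleport" column: the agent's pod joins with its projected Kubernetes service-account token instead of a shared API key, and its role allows only pod restarts in one namespace while explicitly denying secrets. The bot, namespace, and role names are assumed, as is that max_session_ttl bounds the lifetime of bot certificates.

```yaml
kind: token
version: v2
metadata:
  name: llm-ops-agent-token
spec:
  roles: [Bot]
  join_method: kubernetes        # pod proves identity with its service-account token
  bot_name: llm-ops-agent
  kubernetes:
    type: in_cluster
    allow:                       # namespace:name; only this pod identity may join
      - service_account: "ai-agents:llm-ops-agent"
---
kind: bot
version: v1
metadata:
  name: llm-ops-agent
spec:
  roles: [restart-web-pods]
---
kind: role
version: v7
metadata:
  name: restart-web-pods
spec:
  options:
    max_session_ttl: 20m         # a leaked credential stops working after this window
  allow:
    kubernetes_labels: {env: prod}
    kubernetes_groups: [ai-agents]
    kubernetes_resources:
      - kind: pod
        namespace: web           # restart (delete) pods here only ...
        name: "*"
        verbs: [get, list, delete]
  deny:
    kubernetes_resources:
      - kind: secret             # ... and never read a Secret anywhere
        namespace: "*"
        name: "*"
        verbs: ["*"]
```

Every action then appears in the Teleport audit log under the bot's identity, which is what ties a restart back to the prompt that triggered it.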
Bring Trust to NHIs Everywhere
Teleport Machine & Workload Identity addresses the challenges of non-human identities in modern infrastructure.
By replacing static credentials with ephemeral, cryptographic identities:
- CI/CD automation becomes secure and auditable
- Infrastructure provisioning follows least privilege principles
- Multi-cloud federation is simplified
- AI agents and MCP workflows are trusted and controlled
The result? Engineers move faster, infrastructure resiliency improves, and non-human identities are efficiently managed and secured.