
You've been giving GitHub a key to your Azure. Here's how to stop.
The old way ships a password with every deploy. Workload Identity Federation replaces that password with a short-lived token, and the problem goes away for good.

For a long time, I thought I was doing CI/CD security right. App registration? Created. Client secret? Generated. GitHub secret? Stored. Pipeline? Green. Clean. Neat. Ticking every box.

What I hadn't noticed: I had handed GitHub a long-lived key to my Azure environment, sitting in a secret store, expiring every 12 months, and one misconfigured permissions screen away from a bad day.

Most Azure deployments work exactly like this. Most teams have never thought twice about it. And honestly? Neither had I, until I asked what felt like a stupid question: why are we giving machines passwords at all?

That question leads somewhere much more interesting than I expected. This post is about what I found, and why the answer will change how you think about service-to-service authentication entirely.

The thing everyone gets comfortable with (that they shouldn't)

Here is how almost e
Continue reading on Dev.to
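The excerpt above ends before the post shows what the federated setup looks like. The following is an added example, not code from the original post: a small bash script that builds the trust the old client secret used to stand in for. On the Azure side it creates a federated credential on an existing app registration (the app ID, the repo name `acme/web` and the credential name are assumed values) whose issuer is GitHub's OIDC provider, whose audience is `api://AzureADTokenExchange`, and whose subject is the exact string GitHub puts in the token's `sub` claim for a given branch, tag, environment or pull request. On the GitHub side it emits a workflow that requests an OIDC token (`permissions: id-token: write`) and logs in with `azure/login@v2` using only identifiers stored as repository variables (`AZURE_CLIENT_ID`, `AZURE_TENANT_ID`, `AZURE_SUBSCRIPTION_ID` are assumed names); no secret is stored anywhere. Set `DRY_RUN=1` to print the `az` command instead of running it.

```shell
#!/usr/bin/env bash
# Added example (not from the post): replace a client secret with GitHub -> Azure
# Workload Identity Federation. Assumes an app registration already exists and
# that the Azure CLI is logged in with rights to edit it. DRY_RUN=1 only prints.
set -eu

GITHUB_ISSUER="https://token.actions.githubusercontent.com"   # GitHub's OIDC issuer
AZURE_AUDIENCE="api://AzureADTokenExchange"                   # audience Entra expects

# Subject Entra compares byte-for-byte with the token's "sub" claim.
# kind: branch | tag | environment | pull_request ; value: branch/tag/env name
wif_subject() {
  local repo="$1" kind="$2" value="${3:-}"
  case "$kind" in
    branch)       printf 'repo:%s:ref:refs/heads/%s' "$repo" "$value" ;;
    tag)          printf 'repo:%s:ref:refs/tags/%s' "$repo" "$value" ;;
    environment)  printf 'repo:%s:environment:%s' "$repo" "$value" ;;
    pull_request) printf 'repo:%s:pull_request' "$repo" ;;
    *) echo "unknown subject kind: $kind" >&2; return 1 ;;
  esac
}

# JSON body for `az ad app federated-credential create --parameters`.
wif_params_json() {
  local name="$1" subject="$2"
  printf '{"name":"%s","issuer":"%s","subject":"%s","audiences":["%s"]}\n' \
    "$name" "$GITHUB_ISSUER" "$subject" "$AZURE_AUDIENCE"
}

# Create the federated credential on the app (app ID or object ID).
wif_create() {
  local app_id="$1" name="$2" subject="$3" params
  params="$(wif_params_json "$name" "$subject")"
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf 'az ad app federated-credential create --id %s --parameters %s\n' \
      "$app_id" "'$params'"
  else
    az ad app federated-credential create --id "$app_id" --parameters "$params"
  fi
}

# Workflow side: the job asks GitHub for an OIDC token and azure/login exchanges
# it for an Azure token. Only identifiers are stored, as repository variables
# (assumed names), never a client secret.
wif_workflow_yaml() {
  cat <<'EOF'
name: deploy
on:
  push:
    branches: [main]
permissions:
  id-token: write   # required to request the GitHub OIDC token
  contents: read
jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: azure/login@v2
        with:
          client-id: ${{ vars.AZURE_CLIENT_ID }}
          tenant-id: ${{ vars.AZURE_TENANT_ID }}
          subscription-id: ${{ vars.AZURE_SUBSCRIPTION_ID }}
      - run: az account show
EOF
}

# Usage: ./wif.sh <app-id> <owner/repo> <branch>
main() {
  local app_id="$1" repo="$2" branch="$3"
  wif_create "$app_id" "github-${branch}" "$(wif_subject "$repo" branch "$branch")"
  wif_workflow_yaml > .github-deploy.yml
  echo "wrote .github-deploy.yml; commit it as .github/workflows/deploy.yml"
}

if [ "$#" -eq 3 ]; then
  main "$@"
fi
```

The subject match is exact, which is the caveat that bites in practice: a credential scoped to `refs/heads/main` will not authorize a run triggered by a pull request or a tag, and a job that targets a GitHub environment presents `repo:OWNER/REPO:environment:NAME` rather than the branch form. Create one federated credential per trigger you actually deploy from, and nothing else; the narrow subject is what makes the federated setup tighter than a secret that worked from anywhere.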