iToverDose / Software · 28 JUNE 2026 · 00:05

How to Eliminate Static AWS Keys for Safer Cloud Deployments

Learn how a zero-secret architecture using OIDC and temporary credentials can prevent supply-chain breaches that start with leaked AWS keys in CI pipelines or code repos.


Securing cloud environments without relying on static secrets is no longer optional—it’s a baseline for trust. In today’s software landscape, breaches like SolarWinds and the Toyota data leak often trace back to long-lived AWS credentials that were committed to repositories or forgotten in CI pipelines. A new approach built for the H0 hackathon flips this model by making temporary, identity-based access the default.

The project, FarmOps Desk, runs on Vercel with Aurora PostgreSQL and Amazon Bedrock AI. Its core innovation? No static AWS keys anywhere in the codebase, deployment, or CI pipeline. Instead, every function and service authenticates using short-lived, cryptographically verified credentials that vanish after 15 minutes. This design turns stolen tokens into dead ends rather than keys to the kingdom.

From Static Keys to Ephemeral Tokens with OIDC

Traditional cloud setups often begin with copying an AWS_ACCESS_KEY_ID into environment variables. While simple, this method introduces persistent risk: once leaked, a credential can be used indefinitely unless manually rotated. The FarmOps Desk project replaces this with OpenID Connect (OIDC), a modern identity protocol that ties access to verified runtime identity.

Here’s how it works:

  • When a Vercel function starts, the platform issues a signed OIDC identity token.
  • The function presents this token to AWS, which validates it against a trusted identity provider.
  • AWS then returns a temporary session credential that lasts just 15 minutes.

Even if an attacker gains access to the Vercel environment, they only obtain a short-lived token—not a master key. And because the token expires quickly, any compromise is self-limiting. This approach turns AWS credentials into disposable “keycards” rather than permanent access passes.

Limiting Blast Radius with Role Isolation

Another common pitfall is over-permissioning: a single IAM role used for everything from database access to AI model invocation. In a breach, such a role becomes a universal pass. FarmOps Desk solves this by splitting permissions into two tightly scoped roles:

  • Database Role (`AWS_ROLE_ARN`): Only allows connections to Aurora PostgreSQL. A permission boundary prevents it from ever accessing Bedrock or S3.
  • AI Role (`BEDROCK_ROLE_ARN`): Only permits invoking Amazon Bedrock Nova models. It has no access to the database or file storage.

This separation ensures that a bug in the AI code cannot reach the database, and vice versa. If the AI service is compromised, its impact is confined to model inference—no lateral movement into sensitive data. It’s a zero-trust principle applied to IAM design.

Minimal Code, Maximum Security

Modern AWS SDKs and Vercel integrations make keyless authentication practical without sprawling boilerplate. For database connections, the project uses the @aws-sdk/rds-signer package to generate a fresh 15-minute IAM auth token for each new connection, signed with the database role's temporary credentials:

// lib/db.ts
import { Signer } from '@aws-sdk/rds-signer';
import { awsCredentialsProvider } from '@vercel/functions/oidc';
import { Pool } from 'pg';

// Signs short-lived (15-minute) IAM auth tokens for the Aurora endpoint.
// The signer's AWS credentials come from the function's OIDC token exchanged
// for the scoped database role, so no password or static key is involved.
const signer = new Signer({
  region: 'us-east-1',
  hostname: process.env.PGHOST!,
  port: 5432,
  username: process.env.PGUSER!,
  credentials: awsCredentialsProvider({
    roleArn: process.env.AWS_ROLE_ARN!,
  }),
});

const pool = new Pool({
  host: process.env.PGHOST,
  user: process.env.PGUSER,
  password: () => signer.getAuthToken(), // pg calls this for every new connection and awaits the token
  ssl: true, // IAM database authentication requires TLS
});

export default pool;

For AI inference, Vercel’s OIDC helper automatically exchanges the function’s identity token for temporary AWS credentials, eliminating the need to store long-term secrets:

// lib/ai/bedrock.ts
import { BedrockRuntimeClient } from '@aws-sdk/client-bedrock-runtime';
import { awsCredentialsProvider } from '@vercel/functions/oidc';

export function getBedrockRuntime() {
  return new BedrockRuntimeClient({
    region: 'us-east-1',
    credentials: awsCredentialsProvider({
      roleArn: process.env.BEDROCK_ROLE_ARN!,
    }),
  });
}

No passwords. No static keys. Only ephemeral, role-bound access.

Streaming Voice AI Without Breaking Serverless

FarmOps Desk includes a voice assistant for hands-free interactions—critical for farmers with dirty or occupied hands. Amazon Bedrock Nova Sonic enables real-time bidirectional audio streaming, but serverless platforms like Vercel aren’t optimized for long-lived sessions. By default, HTTP/2 connections time out after a single voice turn.

To solve this, a dedicated Sonic Bridge service runs on a long-lived Amazon EC2 instance. It uses a custom NodeHttp2Handler to extend session timeouts to five minutes, enabling natural conversations while walking through a poultry house or field. The bridge keeps the voice flow smooth without exposing AWS keys or relying on serverless constraints.

Keyless CI/CD for EC2 Deployments

Even deploying to EC2 can introduce static secrets. Traditional GitHub Actions pipelines often store SSH keys or AWS_ACCESS_KEY_ID in repository secrets—a prime target for attackers. FarmOps Desk avoids this entirely by using GitHub’s built-in OIDC provider.

Here’s the process:

  • GitHub Actions authenticates to AWS using its OIDC trust policy.
  • AWS grants a short-lived session tied to a strictly scoped IAM role.
  • GitHub uses AWS Systems Manager (SSM) to securely transfer the deployment bundle and run the rollout script on the EC2 instance.

No SSH keys in GitHub. No static AWS credentials in CI. If the repository is compromised, there’s no permanent key to steal: only a conditional trust relationship that activates solely on pushes to the main branch.
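To make the trust decision behind both OIDC flows on this page concrete (the Vercel function token exchange described earlier and the GitHub Actions deploy flow just described), here is an added example that is not part of the FarmOps Desk code: it decodes a constructed, unsigned token and applies the issuer, audience, expiry and subject checks an IAM role trust policy expresses, using a hypothetical org/repo name and a fixed clock. Signature verification against the provider's JWKS, which AWS performs before any claim check, is assumed to have happened and is left out here.

```typescript
// Trust-policy model: the subset of claims AWS checks in AssumeRoleWithWebIdentity.
interface TrustCondition {
  issuer: string;            // OIDC provider URL registered as an IAM identity provider
  audience: string;          // expected "aud" claim (StringEquals)
  subjectPattern: string;    // allowed "sub" claim (StringLike, '*' is the wildcard)
  maxSessionSeconds: number; // the role's MaxSessionDuration
}
interface OidcClaims { iss: string; aud: string; sub: string; iat: number; exp: number }

// Decodes claims only. AWS first verifies the RS256 signature against the provider's
// published JWKS; that step is omitted here, so this alone must not gate real access.
export function decodeClaims(jwt: string): OidcClaims {
  const parts = jwt.split('.');
  if (parts.length !== 3 || !parts[1]) throw new Error('malformed JWT');
  return JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
}

// IAM StringLike semantics: '*' matches any run of characters, everything else is literal.
export function stringLike(pattern: string, value: string): boolean {
  const re = pattern.replace(/[.+?^${}()|[\]\\]/g, '\\$&').replace(/\*/g, '.*');
  return new RegExp(`^${re}$`).test(value);
}

export function evaluateTrust(jwt: string, policy: TrustCondition, now: number,
  requestedSeconds = 900): { allowed: boolean; reason: string; expiresAt?: number } {
  const c = decodeClaims(jwt);
  if (c.iss !== policy.issuer) return { allowed: false, reason: 'issuer not trusted' };
  if (c.exp <= now) return { allowed: false, reason: 'token expired' };
  if (c.aud !== policy.audience) return { allowed: false, reason: 'audience mismatch' };
  if (!stringLike(policy.subjectPattern, c.sub)) return { allowed: false, reason: 'subject not allowed' };
  // STS caps the session at the role maximum; the page's design requests 15 minutes.
  return { allowed: true, reason: 'ok', expiresAt: now + Math.min(requestedSeconds, policy.maxSessionSeconds) };
}

// Constructed, unsigned sample token: a placeholder signature, not a real provider token.
export function sampleToken(claims: OidcClaims): string {
  const b64 = (o: object) => Buffer.from(JSON.stringify(o)).toString('base64url');
  return `${b64({ alg: 'RS256', typ: 'JWT' })}.${b64(claims)}.signature-placeholder`;
}

// Hypothetical trust policy for the EC2 deploy role: one repo, main-branch pushes only.
export const DEPLOY_ROLE_TRUST: TrustCondition = {
  issuer: 'https://token.actions.githubusercontent.com',
  audience: 'sts.amazonaws.com',
  subjectPattern: 'repo:example-org/farmops-desk:ref:refs/heads/main',
  maxSessionSeconds: 3600,
};
export const NOW = 1_700_000_000; // fixed clock so the sample is reproducible
export const githubClaims = (sub: string, iss = DEPLOY_ROLE_TRUST.issuer): OidcClaims =>
  ({ iss, aud: 'sts.amazonaws.com', sub, iat: NOW, exp: NOW + 300 });
```

The same evaluator applies to the Vercel function tokens: there the issuer is the Vercel OIDC endpoint and the subject names the team, project and environment, so the database and AI roles can each be restricted to one project and environment.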

Scaling Safely with RDS Proxy

While the hackathon workload is modest, production serverless systems can overwhelm databases with thousands of concurrent connections. To prevent Aurora PostgreSQL from crashing, the architecture introduces AWS RDS Proxy as a connection multiplexer.

RDS Proxy sits between Vercel functions and Aurora, pooling and reusing connections. It translates hundreds of short-lived function calls into a manageable number of persistent database connections. This pattern is essential for high-traffic serverless applications and is now included in the project’s deployment guide.

Why Zero Static Secrets Are the Future

Keyless authentication isn’t just a security checkbox—it’s a production-grade foundation. Eliminating static credentials removes entire classes of supply-chain attacks while simplifying compliance and auditing. Projects like FarmOps Desk prove that zero-trust identity can be implemented without sacrificing developer experience or deployment simplicity.

For engineering teams building cloud-native applications, the message is clear: if static secrets aren’t in your system by design, they won’t be in your incident report.

The code and architecture are open source, ready to adapt for your next project.

AI summary

If you are still using static access keys in your AWS projects, you are paving the way for attackers. Discover how FarmOps Desk achieves fully keyless deployment with OIDC and temporary roles.
