Feature Requests

I would like to be able to checkout over HTTPS rather than be forced to use SSH by default. CCI-I-966

grebols wrote: It would be nice to be able to replace the hardcoded and long lived AWS credentials you’re currently offering for access AWS APIs with the ability to assume a cross-account role with STS? for an example how datadog did it: https://docs.datadoghq.com/integrations/amazon_web_services/#installation CCI-I-709

A key security aspect of OIDC tokens is that an issuer provide them with audience fields specific to the third-party they will be used to autheniticate with. For example: A token issued to authenticate to AWS should have an audience set to sts.amazonaws.com for example. This ensure that tokens issued to authenticate with one party and not abused to authenticate against a different one should the token be leaked accidentally. It would be awesome if the OIDC tokens now injected into builds in the CIRCLE_OIDC_TOKEN environment variable could have specific audiences set instead of the current Org UUID which provide no additional meaningful information to create policy information against (indeed it is already encoded in the subject).

In light of the recent incident, can we get the option to set an account level security contact that would be notified. In our case, this would be sent to PagerDuty for an on call engineer to investigate.

Allow OIDC token to authorize API requests when using AWS API Gateway. https://docs.aws.amazon.com/apigateway/latest/developerguide/http-api-jwt-authorizer.html#http-api-jwt-authorizer.evaluation

We currently have to put in lots of credentials to different builds to let it integrate with various services. With the advent of things like Service Meshes, we'd love for CircleCI to provide every build with a JWT containing all of the relevant info, signed by CircleCI, with that public key published etc. I imagine the info bound inside the JWT would be things like: branch tag Job/Pipeline URLs repo org job This would let us use things like https://istio.io/latest/docs/tasks/security/authorization/authz-jwt/ to say, allow access to certain endpoints by specific CircleCI jobs or repositories, without needing to manually set up credentials on both sides.

When we have a deploy job to production, we need only Managers to approve the workflow. Currently anybody following the project can approve the workflow. Better still can you trigger a email with the approval link? CCI-I-352

At the moment you can create: https://circleci.com/docs/api/#create-ssh-keys and delete: https://circleci.com/docs/api/#delete-ssh-key SSH key's -- however you are unable to GET existing SSH key fingerprints for a project.This request is to implement the ability to GET the additional SSH keys associated with a project, similar to what you can do for deploy and user keys: https://circleci.com/docs/api/#list-checkout-keys CCI-I-1588

It would be great to see an audit log for all changes made to a project (SSH keys, Environment variables, etc) and who made them. Similar to the audit log GitHub offers for an organization. CCI-I-392

ED25519 is a standard on SSH supported now for some years. When wanting to debug through SSH a container, it kinda bothers me to add a RSA key on my Github account just to debug something on Circleci... CCI-I-242