Deploy From CI: Paste AWS Keys Into GitHub Secrets?
Your GitHub Actions pipeline needs to deploy to AWS. A teammate wants to paste a long-lived IAM access key into repo secrets. Defend the better option.
the decision you defend
The deploy job needs AWS permissions. A teammate created an IAM user, generated an access key and secret, and wants to store them as GitHub Actions secrets so the pipeline can deploy. Do you agree, and what do you do instead?
the situation
Your service is deployed to AWS from a GitHub Actions workflow. The deploy job currently fails because it has no AWS credentials. A teammate has created an IAM user named ci-deployer, generated an access key ID and secret access key, and is about to add them as AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY in the repository's Actions secrets.
context
The repository is private. The deploy needs to push a container image to ECR and update an ECS service. The teammate attached a broad policy to the IAM user to be safe and avoid permission errors mid-deploy. There is no key rotation process in place yet. The organization has several other repos that could later reuse the same pattern.
How this challenge works
Take a position on the decision above and defend it. A senior-engineer AI will push back over up to 5 rounds. When you are done, you are scored against a verified rubric so you can see exactly what a complete answer covers - these are learning prompts, not gotchas.