CI/CD Lesson 37 – CI/CD in Cloud Environment | Dataplexa

CI/CD Course

I. CI/CD Fundamentals
1. What is CI/CD 2. Software Development Lifecycle 3. Problems with Traditional Deployment 4. Continuous Integration 5. Continuous Delivery 6. Continuous Deployment 7. CI vs CD 8. CI/CD Pipeline Overview 9. Benefits of CI/CD 10. CI/CD in Modern DevOps
II. CI/CD Pipeline Concepts
11. Source Code Management 12. Build Automation 13. Dependency Management 14. Artifact Management 15. Automated Testing 16. Test Types in Pipelines 17. Code Quality & Static Analysis 18. CI/CD Pipeline Stages 19. Environment Promotion 20. Rollback Strategies
III. CI/CD Architecture & Security
21. CI/CD Architecture Design 22. Pipeline as Code 23. Secrets Management 24. Environment Variables & Configs 25. Secure CI/CD Pipelines 26. Access Control & Permissions 27. CI/CD with Containers 28. CI/CD with Docker 29. CI/CD with Kubernetes 30. Monitoring CI/CD Pipelines
IV. Enterprise CI/CD & Real-World
31. CI/CD for Microservices 32. CI/CD for Monolithic Applications 33. Blue-Green Deployments 34. Canary Deployments 35. Feature Flags 36. Infrastructure as Code in CI/CD 37. CI/CD in Cloud Environments 38. CI/CD Best Practices 39. CI/CD Anti-Patterns 40. Mini Project
Section IV · Lesson 37

CI/CD in Cloud Environments

In this lesson

Cloud CI/CD Patterns OIDC Authentication Cloud-Native Services Multi-Cloud & Multi-Region Cost & Compliance

CI/CD in cloud environments is the practice of designing pipelines that integrate natively with cloud provider services — authentication systems, container registries, deployment targets, secrets managers, and artifact stores — to build, test, and deploy applications to AWS, GCP, Azure, or multi-cloud infrastructure. Cloud providers offer services that replace or augment every component of a traditional CI/CD pipeline, from managed container registries to serverless deployment targets to native secrets management. Understanding how to use these services securely — particularly for authentication — is what separates pipelines that are cloud-native from pipelines that happen to run against cloud infrastructure.

OIDC Authentication — The Cloud-Native Credential Model

The single most impactful cloud CI/CD pattern is using OpenID Connect (OIDC) for pipeline-to-cloud authentication, as introduced in Lesson 23. Every major cloud provider supports OIDC federation with GitHub Actions, eliminating the need to store long-lived cloud credentials in GitHub Secrets. The pipeline proves its identity to the cloud provider through a cryptographically signed token issued by GitHub, receives a short-lived session credential, uses it for the duration of the job, and leaves nothing behind that could be leaked or misused.

OIDC Authentication — AWS, GCP, and Azure Compared

Provider
GitHub Action
Trust Policy Scope
AWS
aws-actions/configure-aws-credentials
IAM role trust policy — restrict by repo, branch, and environment
GCP
google-github-actions/auth
Workload Identity Pool — attribute conditions restrict by repo and ref
Azure
azure/login
Federated credentials on App Registration — restrict by repo, branch, or environment

The Visitor Badge Analogy

A permanent employee badge lets someone enter the building every day indefinitely — if it is lost or copied, the risk persists until the badge is deactivated. A visitor badge is issued at the reception desk, scoped to specific areas, and expires at the end of the day — even if it is copied, it is useless tomorrow. OIDC authentication issues visitor badges to pipeline jobs: scoped to exactly what the job needs, valid only for the duration of the job, and automatically expired when it ends. No permanent credentials to rotate, leak, or accidentally commit.

Cloud-Native CI/CD Services

Each major cloud provider offers a suite of CI/CD-adjacent services that pipelines can integrate with natively. Using these services — rather than running equivalent open-source tools on a generic runner — typically provides better performance, tighter IAM integration, and reduced operational overhead. Understanding what each provider offers helps teams make informed decisions about whether to use cloud-native services or portable open-source alternatives.

Cloud-Native CI/CD Services by Category

Category
AWS
GCP
Azure
Container Registry
ECR
Artifact Registry
ACR
Secrets Manager
Secrets Manager / SSM
Secret Manager
Key Vault
Deployment Target
ECS / EKS / Lambda
Cloud Run / GKE
App Service / AKS
Config Store
Parameter Store
Runtime Config
App Configuration
Native CI/CD
CodePipeline / CodeBuild
Cloud Build
Azure DevOps / GitHub Actions

Multi-Region Deployments — Patterns and Pipeline Implications

High-availability applications often deploy across multiple cloud regions — to reduce latency for geographically distributed users, to provide failover if a region becomes unavailable, or to satisfy data residency requirements. Multi-region deployments require a pipeline architecture that can deploy the same artifact to multiple targets in sequence or in parallel, with rollback coordination across regions.

The safest multi-region rollout pattern is sequential with a canary region first — deploy to a low-traffic region, monitor for 15–30 minutes, then deploy to all remaining regions. This provides the benefits of a canary deployment at the region level: if the new version causes problems, only a fraction of global traffic is affected before the rollout is halted. GitHub Actions implements this through matrix strategies with a max-parallel: 1 constraint for sequential deployment, or without the constraint for parallel deployment to all regions simultaneously.

Multi-Region Deployment — Sequential Canary Region First 

jobs:
  deploy:
    runs-on: ubuntu-latest
    environment: production
    strategy:
      max-parallel: 1                    # Sequential — one region at a time
      matrix:
        region:
          - eu-west-1                    # Canary region — low traffic, deployed first
          - us-east-1                    # Primary region
          - ap-southeast-1               # APAC region
    permissions:
      id-token: write
      contents: read

    steps:
      - uses: actions/checkout@v4

      - uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: ${{ secrets.AWS_DEPLOY_ROLE }}
          aws-region: ${{ matrix.region }}     # OIDC token is region-scoped

      - name: Deploy to region
        run: |
          aws ecs update-service \
            --cluster myapp-production \
            --service api \
            --force-new-deployment \
            --region ${{ matrix.region }}
          aws ecs wait services-stable \
            --cluster myapp-production \
            --services api \
            --region ${{ matrix.region }}

      - name: Smoke test this region
        run: |
          ENDPOINT=$(aws ssm get-parameter \
            --name "/myapp/${{ matrix.region }}/endpoint" \
            --query "Parameter.Value" --output text)
          ./smoke-test.sh "$ENDPOINT"
          # If this fails, the matrix job fails and subsequent regions are skipped

What just happened?

The matrix deploys to three regions sequentially. EU West 1 goes first — a lower-traffic canary region. After the deployment stabilises and the smoke test passes, the matrix advances to US East 1, then APAC. If the smoke test fails in any region, the matrix job fails and the remaining regions are never deployed to. The max-parallel: 1 constraint ensures regions are not deployed concurrently, giving the monitoring system time to detect problems in each region before moving to the next.

Cost and Compliance in Cloud CI/CD

Cloud CI/CD pipelines consume compute resources that cost real money — and in unmanaged pipelines, costs accumulate invisibly. Runners that run unnecessarily long jobs, build caches that are never invalidated, Docker images that are rebuilt from scratch on every run because caching is misconfigured, and test suites that are not parallelised all translate directly to cloud spend. The practices that make pipelines faster — caching, parallelism, skipping unchanged services — also make them cheaper.

Compliance requirements add another dimension to cloud CI/CD architecture. Regulated industries — financial services, healthcare, government — often require audit trails for every deployment, separation of duties between the engineer who writes code and the person who approves its deployment, deployment windows that restrict when changes can reach production, and geographic restrictions on where data can be processed. These requirements are not incompatible with CI/CD — environment protection rules, manual approval gates, restricted deployment branches, and OIDC trust policies scoped to specific environments all support them — but they must be designed into the pipeline architecture from the beginning, not retrofitted after a compliance audit.

Warning: Storing Cloud Credentials as Long-Lived Secrets Is a Credential Rotation Dependency

An AWS access key stored in GitHub Secrets does not expire automatically. It must be rotated manually on a schedule — and that rotation must be coordinated across every repository and pipeline that uses it. When a key is compromised, every pipeline using it must be updated simultaneously. When a key expires because rotation was missed, every pipeline breaks simultaneously. OIDC eliminates this entire class of problem: there are no long-lived credentials to rotate, expire, or coordinate. If your pipelines still use AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY, migrating to OIDC is one of the highest-value, lowest-risk infrastructure improvements available — it typically takes less than an hour per pipeline to implement.

Key Takeaways from This Lesson

OIDC is the standard for cloud authentication from GitHub Actions — all three major providers support it, no long-lived credentials need to be stored, and trust policies can be scoped to specific repositories, branches, and environments.
Cloud-native services replace generic pipeline components where appropriate — ECR, ACR, and Artifact Registry offer tighter IAM integration and better performance than public registries for teams already invested in a cloud provider ecosystem.
Sequential multi-region rollout with a canary region reduces blast radius — deploying to the lowest-traffic region first, smoke testing, then advancing to primary regions limits how many users are affected if the new version has a regional issue.
Pipeline performance is cloud cost — every minute a runner runs unnecessarily is a billed minute. Caching, parallelism, and path filtering are not just engineering improvements — they are cost controls applied to cloud spending.
Compliance requirements are compatible with CI/CD — if designed in from the start — approval gates, restricted deployment branches, audit logging, and OIDC trust policies support regulated industry requirements without abandoning automation.

Teacher's Note

Check your cloud provider bills for the top five cost drivers in your CI/CD infrastructure — in most organisations, at least two of them are pipeline inefficiencies that could be eliminated with caching or parallelism rather than by scaling up runner capacity.

Practice Questions

Answer in your own words — then check against the expected answer.

1. What GitHub Actions matrix strategy configuration key — set to a value of 1 — constrains a multi-region deployment matrix to deploy one region at a time sequentially, ensuring each region's smoke test passes before the next region is deployed to?



2. What is the GCP-specific construct — configured through the Google Cloud console — that enables OIDC federation between GitHub Actions and GCP, allowing pipeline jobs to authenticate without storing service account keys in GitHub Secrets?



3. What is the name of the AWS managed container image registry service — tightly integrated with IAM and ECS/EKS — that teams deploying to AWS infrastructure typically use instead of Docker Hub to store and distribute their application images?



Lesson Quiz

1. A team's AWS access key in GitHub Secrets expired over a weekend, breaking three production pipelines simultaneously. A colleague proposes setting a 90-day rotation reminder. What is the more effective long-term solution and why?


2. A team deploys their application to three AWS regions. They want to minimise the blast radius if a deployment introduces a production bug. What multi-region deployment pattern achieves this?


3. A financial services company says their compliance requirements — manual deployment approval, separation of duties, and full audit trails — prevent them from adopting CI/CD. What is the accurate response?


Up Next · Lesson 38

CI/CD Best Practices

Every lesson in this course has covered a piece of the puzzle. Lesson 38 consolidates the most important principles into a single reference — the practices that separate good CI/CD from great CI/CD.

← Previous Course Index Next →