member badge
Nagisa Kojima
As a secure way to trigger a pipeline as a specific person:
  • Users want to trigger a pipeline outside CircleCI
Currently personal API tokens are needed to trigger a pipeline through the API.
  • Asking each user to feed CircleCI token is not feasible; it heavily degrades system security.
  • Use of a token for a machine user is not ideal, because API calls will be authenticated as the machine user, making it impossible to distinguish who triggered which pipeline on CircleCI.
There is a need of consideration that inappropriate impersonation can happen; therefore accepting federated tokens is more favourable."