
Machine identity trust graph

Every machine identity path, clear to you.

Identrail traces how AWS IAM roles, Kubernetes service accounts, GitHub Actions, and OIDC claims can reach sensitive resources, then packages the proof and safest first fix for the owner.

Collection
Read-only by default
Coverage
AWS, K8s, GitHub, OIDC
Output
Evidence and first fix
  • Open-core under Apache-2.0
  • Read-only onboarding model
  • Self-hosted and hosted paths
  • Public docs and release history
AWS IAM live / Evidence ready

Production workspace / AWS IAM

AssumeRole path detected
Critical path
Source identity: GitHub Actions OIDC (payments-api / deploy-production.yml)
Privilege boundary: AWS IAM role billing-prod (boundary allows shared namespace assumption)
Target resource: PostgreSQL billing ledger (prod-billing / read-write eligible path)
Owner-ready fix: Restrict `sub` and namespace tags (simulation reports no workload breakage)

Path: GitHub Actions OIDC → AWS IAM IdP → billing-prod role → PostgreSQL ledger
  1. 01 / GitHub Actions OIDC token verified
     repo: payments-api / deploy-production.yml
     Status: Verified
  2. 02 / AssumeRole path detected
     sts:AssumeRole reaches billing-prod in 4 hops
     Status: Active
  3. 03 / Privilege boundary inherited
     aws:PrincipalTag condition allows broad namespace reuse
     Status: Review
  4. 04 / Evidence packet assembled
     JWT claims, trust policy, and API call proof attached
     Status: Ready

Reviewed across your identity stack

  • AWS IAM
  • Kubernetes
  • GitHub
  • OpenID
  • Terraform
  • Docker
  • PostgreSQL
  • Prometheus

Why teams miss machine identity risk

Signals only matter when they reveal the path.

IAM policies, Kubernetes RBAC, repository exposure, and OIDC workflow identities are reviewed in separate tools. Identrail connects them into one trust path, then shows the proof, blast radius, and safest first fix.

AWS IAM: role assumptions and policy edges
Kubernetes: service accounts, RBAC, namespaces
GitHub/OIDC: workflow identity and token claims

Identrail trust graph

One connected machine identity path
Evidence packet / Blast radius / First safe fix

01 / Before

Isolated alerts

Each control plane looks acceptable until the machine identity path crosses boundaries.

02 / During

Evidence stitching

Read-only collection joins IAM, Kubernetes, repository, and OIDC proof into one chain.

03 / After

Safe remediation

Owners get the affected workload, blast-radius context, and the first low-risk fix.

Trust operations layer

A premium control room for machine identity risk.

Identrail gives security and platform teams the same operating picture: live trust paths, policy evidence, blast-radius context, and a practical next step for each owner.

Exposure triage

Turn scattered identity signals into one owner-ready queue.

High confidence
Primary risk path: Production database reachable
Signal match: AWS role + K8s service account + OIDC claim drift

Evidence

  • Trust policy allows broad workflow subject claims
  • ClusterRoleBinding grants namespace-spanning workload access
  • Reachable resource is tagged production and regulated
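A check for the second evidence item above, added here as an example (it is not Identrail's code or output): given Kubernetes RBAC objects in API shape, it lists service accounts whose bindings grant access outside their home namespace. The rule it applies is the one the API server uses: a ClusterRoleBinding grants in every namespace, while a RoleBinding grants only in its own namespace even when its roleRef points at a ClusterRole. The objects, names and namespaces below are constructed.

```python
"""Flag service accounts whose bindings reach outside their own namespace.

Added example, not Identrail code. The RBAC objects below are constructed
in Kubernetes API shape; the names and namespaces are assumptions.
"""


def _index_roles(objects):
    """Map (kind, namespace, name) -> rules; ClusterRoles have namespace None."""
    roles = {}
    for obj in objects:
        meta = obj["metadata"]
        if obj["kind"] == "ClusterRole":
            roles[("ClusterRole", None, meta["name"])] = obj["rules"]
        elif obj["kind"] == "Role":
            roles[("Role", meta["namespace"], meta["name"])] = obj["rules"]
    return roles


def _summarize(rules):
    """Flatten a role's rules into sorted verb and resource lists."""
    return {"verbs": sorted({v for r in rules for v in r.get("verbs", [])}),
            "resources": sorted({x for r in rules for x in r.get("resources", [])})}


def cross_namespace_grants(objects):
    """One finding per (service account, binding) whose grant scope is not
    the account's home namespace. ClusterRoleBinding scope is "*" (all
    namespaces); RoleBinding scope is the binding's namespace, even when
    roleRef names a ClusterRole."""
    roles = _index_roles(objects)
    findings = []
    for obj in objects:
        if obj["kind"] == "ClusterRoleBinding":
            scope = "*"
            ref = ("ClusterRole", None, obj["roleRef"]["name"])
        elif obj["kind"] == "RoleBinding":
            scope = obj["metadata"]["namespace"]
            kind = obj["roleRef"]["kind"]
            ref = (kind, scope if kind == "Role" else None, obj["roleRef"]["name"])
        else:
            continue
        rules = roles.get(ref)
        if rules is None:
            continue  # dangling roleRef grants nothing
        for subj in obj.get("subjects", []):
            if subj["kind"] != "ServiceAccount":
                continue  # users and groups are out of scope for this check
            home = subj["namespace"]
            if scope == home:
                continue
            findings.append({"service_account": f"{home}/{subj['name']}",
                             "binding": f"{obj['kind']}/{obj['metadata']['name']}",
                             "grant_scope": scope, **_summarize(rules)})
    return findings


def _meta(name, namespace=None):
    return {"name": name, "namespace": namespace} if namespace else {"name": name}


SA = {"kind": "ServiceAccount", "name": "deployer", "namespace": "payments-api"}

SAMPLE_RBAC = [  # constructed objects, not from any real cluster
    {"kind": "ClusterRole", "metadata": _meta("secret-reader"),
     "rules": [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list"]}]},
    {"kind": "Role", "metadata": _meta("configmap-reader", "payments-api"),
     "rules": [{"apiGroups": [""], "resources": ["configmaps"], "verbs": ["get"]}]},
    # cluster-wide secret read for a namespaced workload: namespace-spanning
    {"kind": "ClusterRoleBinding", "metadata": _meta("payments-deployer-secrets"),
     "roleRef": {"kind": "ClusterRole", "name": "secret-reader"}, "subjects": [SA]},
    # ClusterRole bound inside another namespace: reaches billing from payments-api
    {"kind": "RoleBinding", "metadata": _meta("billing-secrets", "billing"),
     "roleRef": {"kind": "ClusterRole", "name": "secret-reader"}, "subjects": [SA]},
    # Role bound in the account's own namespace: not a finding
    {"kind": "RoleBinding", "metadata": _meta("own-configmaps", "payments-api"),
     "roleRef": {"kind": "Role", "name": "configmap-reader"}, "subjects": [SA]},
]

if __name__ == "__main__":
    for finding in cross_namespace_grants(SAMPLE_RBAC):
        print(finding)
```

Run against a live cluster, the same function would take the output of `kubectl get clusterroles,roles,clusterrolebindings,rolebindings -A -o json` (read-only), which is the kind of collection the page describes.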

Operator playbook

  1. Confirm owner
  2. Review evidence bundle
  3. Prioritize first fix

Product tour

From connector setup to evidence-ready remediation.

Connect read-only sources, trace the path to sensitive resources, test the safest fix, and hand owners one evidence packet they can act on.

01
Connector scope

Connect read-only sources

Validate AWS IAM, Kubernetes, GitHub Actions, and OIDC claims without write permissions.

02
Reachable path

Trace reachable risk paths

Show the identity, workload, role, and resource in one chain with severity context.

03
Policy simulation

Simulate the first safe fix

Preview trust-policy and RBAC edits before anything touches production.

04
Evidence packet

Export the evidence packet

Package the source proof, owner note, policy diff, and residual risk for review.

Production workspace

Owner-ready risk path

Evidence ready

Reachable path

GitHub workflow can reach billing data through AWS role trust.

High
Identity: GitHub Actions OIDC
Privilege: AWS IAM role billing-prod
Workload: payments-api namespace
Resource: PostgreSQL billing ledger

Safe fix simulation

Restrict subject claim and namespace tags
- sub = "*"
+ sub = "repo:payments-api:prod"
+ namespace = "payments-api"
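A worked version of the "simulate the first safe fix" step and the subject-claim diff above, added here as an example (not Identrail's code or output): it evaluates a role trust policy's Condition block against constructed GitHub Actions OIDC claims, first with a broad StringLike subject pattern and then with the restricted StringEquals one, and reports which workloads would lose access. GitHub's actual `sub` claim has the form `repo:<owner>/<repo>:environment:<name>` (or `:ref:refs/heads/<branch>`, or `:pull_request`), so the example uses that shape; the owner `acme`, the account ID `111122223333`, both policies and the sample tokens are assumptions.

```python
"""Simulate a role-trust-policy change against GitHub Actions OIDC claims.

Added example, not Identrail code. The policies, account ID 111122223333,
repository owner "acme" and the sample tokens are constructed. Only the
IAM condition operators needed here (StringEquals, StringLike) are implemented.
"""
import re

OIDC_ISSUER = "token.actions.githubusercontent.com"
PROVIDER_ARN = f"arn:aws:iam::111122223333:oidc-provider/{OIDC_ISSUER}"


def trust_policy(sub_operator, sub_pattern):
    """Build a trust policy admitting GitHub tokens whose sub claim matches."""
    condition = {"StringEquals": {f"{OIDC_ISSUER}:aud": "sts.amazonaws.com"}}
    condition.setdefault(sub_operator, {})[f"{OIDC_ISSUER}:sub"] = sub_pattern
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow",
                           "Principal": {"Federated": PROVIDER_ARN},
                           "Action": "sts:AssumeRoleWithWebIdentity",
                           "Condition": condition}]}


# "Before": any branch, tag, PR or environment of the repository can assume the role.
BROAD_TRUST_POLICY = trust_policy("StringLike", "repo:acme/payments-api:*")
# "After": only jobs bound to the "production" environment can.
HARDENED_TRUST_POLICY = trust_policy(
    "StringEquals", "repo:acme/payments-api:environment:production")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _string_like(pattern, value):
    # IAM StringLike: '*' matches any run of characters, '?' exactly one;
    # everything else is literal (unlike fnmatch, no [...] classes).
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, value) is not None


_OPERATORS = {"StringEquals": lambda p, v: p == v, "StringLike": _string_like}


def _condition_holds(condition, claims):
    """Every operator and every key must match; a missing claim never matches."""
    prefix = OIDC_ISSUER + ":"
    for operator, keys in condition.items():
        test = _OPERATORS[operator]  # KeyError on an unsupported operator is deliberate
        for key, patterns in keys.items():
            if not key.startswith(prefix):
                return False
            value = claims.get(key[len(prefix):])
            if value is None or not any(test(p, value) for p in _as_list(patterns)):
                return False
    return True


def can_assume(policy, claims):
    """True if a token with these claims can AssumeRoleWithWebIdentity into the role."""
    if claims.get("iss") != "https://" + OIDC_ISSUER:
        return False
    allowed = False
    for stmt in policy["Statement"]:
        if stmt.get("Principal", {}).get("Federated") != PROVIDER_ARN:
            continue
        if "sts:AssumeRoleWithWebIdentity" not in _as_list(stmt["Action"]):
            continue
        if not _condition_holds(stmt.get("Condition", {}), claims):
            continue
        if stmt["Effect"] == "Deny":
            return False  # an explicit deny overrides any allow
        allowed = True
    return allowed


def _gh_claims(sub, **extra):
    """Constructed GitHub Actions OIDC claims (the subset a trust policy inspects)."""
    return {"iss": "https://" + OIDC_ISSUER, "aud": "sts.amazonaws.com",
            "sub": sub, "repository": "acme/payments-api", **extra}


SAMPLE_TOKENS = {  # constructed workloads that could request the billing-prod role
    "prod-deploy": _gh_claims("repo:acme/payments-api:environment:production",
                              ref="refs/heads/main"),
    "feature-branch": _gh_claims("repo:acme/payments-api:ref:refs/heads/feature-x",
                                 ref="refs/heads/feature-x"),
    "pull-request": _gh_claims("repo:acme/payments-api:pull_request",
                               ref="refs/pull/42/merge"),
    "other-repo": _gh_claims("repo:acme/docs-site:ref:refs/heads/main",
                             repository="acme/docs-site", ref="refs/heads/main"),
}


def simulate(policy):
    """Which sample workloads can assume the role under this trust policy."""
    return {name: can_assume(policy, claims) for name, claims in SAMPLE_TOKENS.items()}


def simulate_fix(before, after):
    """(workloads that lose access, workloads that newly gain access)."""
    b, a = simulate(before), simulate(after)
    return (sorted(n for n in b if b[n] and not a[n]),
            sorted(n for n in a if a[n] and not b[n]))


if __name__ == "__main__":
    print("before:", simulate(BROAD_TRUST_POLICY))
    print("after: ", simulate(HARDENED_TRUST_POLICY))
    print("revoked, granted:", simulate_fix(BROAD_TRUST_POLICY, HARDENED_TRUST_POLICY))
```

The `aud` check matters as much as `sub`: a policy that omits it accepts tokens minted for any audience, so the hardened policy keeps both conditions. The result to look for before applying the change is the second list from `simulate_fix` being empty (nothing newly granted) and the first containing only workloads that should never have reached the role.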

Evidence packet

Ready for owner review
  • Source proof
  • Policy diff
  • Affected workload
  • Owner timeline

Operational Workflow

From read-only discovery to safe enforcement

Each stage produces a concrete artifact security and platform teams can review before taking action.

  1. 01 / Discover

    Build the trust graph

    Collect AWS IAM, Kubernetes, GitHub, and OIDC identity metadata in read-only mode.

    Output: identity graph snapshot with source evidence links

  2. 02 / Prioritize

    Rank reachable risk paths

    Score findings by severity, privilege depth, and production blast-radius potential.

    Output: ranked findings queue with owner-ready context

  3. 03 / Simulate

    Preview hardening safely

    Preview trust-policy changes and estimate affected workloads before enforcement.

    Output: remediation plan with expected impact summary

  4. 04 / Operate

    Roll out with controls

    Deploy in stages with rollback options and track resolution outcomes.

    Output: audit-ready remediation timeline and status history

Adoption Paths

Choose the deployment model that fits your operating constraints.

Open Source

Best for: self-hosted evaluation and internal control.

Time to value
Same day with Docker/Kubernetes setup
Control level
Full infrastructure and data ownership
Support model
Community and docs-led
View open-source setup →

Enterprise

Best for: private tenancy, procurement, and compliance control.

Time to value
Planned onboarding with architecture review
Control level
Private deployment and regional controls
Support model
Enterprise SLA and named partner team
Contact enterprise team →

Comparison

Why teams choose Identrail over closed black-box workflows

Compare on explainability, rollout safety, and day-two operability.

Category: Trust-path explainability
  Identrail: Shows full identity chain with policy evidence and affected resources
  Typical closed alternatives: Often returns abstract risk findings without chain-level context

Category: Rollout safety
  Identrail: Read-only collection, simulation-first remediation, staged enforcement
  Typical closed alternatives: Policy hardening usually relies on external tooling and manual checks

Category: Open-core transparency
  Identrail: Public repository, documentation, and release history
  Typical closed alternatives: Limited implementation visibility and slower verification by engineers

Category: Developer and platform fit
  Identrail: Built for security + platform collaboration with inspectable outputs
  Typical closed alternatives: Security-only workflows can be harder for platform teams to operationalize

Ready to evaluate

Map your first production trust path in minutes

Start with a read-only scan, review evidence, then decide whether to self-host, use hosted SaaS, or move to enterprise deployment.