# Security
ops0 is built for teams that manage production infrastructure. This page covers how we protect your data, credentials, and access.
## Credential Handling
ops0 never stores long-lived cloud credentials.
### How cloud authentication works
| Provider | Method | What ops0 holds |
|---|---|---|
| AWS | IAM Role with cross-account trust | Role ARN only — no access keys |
| GCP | Workload Identity Federation | Service account email + pool config — no key files |
| Azure | Service Principal with federated credentials | Client ID + tenant ID — no client secrets |
| Oracle Cloud | API Key | API key fingerprint + private key (encrypted at rest) |
When ops0 runs a plan or apply, it assumes the IAM role or exchanges an OIDC token — credentials exist only for the duration of the operation and are never written to disk or logs.
For AWS, GCP, and Azure, ops0 uses short-lived token exchange. Because ops0 holds no long-lived access keys for these providers, there are none to leak accidentally.
## Encryption
### In transit
All communication between your browser, the ops0 platform, and your cloud providers uses TLS 1.3. Internal service-to-service traffic is also encrypted in transit.
### At rest
| Data | Encryption |
|---|---|
| Database (PostgreSQL) | AES-256 |
| Terraform state files | AES-256 with provider-managed keys |
| Secrets stored in ops0 | AES-256, envelope-encrypted with a per-org key |
| Audit logs | AES-256 |
| Oracle Cloud API keys | AES-256 |
### Terraform state
ops0 stores Terraform state in the backend you configure (S3, Azure Blob, GCS). State files never transit through ops0 servers — the IaC runner reads and writes directly to your configured bucket using the assumed role.
## Network Architecture
### Hive Agent (Kubernetes)
The Hive agent deployed into your cluster uses outbound-only WebSocket connections to the ops0 control plane. No inbound ports are opened on your cluster. The agent:
- Sends observability data, events, and log streams outbound
- Receives instructions (kubectl commands, helm operations) over the same persistent connection
- Does not store credentials locally
- Runs with a minimal RBAC service account scoped to read operations
### IaC Execution
Terraform plan and apply runs execute inside ops0's isolated execution environment:
- Each run gets an ephemeral execution context
- No persistent storage between runs
- Network access is limited to your configured cloud provider endpoints
- All execution logs are captured and associated with the deployment record
## Access Control
### Organization-level RBAC
ops0 uses fine-grained access control via OpenFGA (an open-source authorization engine). Every action — viewing a project, triggering a deployment, reading a secret — is an explicit permission check.
| Role | What they can do |
|---|---|
| Owner | Full access including billing and organization settings |
| Admin | Manage users, integrations, and all projects |
| Developer | Create and deploy projects; cannot manage org settings |
| Viewer | Read-only access to projects and deployments |
Custom roles are available on Enterprise plans.
### SSO and Identity
- Google Workspace — one-click setup
- Microsoft Entra ID — one-click setup
- Custom OIDC — Okta, Auth0, or any OIDC provider
- SAML 2.0 — available on Enterprise plans
- SSO-only mode — disable email/password login for the entire organization
### API Keys
API keys are scoped to an organization and can be restricted to specific operations. Keys are:
- Shown only once at creation
- Stored as bcrypt hashes — ops0 cannot recover a lost key
- Revocable at any time from Settings → API Configuration
## Audit Logging
Every action in ops0 is logged:
| Event category | Examples |
|---|---|
| Authentication | Login, logout, SSO, failed attempts |
| Infrastructure | Plan triggered, apply completed, destroy initiated |
| Access changes | User invited, role changed, SSO configured |
| Credentials | Integration added, integration removed, secret accessed |
| Admin actions | Organization settings changed, billing updated |
Audit logs include: timestamp, actor (user ID + email), IP address, action, resource affected, and outcome.
Logs are retained for 90 days on standard plans and 1 year on Enterprise plans. Logs can be exported or streamed to your SIEM via the Alerts integration.
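An added example, not ops0's own code, of detection logic a SIEM could run over exported audit events carrying the documented fields (timestamp, actor, IP address, action, resource, outcome): it flags any IP with repeated failed logins inside a short window. The JSON key names, the constructed sample events, and the thresholds are assumptions; map them to the export format you actually receive.

```go
package main

import (
	"encoding/json"
	"sort"
	"strings"
	"time"
)

// AuditEvent carries the fields ops0 documents per entry; the JSON key names are an assumption, not ops0's export schema.
type AuditEvent struct {
	Timestamp time.Time `json:"timestamp"`
	Actor     string    `json:"actor"`
	IP        string    `json:"ip"`
	Action    string    `json:"action"`
	Resource  string    `json:"resource"`
	Outcome   string    `json:"outcome"`
}

// Constructed sample (not real data): three failures from one IP within two minutes, one from another, out of order.
const sampleAudit = `{"timestamp":"2025-01-10T09:00:05Z","actor":"u_17 alice@example.com","ip":"203.0.113.5","action":"login","resource":"org_acme","outcome":"failure"}
{"timestamp":"2025-01-10T09:00:01Z","actor":"u_17 alice@example.com","ip":"203.0.113.5","action":"login","resource":"org_acme","outcome":"failure"}
{"timestamp":"2025-01-10T09:01:40Z","actor":"u_17 alice@example.com","ip":"203.0.113.5","action":"login","resource":"org_acme","outcome":"failure"}
{"timestamp":"2025-01-10T09:01:45Z","actor":"u_22 bob@example.com","ip":"198.51.100.7","action":"login","resource":"org_acme","outcome":"failure"}`
// FailedLoginBursts returns, sorted, every IP with at least threshold (>= 1) failed logins inside
// any window-long span. Events may arrive out of order, so each IP's failures are sorted first.
func FailedLoginBursts(ndjson string, threshold int, window time.Duration) ([]string, error) {
	byIP := map[string][]time.Time{}
	for _, line := range strings.Split(strings.TrimSpace(ndjson), "\n") {
		var ev AuditEvent
		if err := json.Unmarshal([]byte(line), &ev); err != nil {
			return nil, err
		}
		if ev.Action == "login" && ev.Outcome == "failure" {
			byIP[ev.IP] = append(byIP[ev.IP], ev.Timestamp)
		}
	}
	var alerts []string
	for ip, ts := range byIP {
		sort.Slice(ts, func(i, j int) bool { return ts[i].Before(ts[j]) })
		for i := threshold - 1; i < len(ts); i++ {
			if ts[i].Sub(ts[i-threshold+1]) <= window {
				alerts = append(alerts, ip)
				break
			}
		}
	}
	sort.Strings(alerts)
	return alerts, nil
}
```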
## Secrets Management
Secrets stored in ops0 (Settings → Sensitive Data) are:
- Encrypted with AES-256 before being written to the database
- Envelope-encrypted: the data key is itself encrypted with a per-organization master key
- Only decrypted at execution time, inside the isolated execution environment
- Never logged or included in plan output
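As an added example that is not ops0's own code, the envelope scheme described above (a per-secret data key wrapped by a per-organization master key, AES-256) in Go using only the standard library. The GCM mode, the use of the org ID as associated data, and the nonce||ciphertext||tag blob layout are assumptions for this example, since the page does not specify them.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// must panics on error: a wrong key size or CSPRNG failure is not recoverable here.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// seal encrypts with AES-256-GCM (32-byte key) and returns nonce||ciphertext||tag; aad is the org ID, so a blob copied into another org's row fails to decrypt.
func seal(key, plaintext, aad []byte) []byte {
	g := must(cipher.NewGCM(must(aes.NewCipher(key))))
	nonce := make([]byte, g.NonceSize()) // fresh random 96-bit nonce per seal
	must(rand.Read(nonce))
	return g.Seal(nonce, nonce, plaintext, aad)
}

// open reverses seal; a wrong key or a different aad fails authentication.
func open(key, blob, aad []byte) ([]byte, error) {
	g := must(cipher.NewGCM(must(aes.NewCipher(key))))
	if n := g.NonceSize(); len(blob) >= n {
		return g.Open(nil, blob[:n], blob[n:], aad)
	}
	return nil, errors.New("blob too short")
}

// EncryptSecret draws a fresh data key (DEK) per secret, seals the secret under it
// and seals the DEK under the org master key; only the two blobs are stored.
func EncryptSecret(orgKEK, secret []byte, orgID string) (wrappedDEK, ciphertext []byte) {
	dek := make([]byte, 32)
	must(rand.Read(dek))
	return seal(orgKEK, dek, []byte(orgID)), seal(dek, secret, []byte(orgID))
}

// DecryptSecret unwraps the DEK with the org master key, then decrypts the secret.
func DecryptSecret(orgKEK, wrappedDEK, ciphertext []byte, orgID string) ([]byte, error) {
	dek, err := open(orgKEK, wrappedDEK, []byte(orgID))
	if err != nil {
		return nil, err
	}
	return open(dek, ciphertext, []byte(orgID))
}
```

Rotating the org master key then means re-wrapping each stored DEK, not re-encrypting every secret, which is the operational reason for the two-layer design.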
Terraform state files can contain resource attribute values, including generated passwords and keys. Ensure your state backend (S3, GCS, Azure Blob) has appropriate access controls and encryption enabled.
## Vulnerability Scanning
ops0 automatically scans IaC code for security misconfigurations during the plan phase using Checkov:
- Findings are categorized by severity (Critical, High, Medium, Low)
- Each finding links to remediation guidance
- Policies can block deployment if critical findings are present
- Scan results are stored with each deployment record
## Responsible Disclosure
If you discover a security vulnerability in ops0, please report it to security@ops0.ai. We follow coordinated disclosure and aim to respond within 48 hours.
Do not disclose vulnerabilities publicly before we have had a chance to address them.
## Related
- IAM Settings — manage users and roles
- Audit Logs — view and export activity logs
- Sensitive Data — manage secrets
- Authentication — configure SSO