|
| 1 | +--- |
| 2 | +title: Configuring OpenID Connect in Alibaba Cloud |
| 3 | +shortTitle: OpenID Connect in Alibaba Cloud |
| 4 | +intro: Use OpenID Connect within your workflows to authenticate with Alibaba Cloud. |
| 5 | +versions: |
| 6 | + fpt: '*' |
| 7 | + ghec: '*' |
| 8 | + ghes: '*' |
| 9 | +type: tutorial |
| 10 | +topics: |
| 11 | + - Security |
| 12 | +--- |
| 13 | + |
| 14 | +{% data reusables.actions.enterprise-github-hosted-runners %} |
| 15 | + |
| 16 | +## Overview |
| 17 | + |
| 18 | +OpenID Connect (OIDC) allows your {% data variables.product.prodname_actions %} workflows to access resources in Alibaba Cloud, without needing to store the Alibaba Cloud credentials as long-lived {% data variables.product.prodname_dotcom %} secrets. |
| 19 | + |
| 20 | +This guide explains how to configure Alibaba Cloud to trust {% data variables.product.prodname_dotcom %}'s OIDC as a federated identity, and includes a routine that uses tokens to authenticate to Alibaba Cloud and access resources. |
| 21 | + |
| 22 | +## Prerequisites |
| 23 | + |
| 24 | +{% data reusables.actions.oidc-link-to-intro %} |
| 25 | + |
| 26 | +{% data reusables.actions.oidc-security-notice %} |
| 27 | + |
| 28 | +{% ifversion ghes %} |
| 29 | +{% data reusables.actions.oidc-endpoints %} |
| 30 | +{% endif %} |
| 31 | + |
| 32 | +## Adding the OIDC provider to Alibaba Cloud |
| 33 | + |
| 34 | +To add the {% data variables.product.prodname_dotcom %} OIDC provider to RAM, see the [Alibaba Cloud documentation](https://www.alibabacloud.com/help/en/ram/user-guide/manage-an-oidc-idp). |
| 35 | + |
| 36 | +- For the provider URL: Use {% ifversion ghes %}`https://HOSTNAME/_services/token`{% else %}`https://token.actions.githubusercontent.com`{% endif %}. |
| 37 | +- For the client ID: Any value is allowed, we recommend using `sts.aliyuncs.com` or `sts.${REGION_ID}.aliyuncs.com`. |
| 38 | + |
| 39 | +### Configuring the role and trust policy |
| 40 | + |
| 41 | +To configure the role and trust in RAM, see step 2 and step 3 in the Alibaba Cloud documentation "[Implement OIDC-based SSO from Okta](https://www.alibabacloud.com/help/en/ram/user-guide/implement-oidc-based-sso-from-okta)". |
| 42 | + |
| 43 | +{% note %} |
| 44 | + |
| 45 | +We recommend users to configure`oidc:sub` condition key to restrict the subject of the ID Token, with this condition key in the role trust policy, you can limit which {% data variables.product.prodname_dotcom %} actions are trusted to assume the role. Although it's optional, reducing authorization granularity can make your access more secure and controllable. |
| 46 | + |
| 47 | +{% endnote %} |
| 48 | + |
| 49 | +If you configure the role with Alibaba Cloud RAM console, `oidc:sub` condition key is added in the form by default, you can configure its value directly. Or if you need more advanced access control capabilities, you can edit the trust policy yourself. |
| 50 | + |
| 51 | +Here is a basic example of allowing access to only specified branch. |
| 52 | + |
| 53 | +```json |
| 54 | +"Condition": { |
| 55 | + "StringEquals": { |
| 56 | + "oidc:aud": [ |
| 57 | + "sts.aliyuncs.com" |
| 58 | + ], |
| 59 | + "oidc:iss": "{% ifversion ghes %}HOSTNAME/_services/token{% else %}token.actions.githubusercontent.com{% endif %}", |
| 60 | + "oidc:sub": "repo:example/example-repo:ref:refs/heads/main" |
| 61 | + } |
| 62 | +} |
| 63 | +``` |
| 64 | + |
| 65 | +If you use a workflow with an environment, the `oidc:sub` field must reference the environment name: `repo:example/example-repo:environment:NAME`. For more information, see "[AUTOTITLE](/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#understanding-the-oidc-token)." |
| 66 | + |
| 67 | +For example, the following condition only allows access when the environment is set to `Production`. |
| 68 | + |
| 69 | +```json |
| 70 | +"Condition": { |
| 71 | + "StringEquals": { |
| 72 | + "oidc:aud": [ |
| 73 | + "sts.aliyuncs.com" |
| 74 | + ], |
| 75 | + "oidc:iss": "{% ifversion ghes %}HOSTNAME/_services/token{% else %}token.actions.githubusercontent.com{% endif %}", |
| 76 | + "oidc:sub": "repo:example/example-repo:environment:Production" |
| 77 | + } |
| 78 | +} |
| 79 | +``` |
| 80 | + |
| 81 | +You can also use `StringLike` and wildcard operator(`*`) for more flexibility. Here is an example to allow any branch, pull request merge branch, or environment from the specific repository to assume a role. |
| 82 | + |
| 83 | +```json |
| 84 | +"Condition": { |
| 85 | + "StringLike": { |
| 86 | + "oidc:sub": "repo:example/example-repo:*" |
| 87 | + }, |
| 88 | + "StringEquals": { |
| 89 | + "oidc:aud": [ |
| 90 | + "sts.aliyuncs.com" |
| 91 | + ], |
| 92 | + "oidc:iss": "{% ifversion ghes %}HOSTNAME/_services/token{% else %}token.actions.githubusercontent.com{% endif %}" |
| 93 | + } |
| 94 | +} |
| 95 | +``` |
| 96 | + |
| 97 | +## Updating your {% data variables.product.prodname_actions %} workflow |
| 98 | + |
| 99 | +To update your workflows for OIDC, you will need to make two changes to your YAML: |
| 100 | + |
| 101 | +1. Add permissions settings for the token. |
| 102 | +2. Use the [`aliyun/configure-aliyun-credentials-action`](https://github.com/aliyun/configure-aliyun-credentials-action) action to exchange the OIDC token (JWT) for a cloud access token. |
| 103 | + |
| 104 | +### Adding permissions settings |
| 105 | + |
| 106 | + {% data reusables.actions.oidc-permissions-token %} |
| 107 | + |
| 108 | +### Requesting the access token |
| 109 | + |
| 110 | +The `aliyun/configure-aliyun-credentials-action` action receives a JWT from the {% data variables.product.prodname_dotcom %} OIDC provider, and then requests an access token from Alibaba Cloud. For more information, see [GitHub - aliyun/configure-aliyun-credentials-action: Configure Alibaba Cloud Credentials for GitHub Actions](https://github.com/aliyun/configure-aliyun-credentials-action). |
| 111 | + |
| 112 | +The following workflow is an example for accessing Alibaba Cloud services. You can replace the following parameters with your own values. |
| 113 | + |
| 114 | +- `<oidc-provider-arn>`: Replace with your Alibaba Cloud provider arn. |
| 115 | +- `<role-to-assume>`: Replace with your Alibaba Cloud role arn. |
| 116 | + |
| 117 | +{% raw %} |
| 118 | + |
| 119 | +```yaml copy |
| 120 | +name: Alibaba Cloud example workflow |
| 121 | +on: [push] |
| 122 | + |
| 123 | +permissions: |
| 124 | + id-token: write # Required for requesting the JWT |
| 125 | + contents: read # Required for actions/checkout |
| 126 | + |
| 127 | +env: |
| 128 | + REGION_ID : "cn-hangzhou" |
| 129 | + |
| 130 | +jobs: |
| 131 | + build-and-deploy: |
| 132 | + runs-on: ubuntu-latest |
| 133 | + steps: |
| 134 | + - name: 'Configure credentials' |
| 135 | + uses: aliyun/configure-aliyun-credentials-action@v1 |
| 136 | + with: |
| 137 | + role-to-assume: 'acs:ram::1464366*********:role/github-actions' |
| 138 | + oidc-provider-arn: 'acs:ram::1464366*********:oidc-provider/github' |
| 139 | + - name: 'Set up aliyun CLI' |
| 140 | + uses: aliyun/setup-aliyun-cli-action@v1 |
| 141 | + - name: 'Run aliyun CLI' |
| 142 | + run: | |
| 143 | + aliyun sts GetCallerIdentity --region cn-hangzhou |
| 144 | +``` |
| 145 | +
|
| 146 | +{% endraw %} |
| 147 | +
|
| 148 | +## Further reading |
| 149 | +
|
| 150 | +{% data reusables.actions.oidc-further-reading %} |
0 commit comments