Skip to content
/ actions-oidc-gateway-example Public

Example of using Actions OIDC token to proxy into a private network

License

MIT license
82 stars 16 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

github/actions-oidc-gateway-example

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

29 Commits
.github
.github
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
go.mod
go.mod
 
 
go.sum
go.sum
 
 
oidc_gateway.go
oidc_gateway.go
 
 
oidc_gateway_test.go
oidc_gateway_test.go
 
 

Repository files navigation

actions-oidc-gateway-example

Run CI

Have you ever wanted to connect to a private network from a GitHub-hosted Actions runner?

This gateway is a reference implementation of how to authorize traffic from Actions into your private network, either as an API gateway or as an HTTP CONNECT proxy tunnel.

It is not intended to be used as-is.

At a minimum, you'd want to customize the claim check for your use case (see Configuring the OIDC trust with the cloud for examples as to what's possible here). The default configuration only allows Actions from the repo octo-org/octo-repo.

Then, if you're using this as an API gateway, you probably want to customize the existing /apiExample handler (unless you really need proxied acccess to the Bing homepage?) You could add additional handlers, and even customize the claim checking per handler if you'd like.

Lastly, you are responsible for deploying this gateway in a secure way with access to your private network. There's lots of different options here, but you probably want this gateway to be behind a load balancer that speaks TLS, with scoped network access to the private services it provides access to. That will probably look something like this:

flowchart LR
    Runner-->|Actions OIDC Token| LB
    subgraph GitHub Actions
    Runner[Runner]
    end
    subgraph Private Network
    LB[Load Balancer]
    LB-->G1[This Gateway]
    LB-->G2[This Gateway]
    G1-->PS[Private Service]
    end
Loading

How would I use this?

Once you customize and deploy your gateway, you can configure your Actions workflow to make use of it:

...

jobs:
  your_job_name:
    ...
    permissions:
      id-token: write
    steps:
      ...

      - name: Get OIDC token and set OIDC_TOKEN environment variable
        run: |
          echo "OIDC_TOKEN=$(curl -H "Authorization: bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" -H "Accept: application/json; api-version=2.0" "$ACTIONS_ID_TOKEN_REQUEST_URL&audience=api://ActionsOIDCGateway" | jq -r ".value")"  >> $GITHUB_ENV
          echo "::add-mask::$OIDC_TOKEN"

      - name: Example of using gateway as a proxy
        run: |
          curl -v -p --proxy-header "Gateway-Authorization: ${{ env.OIDC_TOKEN }}" -x https://your-load-balancer.example.com https://www.google.com

      - name: Example of an API gateway
        run: |
          curl -v -H "Gateway-Authorization: ${{ env.OIDC_TOKEN }}" https://your-load-balancer.example.com/apiExample

    ...

About

Example of using Actions OIDC token to proxy into a private network

Resources

Readme

License

MIT license

Code of conduct

Code of conduct

Security policy

Security policy
Activity
Custom properties

Stars

82 stars

Watchers

136 watching

Forks

16 forks
Report repository

Releases

No releases published

Packages

No packages published

Contributors 4

  •  
  •  
  •  
  •  

Languages