
Document id-token permission #14626

Closed

danielcompton opened this issue Jan 25, 2022 · 18 comments · Fixed by #14998
Assignees
Labels
actions This issue or pull request should be reviewed by the docs actions team content This issue or pull request belongs to the Docs Content team waiting for review Issue/PR is waiting for a writer's review

Comments

danielcompton (Contributor) commented Jan 25, 2022


What article on docs.github.com is affected?

https://docs.github.com/en/actions/security-guides/automatic-token-authentication

What part(s) of the article would you like to see updated?

I'm looking into setting up OIDC authentication with GitHub Actions and am wanting to understand how the id-token permission works. I couldn't find much documentation about it, other than documentation saying to set it to write, e.g. https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services#adding-permissions-settings.

The automatic token authentication article talks about id-token and that the "Maximum access by forked repos" is read. What does it mean to have read access to the id-token? What is the minimum permissions needed to use OIDC?

Specifically, can a PR opened by Dependabot obtain OIDC credentials?


@danielcompton danielcompton added the content This issue or pull request belongs to the Docs Content team label Jan 25, 2022
welcome bot commented Jan 25, 2022

Thanks for opening this issue. A GitHub docs team member should be by to give feedback soon. In the meantime, please check out the contributing guidelines.

@github-actions github-actions bot added the triage Do not begin working on this issue until triaged by the team label Jan 25, 2022
@github-actions github-actions bot added this to Triage in Docs open source board Jan 25, 2022
@ramyaparimi ramyaparimi added actions This issue or pull request should be reviewed by the docs actions team waiting for review Issue/PR is waiting for a writer's review and removed triage Do not begin working on this issue until triaged by the team labels Jan 25, 2022
ramyaparimi (Contributor) commented

@danielcompton
Thanks so much for opening an issue! I'll triage this for the team to take a look 👀

N-Usha (Contributor) commented Feb 3, 2022

Generating an OIDC id-token from a GitHub workflow requires write permission on the id-token bit. When we add this permission to a workflow, it sets the following two environment variables (URL and token) on the runner machine, which are used by Actions/scripts to generate the ID token:
ACTIONS_ID_TOKEN_REQUEST_URL, ACTIONS_ID_TOKEN_REQUEST_TOKEN

Thanks @danielcompton for reporting this. We will add the above context to our docs to make this more clear.

danielcompton (Contributor, Author) commented

Thanks @N-Usha! What does it mean to have id-token: read then?

@martin389 martin389 self-assigned this Feb 3, 2022
N-Usha (Contributor) commented Feb 3, 2022

It just means that OIDC tokens can't be generated in that workflow. And we made that the default, as we wanted to make OIDC an opt-in feature, where workflows which need OIDC for authentication purposes need to explicitly set the bit to write to use the feature within a job or across all jobs within the workflow run.
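An added example, not code from this thread, from the docs, or from GitHub, of the mechanism N-Usha describes in the two comments above: a step script that reads ACTIONS_ID_TOKEN_REQUEST_URL and ACTIONS_ID_TOKEN_REQUEST_TOKEN to mint a token, and what a job with id-token: read (the default) or id-token: none sees instead, namely that the two variables are simply absent. The workflow fragment in the docstring, the script file name, the request headers, the sample endpoint URL, bearer value and claims, and the fake endpoint are all my assumptions; the audience query parameter and the {"value": "<jwt>"} response shape follow what the actions/core getIDToken helper does.

```python
"""Request a GitHub Actions OIDC ID token from inside a job.
Added example for this thread, not GitHub's or the docs' own code. It assumes a
workflow step like the following (the script file name is an assumption):
    permissions:
      id-token: write   # with `read` (the default) or `none` the two variables are absent
      contents: read
    steps:
      - run: python get_oidc_token.py
"""
import base64
import json
import os
import urllib.request
from urllib.parse import urlencode

def decode_claims(jwt: str) -> dict:
    """Payload of a compact JWS, signature NOT verified: only for inspecting which
    identity (sub, aud, repository) the runner was issued. A provider trusting the
    token must verify it against GitHub's JWKS; this function does not."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def _http_get(url: str, bearer: str) -> str:
    # Headers are an assumption of this example; the runner token goes in Authorization.
    req = urllib.request.Request(
        url, headers={"Authorization": f"Bearer {bearer}", "Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode()

def request_id_token(audience: str, env=None, fetch=_http_get) -> str:
    """Mint an ID token for `audience` via the runner-provided endpoint.
    `env` defaults to os.environ; `fetch(url, bearer)` is injectable for offline use."""
    env = os.environ if env is None else env
    url = env.get("ACTIONS_ID_TOKEN_REQUEST_URL")
    bearer = env.get("ACTIONS_ID_TOKEN_REQUEST_TOKEN")
    if not url or not bearer:
        # This is what `id-token: read` or `none` looks like from inside the job:
        # nothing is refused at request time, the variables were simply never set.
        raise PermissionError(
            "ACTIONS_ID_TOKEN_REQUEST_URL/_TOKEN are unset: the job needs "
            "`permissions: id-token: write` to request an OIDC token")
    # The URL already carries a query string, so append with '&'; the audience
    # value ends up in the token's `aud` claim.
    sep = "&" if "?" in url else "?"
    body = fetch(url + sep + urlencode({"audience": audience}), bearer)
    token = json.loads(body).get("value")  # the endpoint answers {"value": "<jwt>"}
    if not token:
        raise RuntimeError("token endpoint returned no 'value'")
    return token

# Constructed sample data so the logic can be exercised offline (all values are fake).
SAMPLE_ENV = {
    "ACTIONS_ID_TOKEN_REQUEST_URL": "https://token.example.test/oidc?api-version=2.0",
    "ACTIONS_ID_TOKEN_REQUEST_TOKEN": "runner-bearer-secret",
}
SAMPLE_CLAIMS = {
    "sub": "repo:octo-org/octo-app:ref:refs/heads/main",
    "aud": "sts.amazonaws.com",
    "repository": "octo-org/octo-app",
}

def unsigned_jwt(claims: dict) -> str:
    """JWT with an empty signature: test data only, never accept one in production."""
    def enc(d):
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}."

def demo() -> dict:
    """Exercise both branches: `id-token: write` present, and read/none (no variables)."""
    seen = {}

    def fake_endpoint(url, bearer):
        seen["url"], seen["bearer"] = url, bearer
        return json.dumps({"value": unsigned_jwt(SAMPLE_CLAIMS)})

    token = request_id_token("sts.amazonaws.com", env=SAMPLE_ENV, fetch=fake_endpoint)
    try:
        request_id_token("sts.amazonaws.com", env={}, fetch=fake_endpoint)
        denied = False
    except PermissionError:
        denied = True
    return {"url": seen["url"], "bearer": seen["bearer"],
            "claims": decode_claims(token), "denied_without_write": denied}

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The design point worth noticing is that the permission is enforced by omission: a job without id-token: write has no endpoint and no bearer to call it with, which is why read and none behave identically. Before exchanging the token with a cloud provider, inspect sub and aud with decode_claims to confirm the trust-policy you wrote on the provider side matches the identity the runner actually received.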

danielcompton (Contributor, Author) commented

Thanks for the clarification. Sorry to belabour the point, but what is the difference then between id-token: read and id-token: none?

Docs open source board automation moved this from Triage to Done Feb 4, 2022
danielcompton (Contributor, Author) commented

Thanks @lucascosti, it's still not clear to me what the difference is between id-token: read and id-token: none? Are you able to help clarify that?

lucascosti (Contributor) commented

Thanks @lucascosti, it's still not clear to me what the difference is between id-token: read and id-token: none? Are you able to help clarify that?

Sorry, @danielcompton; I have a guess, but rather than potentially give out the wrong info, I'll let @N-Usha clarify 🙂

danielcompton (Contributor, Author) commented

@N-Usha would you be able to help clarify what the difference is between id-token: read and id-token: none?

danielcompton (Contributor, Author) commented

@N-Usha are you able to help with this? I'm still not sure what the security differences are between a workflow having id-token: read and id-token: none.

N-Usha (Contributor) commented Feb 22, 2022

Apologies for delayed response on this.

@danielcompton - There is no difference between a workflow having id-token: read and id-token: none.
We have clarified this in docs recently:

The job or workflow run requires a permissions setting with id-token: write. You won't be able to request the OIDC JWT ID token if the permissions setting for id-token is set to read or none.

Please confirm if that clarifies your query. Thanks

danielcompton (Contributor, Author) commented

Thanks @N-Usha that's exactly what I was after!

jmandel commented Mar 16, 2023

This is a closed issue, but I'm struggling to understand what the word "write" means here. Why is the permission called "write"? Is something being written? If so, what and by whom? Or is the permission called "write" for some other reason (e.g., something historical, referential, or arcane)? It'd be great to explain this just a tiny bit more.

ssbarnea (Contributor) commented

I am quite curious how it is that this is closed when this tag has zero documentation.

cmwilson21 (Contributor) commented

@ssbarnea @jmandel - 👋 Hey there! Would either of you mind opening a new issue detailing your request? With a fresh issue, we can take it through the review process.

Thank you! ✨

jmandel commented Jun 13, 2023

#25952

vincerubinetti commented
Fwiw I couldn't even figure out that this permission scope had something to do with OIDC. Had to google it and find this issue.

11 participants