Actions: Secure cloud deployments with Open ID Connect

[github-product-roadmap]

Summary

Today, cloud deployments require developers to store cloud credentials as long-lived secrets in the GitHub secret store in their repository or organization. Going forward, GitHub Actions will support OpenID Connect (OIDC) for secure deploy to each cloud, which uses short-lived tokens that are automatically rotated for each deployment.

Intended Outcome

• With the new OpenID Connect (OIDC) support in GitHub Actions, you can author secure cloud deployment workflows without needing any cloud secrets stored in GitHub.
• OpenID token exchange eliminates the need for storing any long-lived cloud secrets in GitHub
• Admins can use the security mechanisms of their cloud provider to ensure Action workflows have the minimal amount of access to cloud resources

How will it work?

1. Organization or repository admins set up OIDC trust between the GitHub ID provider and cloud roles in AWS, Azure, GCP, HashiCorp, or other cloud services.
2. Developers update their deployment workflows with the cloud provider's login action that uses OIDC to get cloud credentials and deploy.
3. When the deployment workflow is run, GitHub shares the OIDC claims (ID token) with the login action that presents these to the cloud provider.
4. The cloud provider validates the claims against the cloud role definition and provides an access token for deploying to the cloud for that specific workflow run.

Example JWT token generated in a Job that references the GitHub environment “prod” :

{
  "typ": "JWT",
  "alg": "RS256",
  "x5t": "CEXhGNwUvSDQ4phdZe1TvR08EH0",
  "kid": "0845E118DC14BD20D0E2985D65ED53BD1D3C107D"
}
{
  "jti": "c82eeb0c-5c6f-4a33-abf5-4c474b92b558",          # Unique identifier for this token
  "iss": "https://token.actions.githubusercontent.com",   # Issuer/GH OIDP
  "aud": "https://github.com/bbq-beets"                   # Audience by default is org URL
  "sub": "repo:bbq-beets/oidc-test:environment:prod",     # Subject
  "ref": "refs/heads/main",                               # The branch or tag ref that triggered the workflow run                
  "sha": "f2a8b4085c774df56a53e95b440b34f3c7c18719",      # The commit SHA that triggered the workflow run.
  "repository": "actions/canary",                         # The owner and repository name.
  "repository_owner": "actions",                          # The repository owner's name
  "run_id": "1221423022",                                 # A unique number for each run within a repository. This number does not change if you re-run the workflow run
  "run_number": "13",                                     # A unique number for each run of a particular workflow in a repository. 
  "run_attempt":"1",                                      # A unique number for each attempt of a particular workflow run in a repository. 
  "actor": "Monalisa",                                    # The login of the user that initiated the workflow run.
  "workflow": "OIDC ID_Token",                            # The name of the workflow. If the workflow file doesn't specify a name, the value of this property is the full path of the workflow file in the repository.
  "head_ref": "",                                         # Source branch of the pull request in a workflow run
  "base_ref": "",                                         # Target branch of the pull request in a workflow run
  "event_name": "workflow_dispatch",                      # The name of the event that triggered the workflow run.
  "ref_type": "branch",                                   # The branch or tag ref that triggered the workflow run.
  "environment": "prod",                                  # Environment name specified in the workflow
  "job_workflow_ref":"bbq-beets/oidc-test/.github/workflows-lab/oidc_get_token.yml@refs/heads/main",      # git ref triggering the workflow
  "iat": 1585710286,                                      # Issued at
  "nbf": 1585798372,                                      # Not valid before
  "exp": 1585713886                                       # Expire at
# "ref_protected": "false"                                # this claim will soon be added to token 
 }

[Sid-ah]

https://github.blog/changelog/2021-10-27-github-actions-secure-cloud-deployments-with-openid-connect