Summary
Today, cloud deployments require developers to store cloud credentials as long-lived secrets in the GitHub secret store in their repository or organization. Going forward, GitHub Actions will support OpenID Connect (OIDC) for secure deployment to each cloud, using short-lived tokens that are automatically rotated for each deployment.
Intended Outcome
With the new OpenID Connect (OIDC) support in GitHub Actions, you can author secure cloud deployment workflows without needing any cloud secrets stored in GitHub.
OpenID token exchange eliminates the need for storing any long-lived cloud secrets in GitHub
Admins can use the security mechanisms of their cloud provider to ensure Action workflows have the minimal amount of access to cloud resources
How will it work?
Organization or repository admins set up OIDC trust between the GitHub ID provider and cloud roles in AWS, Azure, GCP, HashiCorp, or other cloud services.
Developers update their deployment workflows with the cloud provider's login action that uses OIDC to get cloud credentials and deploy.
When the deployment workflow is run, GitHub shares the OIDC claims (ID token) with the login action that presents these to the cloud provider.
The cloud provider validates the claims against the cloud role definition and provides an access token for deploying to the cloud for that specific workflow run.
Example JWT generated in a job that references the GitHub environment “prod”:
{
  "typ": "JWT",
  "alg": "RS256",
  "x5t": "CEXhGNwUvSDQ4phdZe1TvR08EH0",
  "kid": "0845E118DC14BD20D0E2985D65ED53BD1D3C107D"
}
{
  "jti": "c82eeb0c-5c6f-4a33-abf5-4c474b92b558", # Unique identifier for this token
  "iss": "https://token.actions.githubusercontent.com", # Issuer (the GitHub OIDC provider)
  "aud": "https://github.com/bbq-beets", # Audience; by default the organization URL
  "sub": "repo:bbq-beets/oidc-test:environment:prod", # Subject
  "ref": "refs/heads/main", # The branch or tag ref that triggered the workflow run
  "sha": "f2a8b4085c774df56a53e95b440b34f3c7c18719", # The commit SHA that triggered the workflow run
  "repository": "actions/canary", # The owner and repository name
  "repository_owner": "actions", # The repository owner's name
  "run_id": "1221423022", # A unique number for each run within a repository; it does not change if you re-run the workflow run
  "run_number": "13", # A unique number for each run of a particular workflow in a repository
  "run_attempt": "1", # A unique number for each attempt of a particular workflow run in a repository
  "actor": "Monalisa", # The login of the user that initiated the workflow run
  "workflow": "OIDC ID_Token", # The name of the workflow; if the workflow file doesn't specify a name, this is the full path of the workflow file in the repository
  "head_ref": "", # Source branch of the pull request in a workflow run
  "base_ref": "", # Target branch of the pull request in a workflow run
  "event_name": "workflow_dispatch", # The name of the event that triggered the workflow run
  "ref_type": "branch", # Whether the triggering ref is a branch or a tag
  "environment": "prod", # Environment name specified in the workflow
  "job_workflow_ref": "bbq-beets/oidc-test/.github/workflows-lab/oidc_get_token.yml@refs/heads/main", # Workflow file and git ref that produced this job
  "iat": 1585710286, # Issued at
  "nbf": 1585798372, # Not valid before
  "exp": 1585713886 # Expires at
  # "ref_protected": "false" # This claim will soon be added to the token
}
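The relying-party side of the flow described above, where the cloud provider validates the ID token's claims against the role definition, can be illustrated with a small checker. This is an added example, not code from GitHub or from any cloud provider: the trust policy format (`PROD_DEPLOY_POLICY`, `BROAD_POLICY`), the sample claims and the function names are assumptions chosen for the illustration, and the claim values are constructed placeholders modelled on the token above. Signature verification of the RS256 token against the issuer's published keys is assumed to happen before these checks and is not shown here.

```python
import base64
import fnmatch
import json

# Constructed sample claims modelled on the example token above (placeholders, not a real token).
SAMPLE_CLAIMS = {
    "jti": "c82eeb0c-5c6f-4a33-abf5-4c474b92b558",
    "iss": "https://token.actions.githubusercontent.com",
    "aud": "https://github.com/bbq-beets",
    "sub": "repo:bbq-beets/oidc-test:environment:prod",
    "repository": "bbq-beets/oidc-test",
    "ref": "refs/heads/main",
    "environment": "prod",
    "iat": 1585710286,
    "nbf": 1585710286,
    "exp": 1585713886,
}

# Hypothetical trust policy attached to a cloud role. Each field is pinned by the
# relying party before it issues a cloud access token for the workflow run.
PROD_DEPLOY_POLICY = {
    "issuer": "https://token.actions.githubusercontent.com",
    "audiences": {"https://github.com/bbq-beets"},
    # Exact, environment-scoped subject: a token minted for another repository or
    # for a different environment of the same repository does not match.
    "subject_patterns": ["repo:bbq-beets/oidc-test:environment:prod"],
    "clock_skew_seconds": 60,
}

# Hypothetical over-broad policy, kept only to show the difference a wildcard makes.
BROAD_POLICY = dict(PROD_DEPLOY_POLICY, subject_patterns=["repo:bbq-beets/*"])


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def build_unsigned_token(claims: dict) -> str:
    """Test fixture only: header.payload with an empty signature segment.
    A real GitHub-issued token carries an RS256 signature in the third segment."""
    def enc(obj: dict) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).decode().rstrip("=")
    return f"{enc({'typ': 'JWT', 'alg': 'RS256'})}.{enc(claims)}."


def decode_claims(token: str) -> dict:
    """Split a compact JWT and return its payload. Does NOT verify the signature;
    that check (against the issuer's keys) is assumed to have been done first."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT: expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def evaluate_trust_policy(claims: dict, policy: dict, now: int) -> tuple[bool, str]:
    """Return (allowed, reason), mirroring the claim checks a cloud provider
    performs against the role definition before handing out a cloud token."""
    if claims.get("iss") != policy["issuer"]:
        return False, "issuer mismatch"
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if not any(a in policy["audiences"] for a in audiences):
        return False, "audience not accepted"
    skew = policy["clock_skew_seconds"]
    if "exp" not in claims or now >= claims["exp"] + skew:
        return False, "token expired"
    if now + skew < claims.get("nbf", 0):
        return False, "token not yet valid"
    sub = claims.get("sub", "")
    if not any(fnmatch.fnmatchcase(sub, p) for p in policy["subject_patterns"]):
        return False, f"subject {sub!r} not permitted by role"
    return True, "ok"


if __name__ == "__main__":
    now = SAMPLE_CLAIMS["iat"] + 30
    staging = dict(SAMPLE_CLAIMS, sub="repo:bbq-beets/oidc-test:environment:staging")
    print("prod token, strict policy:   ", evaluate_trust_policy(SAMPLE_CLAIMS, PROD_DEPLOY_POLICY, now))
    print("staging token, strict policy:", evaluate_trust_policy(staging, PROD_DEPLOY_POLICY, now))
    print("staging token, broad policy: ", evaluate_trust_policy(staging, BROAD_POLICY, now))
```

The `sub` check is where least privilege is enforced: the strict policy admits only the `prod` environment of one repository, whereas the wildcard in `BROAD_POLICY` lets any environment of any repository under the organization assume the role. Evaluating `exp`/`nbf` with a small skew allowance reflects that the tokens are short-lived and minted per run.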