Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Actions: Secure cloud deployments with Open ID Connect #249

Closed
github-product-roadmap opened this issue Sep 8, 2021 · 1 comment
Closed
Labels
actions Feature: GitHub Actions all Product SKU: All beta Feature phase: Beta shipped Shipped

Comments

@github-product-roadmap
Copy link
Collaborator

github-product-roadmap commented Sep 8, 2021

Summary

Today, cloud deployments require developers to store cloud credentials as long-lived secrets in the GitHub secret store in their repository or organization. Going forward, GitHub Actions will support OpenID Connect (OIDC) for secure deploy to each cloud, which uses short-lived tokens that are automatically rotated for each deployment.

Intended Outcome

  • With the new OpenID Connect (OIDC) support in GitHub Actions, you can author secure cloud deployment workflows without needing any cloud secrets stored in GitHub.
  • OpenID token exchange eliminates the need for storing any long-lived cloud secrets in GitHub
  • Admins can use the security mechanisms of their cloud provider to ensure Action workflows have the minimal amount of access to cloud resources

How will it work?

image

  1. Organization or repository admins set up OIDC trust between the GitHub ID provider and cloud roles in AWS, Azure, GCP, HashiCorp, or other cloud services.
  2. Developers update their deployment workflows with the cloud provider's login action that uses OIDC to get cloud credentials and deploy.
  3. When the deployment workflow is run, GitHub shares the OIDC claims (ID token) with the login action that presents these to the cloud provider.
  4. The cloud provider validates the claims against the cloud role definition and provides an access token for deploying to the cloud for that specific workflow run.

Example JWT token generated in a Job that references the GitHub environment “prod” :

{
  "typ": "JWT",
  "alg": "RS256",
  "x5t": "CEXhGNwUvSDQ4phdZe1TvR08EH0",
  "kid": "0845E118DC14BD20D0E2985D65ED53BD1D3C107D"
}
{
  "jti": "c82eeb0c-5c6f-4a33-abf5-4c474b92b558",          # Unique identifier for this token
  "iss": "https://token.actions.githubusercontent.com",   # Issuer/GH OIDP
  "aud": "https://github.com/bbq-beets"                   # Audience by default is org URL
  "sub": "repo:bbq-beets/oidc-test:environment:prod",     # Subject
  "ref": "refs/heads/main",                               # The branch or tag ref that triggered the workflow run                
  "sha": "f2a8b4085c774df56a53e95b440b34f3c7c18719",      # The commit SHA that triggered the workflow run.
  "repository": "actions/canary",                         # The owner and repository name.
  "repository_owner": "actions",                          # The repository owner's name
  "run_id": "1221423022",                                 # A unique number for each run within a repository. This number does not change if you re-run the workflow run
  "run_number": "13",                                     # A unique number for each run of a particular workflow in a repository. 
  "run_attempt":"1",                                      # A unique number for each attempt of a particular workflow run in a repository. 
  "actor": "Monalisa",                                    # The login of the user that initiated the workflow run.
  "workflow": "OIDC ID_Token",                            # The name of the workflow. If the workflow file doesn't specify a name, the value of this property is the full path of the workflow file in the repository.
  "head_ref": "",                                         # Source branch of the pull request in a workflow run
  "base_ref": "",                                         # Target branch of the pull request in a workflow run
  "event_name": "workflow_dispatch",                      # The name of the event that triggered the workflow run.
  "ref_type": "branch",                                   # The branch or tag ref that triggered the workflow run.
  "environment": "prod",                                  # Environment name specified in the workflow
  "job_workflow_ref":"bbq-beets/oidc-test/.github/workflows-lab/oidc_get_token.yml@refs/heads/main",      # git ref triggering the workflow
  "iat": 1585710286,                                      # Issued at
  "nbf": 1585798372,                                      # Not valid before
  "exp": 1585713886                                       # Expire at
# "ref_protected": "false"                                # this claim will soon be added to token 
 }
@github github locked and limited conversation to collaborators Sep 8, 2021
@github-product-roadmap github-product-roadmap added actions Feature: GitHub Actions all Product SKU: All code-to-cloud ga Feature phase: Generally available labels Sep 8, 2021
@Sid-ah Sid-ah added beta Feature phase: Beta and removed ga Feature phase: Generally available labels Sep 9, 2021
@Sid-ah
Copy link
Contributor

Sid-ah commented Oct 28, 2021

@Sid-ah Sid-ah closed this as completed Oct 28, 2021
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
actions Feature: GitHub Actions all Product SKU: All beta Feature phase: Beta shipped Shipped
Projects
Archived in project
Development

No branches or pull requests

2 participants