GitHub Actions OIDC to cloud providers
Definition
GitHub Actions OIDC (OpenID Connect) allows workflows to authenticate with cloud providers securely by using short-lived tokens instead of long-lived secrets. This integration leverages OIDC tokens to establish trust between GitHub and cloud providers, enabling secure access to cloud resources without embedding sensitive credentials in the repository. It enhances security by reducing the risk of secret exposure and simplifies credential management.
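The trust described above is only as tight as the conditions the cloud provider applies to the token's claims: the issuer must be GitHub, the audience must be the provider, and the subject (sub) claim must match the repository and branch or environment that is allowed to assume the role. The following added example (not part of the original page, and not any provider's actual token-exchange code) models those three checks in Python over constructed, unsigned tokens. It assumes a hypothetical trust policy with subject patterns STRICT_SUBJECTS and BROAD_SUBJECTS and an audience of sts.amazonaws.com; the claim names and sub formats follow GitHub's documented OIDC claim set. It goes slightly beyond the page by also showing why a wildcard subject such as repo:myorg/* is the over-permissive setting: it lets a pull_request token from the same org assume the role.

```python
import base64
import fnmatch
import json

# Issuer that GitHub uses for Actions OIDC tokens (documented value, not a placeholder)
GITHUB_ISSUER = "https://token.actions.githubusercontent.com"

# Hypothetical cloud-side trust policy. STRICT pins trust to one repository and one
# branch; BROAD is the over-permissive form that any branch, tag or pull request
# in the organisation satisfies.
STRICT_SUBJECTS = ["repo:myorg/myrepo:ref:refs/heads/main"]
BROAD_SUBJECTS = ["repo:myorg/*"]
EXPECTED_AUDIENCE = "sts.amazonaws.com"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_unsigned_token(claims: dict) -> str:
    """Build a constructed, UNSIGNED JWT carrying the given claims (offline demo only)."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


def decode_claims(token: str) -> dict:
    """Return the payload claims of a JWT. Signature verification against GitHub's
    JWKS is assumed to happen in the provider's token exchange and is not done here."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected three dot-separated segments")
    return json.loads(_b64url_decode(parts[1]))


def evaluate_trust(claims: dict, expected_audience: str, allowed_subjects: list) -> tuple:
    """Apply the three checks a trust policy typically encodes: issuer, audience,
    and a subject pattern match. Returns (allowed, reason)."""
    if claims.get("iss") != GITHUB_ISSUER:
        return False, "issuer is not GitHub Actions"
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if expected_audience not in audiences:
        return False, f"audience {audiences!r} does not include {expected_audience!r}"
    sub = claims.get("sub", "")
    for pattern in allowed_subjects:
        # '*' matches across ':' and '/', as a provider's StringLike-style condition does
        if fnmatch.fnmatchcase(sub, pattern):
            return True, f"subject {sub!r} matched {pattern!r}"
    return False, f"subject {sub!r} matched no allowed pattern"


# Constructed claim sets modelled on GitHub's documented OIDC claims.
MAIN_PUSH_CLAIMS = {
    "iss": GITHUB_ISSUER,
    "aud": EXPECTED_AUDIENCE,
    "sub": "repo:myorg/myrepo:ref:refs/heads/main",
    "repository": "myorg/myrepo",
    "ref": "refs/heads/main",
    "event_name": "push",
}
PULL_REQUEST_CLAIMS = {
    **MAIN_PUSH_CLAIMS,
    "sub": "repo:myorg/myrepo:pull_request",
    "ref": "refs/pull/42/merge",
    "event_name": "pull_request",
}

TOKEN_MAIN_PUSH = make_unsigned_token(MAIN_PUSH_CLAIMS)
TOKEN_PULL_REQUEST = make_unsigned_token(PULL_REQUEST_CLAIMS)

if __name__ == "__main__":
    for label, token in [("push to main", TOKEN_MAIN_PUSH), ("pull request", TOKEN_PULL_REQUEST)]:
        claims = decode_claims(token)
        for policy_name, policy in [("strict", STRICT_SUBJECTS), ("broad", BROAD_SUBJECTS)]:
            allowed, reason = evaluate_trust(claims, EXPECTED_AUDIENCE, policy)
            print(f"{label:13} / {policy_name:6}: {'ALLOW' if allowed else 'DENY '} ({reason})")
```

Run as a script, it prints the four combinations: the main-branch push token is allowed under both policies, while the pull_request token is denied under the strict policy and allowed under the broad one. The practical takeaway is that the `id-token: write` permission in the workflow only lets the job obtain a token; which jobs may actually use the role is decided by the subject condition on the cloud side.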
Secure Settings Example
name: Deploy to Cloud
on: [push]
jobs:
  deploy:
    runs-on: ubuntu-latest
    permissions:
      id-token: write   # lets the job request a short-lived OIDC token from GitHub
      contents: read
    steps:
      - name: Checkout code
        uses: actions/checkout@v2
      - name: Authenticate to Cloud Provider
        # The auth action requests the OIDC token from the runner at run time and
        # exchanges it for cloud credentials; no token or key is stored as a secret.
        uses: cloud-provider/auth-action@v1
        with:
          role-to-assume: arn:aws:iam::123456789012:role/GitHubActionsRole
      - name: Deploy
        run: |
          cloud-cli deploy --project my-project --region us-central1
Insecure Settings Example
name: Deploy to Cloud
on: [push]
jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v2
      - name: Authenticate to Cloud Provider
        # Long-lived access keys held as repository secrets: they do not expire on
        # their own and must be rotated manually if exposed.
        env:
          CLOUD_ACCESS_KEY: ${{ secrets.CLOUD_ACCESS_KEY }}
          CLOUD_SECRET_KEY: ${{ secrets.CLOUD_SECRET_KEY }}
        run: |
          cloud-cli configure --access-key $CLOUD_ACCESS_KEY --secret-key $CLOUD_SECRET_KEY
      - name: Deploy
        run: |
          cloud-cli deploy --project my-project --region us-central1