GitHub Actions: OpenID Connect

📚 Part 5 of 5: "GitHub Actions The Complete Guide" series.

OpenID Connect allows your workflows to exchange short-lived tokens directly from your cloud provider.
External Resources »
  • GitHub Actions official Documentation
  • GitHub Actions Marketplace
  • GitHub.com

Benefits of using OIDC #

By updating your workflows to use OIDC tokens, you can adopt the following good security practices:

  • No cloud secrets: You won’t need to duplicate your cloud credentials as long-lived GitHub secrets. Instead, you can configure the OIDC trust on your cloud provider, and then update your workflows to request a short-lived access token from the cloud provider through OIDC.
  • Authentication and authorization management: You have more granular control over how workflows can use credentials, using your cloud provider’s authentication (authN) and authorization (authZ) tools to control access to cloud resources.
  • Rotating credentials: With OIDC, your cloud provider issues a short-lived access token that is only valid for a single job, and then automatically expires.

How OIDC integrates with GitHub Actions #

The following diagram gives an overview of how GitHub’s OIDC provider integrates with your workflows and cloud provider:

```mermaid
sequenceDiagram
    participant GitHub Actions Workflow
    participant GitHub OIDC Provider
    participant Cloud Provider
    participant Cloud Resources
    GitHub Actions Workflow->>GitHub OIDC Provider: Request OIDC Token
    GitHub OIDC Provider-->>GitHub Actions Workflow: Return JWT (OIDC Token)
    GitHub Actions Workflow->>Cloud Provider: Send JWT + Cloud Role ID
    Cloud Provider->>Cloud Provider: Validate JWT via OIDC Trust
    Cloud Provider-->>GitHub Actions Workflow: Return Access Token
    GitHub Actions Workflow->>Cloud Resources: Use Access Token to access resources
```

  1. You establish an OIDC trust relationship in the cloud provider, allowing specific GitHub workflows to request cloud access tokens on behalf of a defined cloud role.
  2. Every time your job runs, GitHub’s OIDC provider auto-generates an OIDC token. This token contains multiple claims to establish a security-hardened and verifiable identity about the specific workflow that is trying to authenticate.
  3. A step or action in the workflow job can request a token from GitHub’s OIDC provider, which can then be presented to the cloud provider as proof of the workflow’s identity.
  4. Once the cloud provider successfully validates the claims presented in the token, it then provides a short-lived cloud access token that is available only for the duration of the job.

Source: https://docs.github.com/en/actions/concepts/security/openid-connect

Using OpenID Connect with GitHub Actions ensures that credentials are requested dynamically by the workflow and are never hardcoded. Those credentials are scoped to the job that is executing, as opposed to storing long-lived cloud access credentials in GitHub secrets.

OIDC in AWS #

Use OpenID Connect within your workflows to authenticate with Amazon Web Services.

OpenID Connect (OIDC) allows your GitHub Actions workflows to access resources in Amazon Web Services (AWS), without needing to store the AWS credentials as long-lived GitHub secrets.

Example: a "Get AWS permissions" step that uses the configure-aws-credentials action to assume an IAM role.

      - name: Get AWS permissions
        uses: aws-actions/configure-aws-credentials@v1
        with:
          role-to-assume: arn:aws:iam::450226343468:role/GitHubDemo1 # Role ARN
          aws-region: us-east-1 # Location of the S3 Bucket

ℹ️ Note: Refer to the documentation below to set up OIDC in AWS:

More Information:

GitHub Actions Workflow to generate OIDC #

name: Terraform AWS GH1 Build - DEV

# NOTE: Fetch AWS Credentials

on:
  workflow_dispatch:
permissions:
  id-token: write
  contents: read

defaults:
  run:
    shell: bash
    working-directory: ./terraform-manifests

jobs:
  iac-aws-gh1-build:
    runs-on: ubuntu-latest

    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Configure AWS Credentials (OIDC)
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: arn:aws:iam::390157243794:role/tf-core-oidcRole
          aws-region: eu-west-2 # NOTE: The STS API endpoint that GitHub Actions calls to assume the role is regional. The region must match where the OIDC provider has been deployed (terraform-core/aws-oidc/c5-oidc-provider.tf)
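
The claim validation the cloud provider performs in step 4 of the flow above, which is what the role-to-assume trust in the AWS workflow relies on, as an added example that is not part of the original post: a Python evaluator of an IAM-style trust-policy Condition block over the GitHub OIDC token's claims. The org/repo names and token values are constructed, fnmatch stands in for IAM's StringLike matching, and signature verification against GitHub's JWKS is left out.

```python
import base64, fnmatch, json, time
GITHUB_ISSUER = "https://token.actions.githubusercontent.com"

# Trust conditions shaped like an IAM trust-policy Condition block (hypothetical
# org/repo). The sub pattern pins the role to one repository and one branch;
# "repo:example-org/*" would instead admit every repository in the org.
TRUST_CONDITIONS = {
    "StringEquals": {"token.actions.githubusercontent.com:aud": "sts.amazonaws.com"},
    "StringLike": {"token.actions.githubusercontent.com:sub":
                   "repo:example-org/example-repo:ref:refs/heads/main"},
}

def decode_payload(jwt):
    """Parse the payload segment only. A real provider first verifies the RS256
    signature against GitHub's published JWKS; this demo does not."""
    seg = jwt.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4)))

def evaluate_trust(claims, conditions, now=None):
    """Return (allowed, reason): issuer, expiry, then each Condition operator."""
    now = time.time() if now is None else now
    if claims.get("iss") != GITHUB_ISSUER:
        return False, "unexpected issuer"
    if now >= claims.get("exp", 0):
        return False, "token expired"
    for key, want in conditions.get("StringEquals", {}).items():
        if claims.get(key.rpartition(":")[2]) != want:
            return False, key + " mismatch"
    for key, pattern in conditions.get("StringLike", {}).items():
        # fnmatch approximates IAM StringLike (* and ? wildcards), case-sensitive
        if not fnmatch.fnmatchcase(str(claims.get(key.rpartition(":")[2], "")), pattern):
            return False, key + " does not match " + pattern
    return True, "ok"

def make_unsigned_token(claims):
    """Constructed demo token (header.payload.) with an empty signature segment."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return enc({"alg": "RS256", "typ": "JWT"}) + "." + enc(claims) + "."

def demo(now=1_700_000_000):
    """Evaluate constructed sub claims against TRUST_CONDITIONS; only main passes."""
    base = {"iss": GITHUB_ISSUER, "aud": "sts.amazonaws.com", "exp": now + 300}
    subs = {
        "main branch": "repo:example-org/example-repo:ref:refs/heads/main",
        "feature branch": "repo:example-org/example-repo:ref:refs/heads/feature-x",
        "pull request": "repo:example-org/example-repo:pull_request",
        "other org": "repo:other-org/example-repo:ref:refs/heads/main",
    }
    return {name: evaluate_trust(decode_payload(make_unsigned_token({**base, "sub": sub})),
                                 TRUST_CONDITIONS, now)[0] for name, sub in subs.items()}
```

Loosening the StringLike pattern to "repo:example-org/example-repo:*" makes the pull-request and feature-branch tokens pass too, which is why the sub condition is the part of the trust to review most carefully.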

My example GitHub repositories using GitHub Actions and OIDC to deploy Terraform against AWS:


» Sources « #

More On GitHub Actions Security:

» Disclaimer « #

This series draws heavily from Maximilian Schwarzmüller’s GitHub Actions - The Complete Guide course on Udemy.

About the instructor:
  • 🌐 Website
  • 📺 YouTube
  • 💼 LinkedIn
  • 🗃️ GitHub

My Repos for this section:
  • cicd-gh-actions-course: Learnings from "GitHub Actions - The Complete Guide" on Udemy.

ℹ️Shared for educational purposes only, no rights reserved.


Author: RobK
DevOps | Agile | AWS | Ansible | Terraform | GitHub Actions | Linux | Windows