GitHub: Actions OpenID Connect (OIDC)

OpenID Connect (OIDC) lets a workflow job obtain a short-lived token from a cloud provider in exchange for the signed JWT that GitHub issues for that job. This removes the need for long-lived cloud credentials stored as secrets in GitHub or in an external key vault, and with them the rotation and expiry handling those credentials require. GitHub documents OIDC integrations with AWS, Azure, Google Cloud and HashiCorp Vault, and any provider that can validate a token from GitHub's issuer can be configured the same way.

An OIDC trust is defined mainly by the audience and subject claims of the token. The audience (aud) identifies the party the token is intended for; GitHub sets it by default to the URL of the repository owner (for example https://github.com/{orgname}), and the cloud-side integrations usually request a provider-specific value such as sts.amazonaws.com for AWS or api://AzureADTokenExchange for Azure. The issuer (iss) is always https://token.actions.githubusercontent.com. The subject (sub) encodes the GitHub context the token was minted in: the repository plus the branch or tag, the pull_request event, or the environment the job targets.

The subject condition in an AWS IAM role trust policy supports wildcards (`*` and `?`) through the StringLike operator, and `*` matches across `/` and `:` as well as ordinary characters. For example, to let every repository in an organization assume the same role, define the sub condition as

    "Condition": {
        "StringLike": {
            "token.actions.githubusercontent.com:sub": "repo:{orgname}/*"
        }
    }

If it is for a particular repository in an organization, you can define it as

    "repo:{orgname}/{reponame}:*"

AWS also recommends an exact StringEquals condition on token.actions.githubusercontent.com:aud next to the sub condition, so that a GitHub token minted for a different audience cannot assume the role. Keep in mind that an organization-wide pattern admits every event type in every repository of the organization, including pull_request builds, because the trailing wildcard spans the rest of the subject. Please refer to the AWS OpenID Connect documentation and GitHub's OIDC documentation for more details on how the subject claim is formed.

Azure federated identity credentials do not support partial matching or wildcards: the subject in the credential must match the token's sub claim exactly. To obtain a consistent OIDC subject claim for Azure regardless of branch, environment or event, one can customize the subject claim template through the GitHub REST API (the actions/oidc/customization/sub endpoints, available at organization and repository level). I have published a new custom action to GitHub Marketplace to address the need for a custom OIDC subject claim at organization and repository level.

The Actions Custom OIDC Claim action supports enforcing a custom OIDC subject claim at repository and organization level. Moreover, this action can be used to revert to the default subject claim.
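The following is an added example, not code from the article or from the Actions Custom OIDC Claim action. It models the two matching behaviours described above: the AWS trust policy with StringLike wildcards on the sub claim (the organization-wide and repository-scoped patterns), and the exact-match Azure federated identity credential. The subject formats follow GitHub's documented defaults; the organization name `myorg`, the repository names and the policy values are constructed samples, and only the StringEquals and StringLike operators are modelled.

```python
"""Added example (not from the original article): build the GitHub Actions
OIDC `sub` claim for a job and test it against an AWS IAM trust policy
Condition and an Azure federated identity credential. Names such as
`myorg`, `repo-a` and `repo-b` are constructed sample values."""
import re

ISSUER = "https://token.actions.githubusercontent.com"
CLAIM_PREFIX = "token.actions.githubusercontent.com:"


def github_default_sub(repo, event, ref=None, environment=None):
    """Default `sub` claim GitHub issues for a job (documented formats).
    A job bound to an environment gets the environment form, a pull_request
    job gets the pull_request form, everything else the ref form."""
    if environment:
        return f"repo:{repo}:environment:{environment}"
    if event == "pull_request":
        return f"repo:{repo}:pull_request"
    if ref is None:
        raise ValueError("ref is required for a non-PR, non-environment job")
    return f"repo:{repo}:ref:{ref}"


def iam_string_like(pattern, value):
    """AWS IAM StringLike: '*' matches any run of characters (including '/'
    and ':'), '?' matches exactly one character, comparison is case-sensitive."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, value, re.DOTALL) is not None


def aws_trust_allows(condition, claims):
    """Evaluate a trust policy Condition block against the token claims.
    Every listed key must match (AND); a missing claim is a deny."""
    for operator, tests in condition.items():
        for key, patterns in tests.items():
            claim = claims.get(key[len(CLAIM_PREFIX):] if key.startswith(CLAIM_PREFIX) else key)
            if claim is None:
                return False
            if isinstance(patterns, str):
                patterns = [patterns]
            if operator == "StringEquals":
                ok = claim in patterns
            elif operator == "StringLike":
                ok = any(iam_string_like(p, claim) for p in patterns)
            else:
                raise ValueError(f"operator not modelled here: {operator}")
            if not ok:
                return False
    return True


def azure_fic_allows(fic, claims):
    """Azure federated identity credential: issuer, subject and audience are
    compared for exact equality; there is no wildcard or partial matching."""
    return (fic["issuer"] == claims["iss"]
            and fic["subject"] == claims["sub"]
            and claims["aud"] in fic["audiences"])


def claims_for(sub, aud):
    return {"iss": ISSUER, "sub": sub, "aud": aud}


# Constructed sample: organization-wide trust with the recommended aud check.
ORG_WIDE_CONDITION = {
    "StringEquals": {CLAIM_PREFIX + "aud": "sts.amazonaws.com"},
    "StringLike": {CLAIM_PREFIX + "sub": "repo:myorg/*"},
}

# Constructed sample: Azure credential pinned to one branch of one repository.
MAIN_BRANCH_FIC = {
    "issuer": ISSUER,
    "subject": "repo:myorg/repo-a:ref:refs/heads/main",
    "audiences": ["api://AzureADTokenExchange"],
}


def demo():
    main_push = github_default_sub("myorg/repo-a", "push", ref="refs/heads/main")
    pr_build = github_default_sub("myorg/repo-b", "pull_request")
    tag_build = github_default_sub("myorg/repo-a", "push", ref="refs/tags/v1.0")
    aws = "sts.amazonaws.com"
    azure = "api://AzureADTokenExchange"
    return {
        # the org-wide wildcard admits the main branch of repo-a ...
        "aws_main": aws_trust_allows(ORG_WIDE_CONDITION, claims_for(main_push, aws)),
        # ... and, since '*' spans ':' too, every pull_request job in the org
        "aws_pr": aws_trust_allows(ORG_WIDE_CONDITION, claims_for(pr_build, aws)),
        # a token minted for another audience is refused despite a good sub
        "aws_wrong_aud": aws_trust_allows(ORG_WIDE_CONDITION, claims_for(main_push, "https://github.com/myorg")),
        # Azure compares the subject exactly, so a tag build does not match
        "azure_main": azure_fic_allows(MAIN_BRANCH_FIC, claims_for(main_push, azure)),
        "azure_tag": azure_fic_allows(MAIN_BRANCH_FIC, claims_for(tag_build, azure)),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {'ALLOW' if allowed else 'DENY'}")
```

Two details worth noticing in the output: the organization-wide StringLike pattern allows the pull_request subject of any repository, which is why a repository-scoped pattern such as `repo:myorg/repo-a:*` (note the trailing colon, which keeps `repo-ab` from matching) is the safer default; and the Azure credential rejects the tag build outright, which is the behaviour a customized, context-independent subject claim is meant to work around.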

More articles by Ambily KK: Why GitHub Actions?; GitHub Administration: Notify Security setting changes; Azure: Resource Analysis; GitHub: Automation; GitHub: Project Management; GitHub GraphQL; GitHub: Deployment Management; GitHub Custom actions: Reusable modules; POV: Enterprise DevOps Transformation; Cloud Migration: Oracle Database