Published on March 15, 2023
GitHub Actions, GitHub’s CICD service offering, now supports using OpenID Connect (OIDC) credentials to authenticate against cloud providers including HashiCorp Vault, AWS, Azure and GCP without requiring long-lived credentials.
To make changes to provisioned infrastructure, modern cloud development usually requires a Continuous Integration and Continuous Deployment (CICD) server to authenticate against a cloud provider. In the past, the CICD server assumed an identity within the cloud provider by using a set of long-lived, manually configured credentials. Because of what they are used for, these credentials have always posed a significant business risk.
OpenID Connect is an interoperable authentication protocol that provides verifiable information about a user’s identity. The relevant user data can be provided as claims in a JSON Web Token (JWT) called the ID Token, as long as the identity provider is one that the verifying party trusts.
With GitHub Actions, the first step is to register GitHub as an external identity source within the cloud provider’s Identity and Access Management configuration. When workflows then execute, pipelines have access to an ID Token that is specific to the unique run of the pipeline. The token includes an identifier of its bearer along with its target audience.
The cloud provider can then use this information to issue short-lived credentials, e.g. access tokens, for any subsequent operations. GitHub Actions currently supports HashiCorp Vault, Amazon Web Services, Azure, and Google Cloud Platform.
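The claim check described above, as an added example that is not code from GitHub or any cloud provider: it evaluates an ID Token's issuer, audience, expiry and subject against a trust policy, and shows that a policy with no subject constraint accepts a token from any repository. The policy structure, the repository names and the sample tokens are constructed assumptions, and signature verification against the issuer's published keys is assumed to have happened already.

```python
import base64, json, time
from fnmatch import fnmatchcase

ISSUER = "https://token.actions.githubusercontent.com"  # GitHub Actions OIDC issuer
# Constructed policies; the org/repo names and audience choice are assumptions.
STRICT = {"issuer": ISSUER, "audience": "sts.amazonaws.com",
          "subjects": ["repo:example-org/infra:ref:refs/heads/main"]}
LOOSE = dict(STRICT, subjects=["*"])  # no real subject constraint

def _b64url(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

def make_sample_token(claims):
    """Build a constructed, unsigned stand-in for an ID Token (sample input only)."""
    return ".".join([_b64url({"alg": "RS256", "typ": "JWT"}), _b64url(claims), "constructed"])

def decode_claims(token):
    """Decode the payload segment. Signature verification against the issuer's
    published keys is assumed to have succeeded before this is called."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))

def evaluate(claims, policy, now=None):
    """Return (allowed, reason) for already-verified claims against a trust policy."""
    now = time.time() if now is None else now
    if claims.get("iss") != policy["issuer"]:
        return False, "issuer mismatch"
    aud = claims.get("aud")
    if policy["audience"] not in (aud if isinstance(aud, list) else [aud]):
        return False, "audience mismatch"
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        return False, "expired or missing exp"
    if not any(fnmatchcase(claims.get("sub", ""), p) for p in policy["subjects"]):
        return False, "subject not allowed"
    return True, "ok"

def demo(now=1_700_000_000):
    base = {"iss": ISSUER, "aud": "sts.amazonaws.com", "exp": now + 300}
    ours = make_sample_token({**base, "sub": "repo:example-org/infra:ref:refs/heads/main"})
    other = make_sample_token({**base, "sub": "repo:other-org/app:ref:refs/heads/main"})
    return {name: [evaluate(decode_claims(t), pol, now)[0] for t in (ours, other)]
            for name, pol in (("strict", STRICT), ("loose", LOOSE))}

if __name__ == "__main__":
    print(demo())
```

When reviewing a real trust configuration, the equivalent check is that the subject condition pins the repository (and ideally the branch or environment) rather than relying on the audience alone.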
In response to GitHub’s release of the functionality in late 2021, other CICD providers have added similar functionality to their platforms. The release of GitLab version 15.7 in late 2022 included support for access to HashiCorp Vault, AWS, Azure, and GCP, and CircleCI announced its support for GCP and AWS integration in February 2023.
OIDC login with cloud providers is available on all plans at no additional charge.