GitHub Action security hardening with OpenID (OIDC) Connect - "Password-Less"
ZEK
Posted on September 29, 2024
If your workflow performs operations on cloud resources, you should seriously consider using OIDC to enhance security and efficiency.
Why Use OpenID Connect (OIDC)?
GitHub Actions workflows often need access to cloud providers like AWS, Azure, GCP, or HashiCorp Vault to deploy software or use services. Traditionally, this has required storing credentials as GitHub secrets, which involves manually creating and duplicating them.
With OIDC, you can eliminate the need for long-lived secrets. Instead, workflows can directly request short-lived access tokens from the cloud provider. This approach is supported by cloud platforms such as AWS, Azure, GCP, and HashiCorp Vault, which require an OIDC trust relationship to be set up.
Key Benefits of Using OIDC for GitHub Actions
No More Long-Lived Secrets
OIDC eliminates the need for hardcoded credentials in GitHub secrets. By configuring OIDC trust in your cloud provider, each workflow requests a short-lived access token, drastically reducing the risk of credential leakage.Granular Security Control
OIDC allows you to manage authentication (authN) and authorization (authZ) directly through your cloud provider. This enables fine-grained control over which workflows access specific cloud resources, providing more secure, role-based access management.Automatic Credential Rotation
OIDC generates short-lived tokens for every workflow run, which are valid only for that specific job. These tokens automatically expire after use, minimizing security risks and eliminating the need for manual secret rotation.
Adopting OIDC strengthens your security posture while simplifying credential management, making it an essential best practice for any team using GitHub Actions with cloud services like AWS, Azure, or Google Cloud. It streamlines operations and minimizes manual effort, ensuring that your workflows remain secure and efficient.
Instead of repeating steps already covered by many here are some trusted resources that explain how to implement OIDC in detail
Further Resources for Implementing OIDC
GitHub Docs: Security Hardening with OIDC
GitHub Docs: Configuring OIDC in AWS
GitHub Docs: Configuring OIDC in GCP
Posted on September 29, 2024
Join Our Newsletter. No Spam, Only the good stuff.
Sign up to receive the latest update from our blog.
Related
September 29, 2024