GitHub Action security hardening with OpenID (OIDC) Connect - "Password-Less"

zekakgun

ZEK

Posted on September 29, 2024

GitHub Action security hardening with OpenID (OIDC) Connect - "Password-Less"

If your workflow performs operations on cloud resources, you should seriously consider using OIDC to enhance security and efficiency.

Why Use OpenID Connect (OIDC)?

GitHub Actions workflows often need access to cloud providers like AWS, Azure, GCP, or HashiCorp Vault to deploy software or use services. Traditionally, this has required storing credentials as GitHub secrets, which involves manually creating and duplicating them.

With OIDC, you can eliminate the need for long-lived secrets. Instead, workflows can directly request short-lived access tokens from the cloud provider. This approach is supported by cloud platforms such as AWS, Azure, GCP, and HashiCorp Vault, which require an OIDC trust relationship to be set up.

Image description

Key Benefits of Using OIDC for GitHub Actions

  1. No More Long-Lived Secrets
    OIDC eliminates the need for hardcoded credentials in GitHub secrets. By configuring OIDC trust in your cloud provider, each workflow requests a short-lived access token, drastically reducing the risk of credential leakage.

  2. Granular Security Control
    OIDC allows you to manage authentication (authN) and authorization (authZ) directly through your cloud provider. This enables fine-grained control over which workflows access specific cloud resources, providing more secure, role-based access management.

  3. Automatic Credential Rotation
    OIDC generates short-lived tokens for every workflow run, which are valid only for that specific job. These tokens automatically expire after use, minimizing security risks and eliminating the need for manual secret rotation.

Adopting OIDC strengthens your security posture while simplifying credential management, making it an essential best practice for any team using GitHub Actions with cloud services like AWS, Azure, or Google Cloud. It streamlines operations and minimizes manual effort, ensuring that your workflows remain secure and efficient.

Instead of repeating steps already covered by many here are some trusted resources that explain how to implement OIDC in detail

Further Resources for Implementing OIDC

GitHub Docs: Security Hardening with OIDC

GitHub Docs: Configuring OIDC in AWS

GitHub Docs: Configuring OIDC in GCP

💖 💪 🙅 🚩
zekakgun
ZEK

Posted on September 29, 2024

Join Our Newsletter. No Spam, Only the good stuff.

Sign up to receive the latest update from our blog.

Related