AI and VoIP Blog



Integrating OpenID Connect with GitHub Actions: A Secure Path to CI/CD Automation


Introduction

In the realm of Continuous Integration/Continuous Deployment (CI/CD), security and automation are key components that drive the efficiency and reliability of software development workflows. OpenID Connect (OIDC) has emerged as a powerful standard for authentication, providing a secure and streamlined way to integrate CI/CD pipelines with various cloud services. This blog post explores the integration of OIDC with GitHub Actions, offering a secure method to deploy and manage cloud resources without the need for static, long-lived credentials.

Understanding OIDC and GitHub Actions

OIDC is an authentication layer on top of OAuth 2.0, allowing verified clients to request and receive information about authenticated sessions and end-users. GitHub Actions, a CI/CD solution provided by GitHub, supports OIDC for authenticating with cloud providers like AWS, Azure, and Google Cloud Platform (GCP), enabling a more secure and simplified access mechanism.

Benefits of Using OIDC with GitHub Actions

  • Security: Minimizes the risk of credential exposure by eliminating the need for storing access keys in the CI/CD pipeline.
  • Simplicity: Simplifies the workflow configuration and credential management process.
  • Compliance: Meets compliance requirements by using temporary credentials and reducing the attack surface.

Integrating OIDC with GitHub Actions: A Step-by-Step Guide

Integrating OpenID Connect (OIDC) with GitHub Actions involves two main configurations: setting up an identity provider configuration that can be utilized by a third party (GitHub Actions in this context) and then configuring your GitHub Actions workflow to use this identity for authentication. Here’s how you can easily achieve both:

The steps for AWS are given below. For Azure, you can follow the steps linked here.

  1. Create an OIDC Identity Provider:
    • Go to IAM → Identity Providers in the AWS Management Console.
    • Click “Add Provider”, select “OpenID Connect”, and enter the Provider URL (https://token.actions.githubusercontent.com).
    • Add “sts.amazonaws.com” as the audience.
  2. Create an IAM Role for GitHub Actions:
    • Create a new IAM role with the “Web identity” type and select the OIDC provider you created.
    • Define a trust policy that allows actions from your GitHub repository to assume the role.
    • Attach policies that grant the necessary permissions for your workflows.

Sample Trust Policy for AWS IAM Role:





{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Federated": "arn:aws:iam::1234:oidc-provider/token.actions.githubusercontent.com"
},
"Action": "sts:AssumeRoleWithWebIdentity",
"Condition": {
"StringEquals": {
"token.actions.githubusercontent.com:aud": "sts.amazonaws.com",
"token.actions.githubusercontent.com:sub": "repo:GitHubOrg/GitHubRepo:ref:refs/heads/GitHubBranch"
}
}
}
]
}
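The two conditions in that trust policy are what keep the role from being assumable by arbitrary GitHub workflows: the aud condition rejects tokens minted for a different audience, and the sub condition pins the role to one repository and branch. The following script is an added example, not code from the original post or from AWS. It loads the post's trust policy, lints it for the weaknesses that matter here (missing aud or sub condition, or a sub pattern not pinned to a repository), and then runs a simplified model of the StringEquals/StringLike matching STS performs, so you can see which tokens a policy would accept. The account id 1234 and the org/repo/branch names are the post's placeholders; the token claims and the deliberately weakened policy are constructed for this example, and the evaluator is an illustration of the check, not the real AWS policy engine.

```python
"""Lint and evaluate a GitHub Actions OIDC trust policy (added example)."""
import copy
import fnmatch
import json

ISSUER = "token.actions.githubusercontent.com"

# Trust policy from the post; 1234 and GitHubOrg/GitHubRepo are placeholders.
TRUST_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::1234:oidc-provider/token.actions.githubusercontent.com"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "token.actions.githubusercontent.com:aud": "sts.amazonaws.com",
          "token.actions.githubusercontent.com:sub": "repo:GitHubOrg/GitHubRepo:ref:refs/heads/GitHubBranch"
        }
      }
    }
  ]
}
""")

# Constructed weak variant: the sub condition is replaced by a StringLike
# wildcard that matches every repository on GitHub.
WEAK_POLICY = copy.deepcopy(TRUST_POLICY)
_cond = WEAK_POLICY["Statement"][0]["Condition"]
del _cond["StringEquals"][f"{ISSUER}:sub"]
_cond["StringLike"] = {f"{ISSUER}:sub": "repo:*"}

# Constructed sample claims, modelled on the aud/sub fields of a GitHub token.
MAIN_BRANCH_TOKEN = {"aud": "sts.amazonaws.com",
                     "sub": "repo:GitHubOrg/GitHubRepo:ref:refs/heads/GitHubBranch"}
PULL_REQUEST_TOKEN = {"aud": "sts.amazonaws.com",
                      "sub": "repo:GitHubOrg/GitHubRepo:pull_request"}
OTHER_REPO_TOKEN = {"aud": "sts.amazonaws.com",
                    "sub": "repo:SomeoneElse/Fork:ref:refs/heads/GitHubBranch"}


def _conditions(statement):
    """Yield (operator, condition key, [values]) for each condition entry."""
    for op, block in statement.get("Condition", {}).items():
        for key, value in block.items():
            yield op, key, value if isinstance(value, list) else [value]


def _repo_of(sub_value):
    """Return the OWNER/REPO segment of a 'repo:OWNER/REPO:...' sub value."""
    if not sub_value.startswith("repo:"):
        return None
    return sub_value[len("repo:"):].split(":", 1)[0]


def lint_trust_policy(policy):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    for stmt in policy.get("Statement", []):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") != "Allow" or "sts:AssumeRoleWithWebIdentity" not in actions:
            continue
        conds = {key: (op, values) for op, key, values in _conditions(stmt)}
        if f"{ISSUER}:aud" not in conds:
            findings.append("no aud condition: tokens for other audiences accepted")
        if f"{ISSUER}:sub" not in conds:
            findings.append("no sub condition: any GitHub repository could assume the role")
        else:
            for value in conds[f"{ISSUER}:sub"][1]:
                repo = _repo_of(value)
                if repo is None or "*" in repo or "?" in repo:
                    findings.append(f"sub value '{value}' is not pinned to a repository")
    return findings


def evaluate_trust(policy, claims):
    """Approximate STS: True if every condition of some Allow statement matches."""
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        matched = True
        for op, key, values in _conditions(stmt):
            claim = claims.get(key.split(":", 1)[1])  # "<issuer>:sub" -> "sub"
            if claim is None:
                matched = False
            elif op == "StringEquals":
                matched = claim in values
            elif op == "StringLike":
                matched = any(fnmatch.fnmatchcase(claim, v) for v in values)
            else:
                matched = False  # other operators are not modelled here
            if not matched:
                break
        if matched:
            return True
    return False


if __name__ == "__main__":
    for name, policy in (("post policy", TRUST_POLICY), ("weak policy", WEAK_POLICY)):
        print(name, "findings:", lint_trust_policy(policy) or "none")
        for label, token in (("main branch", MAIN_BRANCH_TOKEN),
                             ("pull_request", PULL_REQUEST_TOKEN),
                             ("other repo", OTHER_REPO_TOKEN)):
            print(f"  {label:12} ->", "allowed" if evaluate_trust(policy, token) else "denied")
```

Running it shows that the post's policy admits only the pinned branch token and denies a pull_request token from the same repository as well as a token from another repository, while the wildcard variant is flagged by the linter and accepts the foreign repository's token. The sub format matters: GitHub issues different sub values for branches, tags, pull requests and environments, so the condition should name exactly the contexts that are meant to deploy.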

Configuring GitHub Actions Workflow

  1. Add Permissions to Workflow:
    • Ensure your workflow has the permissions to request an OIDC token. You need to add the “permissions” block to enable OIDC authentication as shown below:

name: My Github Action Workflow

on:
  push:
    branches:
      - main

permissions:
  id-token: write
  contents: read

  2. Configure AWS Credentials Using OIDC:
    • Use the aws-actions/configure-aws-credentials action to configure AWS credentials in your workflow. This step configures GitHub Actions to use the AWS role for authentication, as shown below:

      - name: Configure AWS Credentials
        uses: aws-actions/configure-aws-credentials@v1
        with:
          aws-region: us-east-1
          role-to-assume: arn:aws:iam::1234:role/YourIAMRoleName
          role-session-name: GitHubActions

  3. Deploy to AWS:
    • After configuring credentials, add steps to deploy your application or manage AWS resources.

      - name: Deploy to AWS
        run: |
          # Your deployment scripts or AWS CLI commands

By following these steps, you integrate OIDC with GitHub Actions in a way that’s both secure and simplified. This process essentially tells AWS, “Trust tokens coming from GitHub Actions,” and then tells GitHub Actions, “Use this trust to securely perform tasks in AWS.” It’s a powerful way to enhance your CI/CD pipelines with robust security and simplicity at its core.

Conclusion

Integrating OIDC with GitHub Actions revolutionizes the way developers interact with cloud services, enhancing security while maintaining the simplicity and efficiency of CI/CD workflows. By leveraging temporary, automatically rotated credentials, teams can focus on building and deploying without the overhead of managing sensitive information. This approach not only aligns with best security practices but also paves the way for more scalable and compliant cloud operations.


Akash Gupta
Senior VoIP Engineer and AI Enthusiast
