GitHub Actions: Secure cloud deployments with OpenID Connect

GitHub Actions now supports OpenID Connect (OIDC) for secure deployments to cloud, which uses short-lived tokens that are automatically rotated for each deployment.
This enables:

  • Seamless authentication between Cloud Providers and GitHub without the need for storing any long-lived cloud secrets in GitHub
  • Cloud Admins can rely on the security mechanisms of their cloud provider to ensure that GitHub Actions workflows get the minimal access for cloud resources. There is no duplication of secret management in GitHub and the cloud.

How this works:

  1. Developers set up OIDC trust on their cloud roles to manage access between their deployment workflows and cloud resources.
  2. In each deployment, GitHub Actions workflow presents an autogenerated OIDC JWT token to the cloud provider
  3. Cloud provider validates the claims in the OIDC token against the cloud role definition and provides a cloud access token to connect and deploy to the Cloud only during the workflow run.

image

Learn more about Security hardening your GitHub Workflows using OpenID Connect.