oidc

Subscribe to all “oidc” posts via RSS or follow GitHub Changelog on Twitter to stay updated on everything we ship.

~ cd github-changelog
~/github-changelog|main git log main
showing all changes successfully

OpenID Connect (OIDC) support in GitHub Actions enables secure cloud deployments using short-lived tokens that are automatically rotated for each deployment.

You can now use the enhanced OIDC support to configure the subject claim format within the OIDC tokens, by defining a customization template at either org or repo levels. Once the configuration is completed, the new OIDC tokens generated during each deployment will follow the custom format.

This enables organization & repository admins to standardize OIDC configuration across their cloud deployment workflows that suits their compliance & security needs.

Learn more about Security hardening your GitHub Workflows using OpenID Connect.

See more

OpenID Connect (OIDC) support in GitHub Actions is now enhanced to support secure cloud deployments at scale.

Org & repo admins can use the new OIDC API support to:

  • enable a standard OIDC configuration across their cloud deployment workflows by customizing the subject claim format.
  • ensure additional compliance & security for their OIDC based deployments by appending the issuer url with their enterprise slug
  • configure advanced OIDC policies by using the additional OIDC token claims like repository_id and repo_visibility.

Learn more about Security hardening your GitHub Workflows using OpenID Connect.

See more

GitHub Actions now supports OpenID Connect (OIDC) for secure deployments to cloud, which uses short-lived tokens that are automatically rotated for each deployment.
This enables:

  • Seamless authentication between Cloud Providers and GitHub without the need for storing any long-lived cloud secrets in GitHub
  • Cloud Admins can rely on the security mechanisms of their cloud provider to ensure that GitHub Actions workflows get the minimal access for cloud resources. There is no duplication of secret management in GitHub and the cloud.

How this works:

  1. Developers set up OIDC trust on their cloud roles to manage access between their deployment workflows and cloud resources.
  2. In each deployment, GitHub Actions workflow presents an autogenerated OIDC JWT token to the cloud provider
  3. Cloud provider validates the claims in the OIDC token against the cloud role definition and provides a cloud access token to connect and deploy to the Cloud only during the workflow run.

image

Learn more about Security hardening your GitHub Workflows using OpenID Connect.

See more