Welcome to Цифровая крепость / Digital Fortress

Discussion: Secure deployments with OpenID Connect & GitHub Actions now generally available

Git
Continuous delivery workflows in GitHub Actions can deploy software, create and update cloud infrastructure, and use other services in a cloud provider, like Amazon Web Services (AWS), Azure, Google Cloud Platform (GCP), or HashiCorp.

As a part of our effort to make GitHub Actions easier and more secure, we are announcing general availability of GitHub Actions support for OpenID Connect (OIDC). Now that Actions supports OIDC, you can take a more secure cloud deployment approach by configuring your workflow to request a short-lived access token directly from the cloud provider. Many providers support OIDC, including AWS, Azure, GCP, and HashiCorp Vault.

OIDC + GitHub Actions


Without OIDC, you would need to store a credential or token as an encrypted secret in GitHub and present that secret to the cloud provider every time the workflow runs. The new OIDC support gives you a very clear separation between the configuration that you need to manage in GitHub and the permissions that you need to manage in the cloud portal, making cloud deployments simpler to set up and more secure.

No long-lived cloud secrets: You won’t need to add long-lived cloud credentials as GitHub secrets and worry about token expiry and rotating them. Instead, you can configure the OIDC trust on your cloud provider, and then update your workflows to request a short-lived access token from the cloud provider through OIDC.

Authentication and authorization management: You have more granular control over which workflows can access cloud resources by using your cloud provider’s authentication (authN) and authorization (authZ) tools.

Rotating credentials: With OIDC, your cloud provider issues a short-lived access token that is only valid for a single workflow job, and then automatically expires.

How it works

  1. Developers set up OIDC trust on their cloud roles to manage access between their deployment workflows and cloud resources.
  2. In each deployment, a GitHub Actions workflow can now mint an auto-generated OIDC token. This token has all the metadata needed to get a secure, verifiable identity for the workflow that’s trying to authenticate.
  3. Cloud login actions can fetch this token and present it to their respective clouds.
  4. The cloud provider then validates the claims in the OIDC token against the cloud role definition and provides a short-lived access token. Actions and steps within the same workflow job can use this access token to connect and deploy to the cloud resources. The token expires when the workflow job completes.

OpenID Connect diagram


Get started today


To make it easy to use OIDC to deploy, we have worked with popular cloud partners, like AWS, Azure, GCP, and HashiCorp Vault, to add OIDC support to their official login actions. Learn more about how you can secure your cloud deployments by using OIDC in your workflows. Additionally, see the GitHub documentation on OpenID Connect (OIDC) support in GitHub.
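The following is an added example, not part of the original announcement and not GitHub's or AWS's own sample code. It shows the two halves of the setup the four steps above describe, for the AWS case: the workflow that mints the OIDC token and exchanges it for short-lived credentials (steps 2 and 3), and a CloudFormation template that creates the OIDC trust on the cloud side so the role can validate the token's claims (steps 1 and 4). The repository example-org/example-app, the account ID 123456789012, the role name github-actions-deploy, the region and the attached managed policy are placeholders; the action aws-actions/configure-aws-credentials and the issuer URL https://token.actions.githubusercontent.com are real. The thumbprint values are the ones commonly published for this issuer and are an assumption here; verify them against current AWS and GitHub documentation before use.

```yaml
# Added example, not from the original post. Two YAML documents follow:
# the workflow (GitHub side) and a CloudFormation template (AWS side).
# example-org/example-app, 123456789012, github-actions-deploy and
# us-east-1 are placeholders.

# --- file: .github/workflows/deploy.yml ---
name: deploy
on:
  push:
    branches: [main]

jobs:
  deploy:
    runs-on: ubuntu-latest
    environment: production          # ends up in the token's "sub" claim
    permissions:
      id-token: write                # allows this job to request an OIDC token
      contents: read                 # restated: listing any permission sets the rest to none
    steps:
      - uses: actions/checkout@v4

      - name: Exchange the OIDC token for short-lived AWS credentials
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: arn:aws:iam::123456789012:role/github-actions-deploy
          aws-region: us-east-1
          role-session-name: gha-${{ github.run_id }}   # shows up in CloudTrail

      - name: Deploy with the temporary credentials
        run: aws sts get-caller-identity   # prints the assumed role; replace with the real deploy step

---
# --- file: iam-oidc.yaml (CloudFormation; creates no long-lived secret) ---
AWSTemplateFormatVersion: "2010-09-09"
Resources:
  GitHubOidc:
    Type: AWS::IAM::OIDCProvider
    Properties:
      Url: https://token.actions.githubusercontent.com   # the token's "iss"
      ClientIdList: [sts.amazonaws.com]                  # must equal the token's "aud"
      ThumbprintList:                                    # assumed values; verify before use
        - 6938fd4d98bab03faadb97b34396831e3780aea1
        - 1c58a3a8518e8759bf075b76b750d4f2df264fcd

  DeployRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: github-actions-deploy
      MaxSessionDuration: 3600
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Federated: !GetAtt GitHubOidc.Arn
            Action: sts:AssumeRoleWithWebIdentity
            Condition:
              StringEquals:
                token.actions.githubusercontent.com:aud: sts.amazonaws.com
                # Pin the role to exactly one repository and one environment.
                token.actions.githubusercontent.com:sub: repo:example-org/example-app:environment:production
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/ReadOnlyAccess   # placeholder; attach only what the deploy needs
```

The security-relevant part is the Condition block. The aud check ensures the token was minted for this provider registration, and the sub check is what turns "a GitHub workflow" into "this repository's production environment". Relaxing sub with a StringLike pattern such as repo:example-org/example-app:* admits every branch, pull request and environment of that repository, and a pattern covering repo:example-org/* would let any repository in the organisation assume the role, so keep it as tight as the deployment allows. The credentials the action returns are bounded by MaxSessionDuration and by the job itself, which is what replaces the stored secret and its rotation schedule.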