
Passwordless Cloud Deployments with GitHub Actions

GitHub’s CI/CD service offering, GitHub Actions, now supports the use of OpenID Connect (OIDC) credentials to authenticate against cloud providers such as HashiCorp Vault, AWS, Azure and GCP without the use of long-lived credentials or passwords.

Modern development in the cloud usually requires the authentication of a Continuous Integration and Continuous Deployment (CI/CD) server against a cloud provider, for the purposes of making changes to provisioned infrastructure. Historically this would have been via the creation of an identity within the cloud provider that the CI/CD server could assume by utilising a set of long-lived and manually set credentials. Given the purpose of these credentials, their compromise has always presented a significant business risk.

The OpenID Connect authentication protocol is an interoperable mechanism for providing verifiable information about a user’s identity. Provided the user’s identity provider is one the verifying party trusts, the relevant user data can be delivered as claims in a JSON Web Token (JWT) called the ID Token.

With GitHub Actions, the first step is the registration of GitHub as an external identity source within the cloud provider’s Identity and Access Management configuration. When a workflow executes, the pipeline then has access to an ID Token scoped to that unique run. Amongst other metadata, the token includes its intended audience and an identifier of its bearer.

The cloud provider can then use this information to issue short-lived credentials, e.g. access tokens, for any subsequent operations. GitHub Actions currently supports this with HashiCorp Vault, Amazon Web Services, Azure and Google Cloud Platform.
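The decision the cloud provider makes in the step above, whether the audience and bearer identifier in a run's ID Token satisfy the trust it registered for GitHub, is the part that determines how far a compromised workflow can reach. The following is an added illustration, not code from GitHub or any cloud provider, of that trust evaluation modelled on the conditions an AWS IAM role trust policy applies (exact match on the audience, pattern match on the subject). The tokens are constructed test data with a placeholder signature, and signature verification against the issuer's published keys is deliberately left out so the example runs offline; the subject format `repo:<owner>/<repo>:ref:refs/heads/<branch>` and the `sts.amazonaws.com` audience are GitHub's and AWS's real values, while the organisation, repository and timestamp are assumptions.

```python
import base64
import fnmatch
import json
import time

# Issuer that GitHub Actions places in the iss claim of its OIDC ID tokens.
GITHUB_ISSUER = "https://token.actions.githubusercontent.com"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # Compact JWTs drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_sample_id_token(claims: dict) -> str:
    """Build a constructed compact JWT for offline testing only.
    Real ID tokens from GitHub are RS256-signed by the issuer; the third
    segment here is a placeholder and carries no trust whatsoever."""
    header = {"alg": "RS256", "typ": "JWT"}
    return ".".join([
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode()),
        _b64url_encode(json.dumps(claims, separators=(",", ":")).encode()),
        _b64url_encode(b"placeholder-signature"),
    ])


def decode_claims_unverified(token: str) -> dict:
    """Return the payload of a compact JWT without checking its signature.
    A relying party must first verify the RS256 signature against the keys the
    issuer publishes (its JWKS); that network step is omitted so this runs offline."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWT with three segments")
    return json.loads(_b64url_decode(parts[1]))


def claims_satisfy_trust_policy(claims: dict, expected_audience: str,
                                allowed_subject_patterns: list, now=None) -> bool:
    """Apply the trust conditions a provider checks before minting short-lived
    credentials, modelled on an IAM role trust policy:
      - iss must be GitHub's token issuer              (StringEquals on iss)
      - aud must contain the value the provider expects (StringEquals on aud)
      - the token must not have expired                 (exp)
      - sub must match at least one allowed pattern     (StringLike on sub)
    Patterns use glob syntax, so '*' matches any run of characters."""
    now = time.time() if now is None else now
    if claims.get("iss") != GITHUB_ISSUER:
        return False
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if expected_audience not in audiences:
        return False
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        return False
    sub = claims.get("sub", "")
    return any(fnmatch.fnmatchcase(sub, pattern) for pattern in allowed_subject_patterns)


def evaluate_token(token: str, expected_audience: str,
                   allowed_subject_patterns: list, now=None) -> bool:
    """Decode a token and evaluate it against the registered trust policy."""
    claims = decode_claims_unverified(token)
    return claims_satisfy_trust_policy(claims, expected_audience, allowed_subject_patterns, now)


# Constructed sample data: a fixed clock, an assumed organisation and repository.
FIXED_NOW = 1_700_000_000
AWS_AUDIENCE = "sts.amazonaws.com"
MAIN_BRANCH_TOKEN = make_sample_id_token({
    "iss": GITHUB_ISSUER,
    "aud": AWS_AUDIENCE,
    "sub": "repo:example-org/example-repo:ref:refs/heads/main",
    "exp": FIXED_NOW + 300,
})
PULL_REQUEST_TOKEN = make_sample_id_token({
    "iss": GITHUB_ISSUER,
    "aud": AWS_AUDIENCE,
    "sub": "repo:example-org/example-repo:pull_request",
    "exp": FIXED_NOW + 300,
})
# Narrow trust: only runs on the main branch of one repository may assume the role.
STRICT_POLICY = ["repo:example-org/example-repo:ref:refs/heads/main"]
# Broad trust: any run in any repository of the organisation, pull requests included.
BROAD_POLICY = ["repo:example-org/*"]

if __name__ == "__main__":
    for name, token in (("main branch", MAIN_BRANCH_TOKEN), ("pull request", PULL_REQUEST_TOKEN)):
        strict = evaluate_token(token, AWS_AUDIENCE, STRICT_POLICY, now=FIXED_NOW)
        broad = evaluate_token(token, AWS_AUDIENCE, BROAD_POLICY, now=FIXED_NOW)
        print(f"{name:13s} strict={strict} broad={broad}")
```

Running the script shows the pull-request token rejected under the strict policy but accepted under the wildcard one: a subject pattern that ends in `*` grants every workflow in the organisation, including those triggered by pull requests, the same short-lived credentials as a trusted release branch, so the subject condition is where the scope of an OIDC trust should be pinned down.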

The reception to the new feature since its release has been largely positive, with Mitchell Hashimoto, founder of HashiCorp, tweeting:

With the recent discovery that GitHub Actions create an OIDC identity per run, it's possible to configure Vault to allow auth w/ Actions identities and subsequently use that to get access to... anything. Some cleanup required but this is very promising!

Despite the warm reception, adoption appears to have been slower than expected, with Nico Meisenzahl, head of DevOps Consulting & Operations at WhiteDuck, tweeting:

Is #OIDC authentication with Cloud providers and #Kubernetes in #GitHub Actions already a big thing out there? I see many advantages, but not many who have already adopted it.

Following GitHub’s release of the functionality in late 2021, other CI/CD providers have added a similar integration to their offerings. GitLab version 15.7, released in late 2022, included support for access to HashiCorp Vault, AWS, Azure and GCP, while CircleCI announced support for GCP and AWS integration in February 2023.

GitHub Actions OIDC login with cloud providers is available on all plans at no additional cost.
