
ZEK


GitHub Actions security hardening with OpenID Connect (OIDC) - "Password-Less"

If your workflow performs operations on cloud resources, you should seriously consider using OIDC to enhance security and efficiency.

Why Use OpenID Connect (OIDC)?

GitHub Actions workflows often need access to cloud providers like AWS, Azure, GCP, or HashiCorp Vault to deploy software or use services. Traditionally, this has required storing credentials as GitHub secrets, which means creating them by hand and duplicating them wherever they are needed.

With OIDC, you can eliminate the need for long-lived secrets. Instead, workflows can directly request short-lived access tokens from the cloud provider. This approach is supported by cloud platforms such as AWS, Azure, GCP, and HashiCorp Vault, which require an OIDC trust relationship to be set up.


Key Benefits of Using OIDC for GitHub Actions

  1. No More Long-Lived Secrets
    OIDC eliminates the need for hardcoded credentials in GitHub secrets. By configuring OIDC trust in your cloud provider, each workflow requests a short-lived access token, drastically reducing the risk of credential leakage.

  2. Granular Security Control
    OIDC allows you to manage authentication (authN) and authorization (authZ) directly through your cloud provider. This enables fine-grained control over which workflows access specific cloud resources, providing more secure, role-based access management.

  3. Automatic Credential Rotation
    OIDC generates short-lived tokens for every workflow run, which are valid only for that specific job. These tokens automatically expire after use, minimizing security risks and eliminating the need for manual secret rotation.

Adopting OIDC strengthens your security posture while simplifying credential management, making it an essential best practice for any team using GitHub Actions with cloud services like AWS, Azure, or Google Cloud. It streamlines operations and minimizes manual effort, ensuring that your workflows remain secure and efficient.
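As an added illustration of the trust relationship described above (example code, not from the original post), here is a small Python checker that applies an AWS-style trust-policy condition to constructed GitHub OIDC token claims: only the pinned repository and branch are accepted, an expired token is refused, and a policy that checks only the audience accepts a token from any repository. The org/repo names, the policy and the claim sets are assumptions; the issuer URL and the `repo:...` subject formats are GitHub's.

```python
"""Check GitHub Actions OIDC token claims against an AWS-style trust-policy condition.
Constructed for illustration: org/repo names, policy and claim sets are made up; only the
issuer URL and the ``repo:...`` subject formats are GitHub's real values."""
import fnmatch
import json
import time

GITHUB_ISSUER = "https://token.actions.githubusercontent.com"
NOW = 1_700_000_000  # fixed clock so the example is deterministic

# Condition block in the shape AWS IAM trust policies use. The StringLike on
# "sub" is the control that decides WHICH workflow may assume the role.
STRICT = json.loads("""{
  "StringEquals": {"token.actions.githubusercontent.com:aud": "sts.amazonaws.com"},
  "StringLike": {"token.actions.githubusercontent.com:sub": "repo:example-org/deploy-app:ref:refs/heads/main"}
}""")
# Weak variant: the audience check alone accepts a token from ANY GitHub repository.
LOOSE = {"StringEquals": STRICT["StringEquals"]}

def _claim_for(key):
    """'token.actions.githubusercontent.com:sub' -> 'sub'."""
    return key.rsplit(":", 1)[1]

def trust_policy_allows(claims, condition, now=None):
    """True only if the token is valid and satisfies every condition clause."""
    now = time.time() if now is None else now
    if claims.get("iss") != GITHUB_ISSUER or claims.get("exp", 0) <= now:
        return False  # wrong issuer, or the short-lived token has expired
    for key, expected in condition.get("StringEquals", {}).items():
        if claims.get(_claim_for(key)) != expected:
            return False
    for key, pattern in condition.get("StringLike", {}).items():
        # IAM StringLike supports * and ? wildcards, which fnmatch also implements
        if not fnmatch.fnmatchcase(str(claims.get(_claim_for(key), "")), pattern):
            return False
    return True

def sample_claims(sub, exp=NOW + 300):
    """Constructed payload shaped like a GitHub Actions OIDC token."""
    return {"iss": GITHUB_ISSUER, "aud": "sts.amazonaws.com", "sub": sub, "exp": exp}

MAIN = sample_claims("repo:example-org/deploy-app:ref:refs/heads/main")
FEATURE = sample_claims("repo:example-org/deploy-app:ref:refs/heads/feature-x")
PULL_REQUEST = sample_claims("repo:example-org/deploy-app:pull_request")
OTHER_REPO = sample_claims("repo:someone-else/deploy-app:ref:refs/heads/main")
EXPIRED = sample_claims("repo:example-org/deploy-app:ref:refs/heads/main", exp=NOW - 1)
if __name__ == "__main__":
    for name, c in [("main", MAIN), ("feature", FEATURE), ("pull_request", PULL_REQUEST),
                    ("other repo", OTHER_REPO), ("expired", EXPIRED)]:
        print(f"{name:12} strict={trust_policy_allows(c, STRICT, NOW)!s:5} loose={trust_policy_allows(c, LOOSE, NOW)}")
```

The `LOOSE` column is the caveat: an audience-only condition is what you get when the `sub` clause is forgotten, and it grants the role to every GitHub Actions workflow on the platform.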

Instead of repeating steps that many others have already covered, here are some trusted resources that explain how to implement OIDC in detail:

Further Resources for Implementing OIDC

GitHub Docs: Security Hardening with OIDC

GitHub Docs: Configuring OIDC in AWS

GitHub Docs: Configuring OIDC in GCP


