
Github actions contexts

Both GitHub and Kubernetes implement OpenID Connect (OIDC), an open standard for decentralized authentication. Instead of multiple GitHub Actions workflows in a repository getting access to the same long-lived service account token, with OIDC a workflow can request a short-lived identity token representing exactly that workflow run. The cryptographically signed identity token includes information about the current workflow, like repository, branch, and workflow name. You can leverage GitHub Actions' OIDC issuing capabilities and the Kubernetes OIDC authentication strategy to eliminate manually distributing and managing long-lived credentials. I outline the required configuration in GitHub and Kubernetes, concluding with a showcase of an end-to-end demo deployment without static credentials.
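To make the claim-to-identity mapping concrete, here is an added example (not code from the original post) of the cluster-side policy that a kube-apiserver configured with `--oidc-issuer-url`, `--oidc-client-id` and `--oidc-username-prefix` effectively applies to such a token: issuer, audience and validity window are checked, and only the `sub` claim of one repository/branch is mapped to a Kubernetes username. The audience URL, username prefix, allowed subject and the unsigned test token are constructed for the demo, and signature verification against GitHub's JWKS is assumed to have already happened in the API server.

```python
import base64
import json
import time
from typing import Optional

# Values the kube-apiserver would carry in --oidc-issuer-url, --oidc-client-id and
# --oidc-username-prefix; the audience and prefix here are assumptions for the demo.
GITHUB_ISSUER = "https://token.actions.githubusercontent.com"
CLUSTER_AUDIENCE = "https://kubernetes.example.internal"  # hypothetical audience
USERNAME_PREFIX = "gha:"

# Constructed allow-list: exactly one workflow identity (repo + branch) may deploy.
ALLOWED_SUBJECTS = {"repo:example-org/app:ref:refs/heads/main"}


def _b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def decode_claims(token: str) -> dict:
    """Read the payload of a JWT. Signature verification against the issuer's JWKS
    is assumed to happen in the API server before this policy runs."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token is not a three-part JWT")
    return json.loads(_b64url_decode(parts[1]))


def kubernetes_identity(token: str, now: Optional[float] = None) -> Optional[str]:
    """Map a GitHub Actions OIDC token to a Kubernetes username, or None to reject it."""
    claims = decode_claims(token)
    now = time.time() if now is None else now
    if claims.get("iss") != GITHUB_ISSUER:
        return None  # token was not minted by GitHub Actions
    aud = claims.get("aud")
    if CLUSTER_AUDIENCE not in (aud if isinstance(aud, list) else [aud]):
        return None  # token was requested for some other relying party
    if not (claims.get("nbf", 0) <= now < claims.get("exp", 0)):
        return None  # outside the short validity window
    sub = claims.get("sub", "")
    if sub not in ALLOWED_SUBJECTS:
        return None  # right repo but wrong branch, or a different repo entirely
    return USERNAME_PREFIX + sub  # the name RBAC bindings would refer to


def make_unsigned_token(claims: dict) -> str:
    """Constructed test token (header.payload. with an empty signature); it exists
    only to exercise the policy offline, a real token carries GitHub's RS256 signature."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}."
```

The returned username is what a ClusterRoleBinding would name as its subject, so a token for a feature branch of the same repository maps to nothing and is rejected.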

Insufficient credential hygiene is one of the top security threats to automated CI/CD pipelines and connected environments (Top 10 CI/CD Security Risks – cidersecurity.io). Automated pipelines transporting updates from merged Pull Requests through automatic tests to production in Kubernetes often require high-privileged, long-lived service account credentials. As a result, multiple workflows might share the same service account credentials, making them hard to track and keep secure. In this blog, I show how you can move from storing static service accounts in the GitHub Actions Secret store to using dynamic workload identities for authentication in Kubernetes.

Update (): Another approach leveraging Kubernetes’ native credential plugin is now available at the end of this post.