OIDC Tokens in GitHub Actions
OpenID Connect (OIDC) in GitHub Actions lets a job authenticate to a cloud provider without any long-lived credential stored in the repository. When a workflow grants itself `id-token: write`, the job can request a short-lived, signed JWT from GitHub's OIDC provider (issuer `https://token.actions.githubusercontent.com`). The cloud provider verifies the signature and checks the token's claims, above all `aud` and `sub` (which encodes the repository and the branch, tag, environment or pull request), against a trust relationship you configure in advance, and only then issues its own short-lived credentials for the job. The part that carries the security is that trust relationship: if it pins only the audience and not the subject, any repository on GitHub can obtain a token that satisfies it. This post covers the workflow side of the setup for Azure, AWS, and GCP.
OIDC with Azure
```yaml
name: Deploy to Azure with OIDC
on:
  push:
    branches: [main]
# id-token: write lets the job request an OIDC token from GitHub; the rest of
# the GITHUB_TOKEN is narrowed to read-only access to the repository.
permissions:
  id-token: write
  contents: read
jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      # Exchanges the GitHub OIDC token for an Azure access token through the
      # federated credential configured on the app registration. The three
      # values are identifiers rather than secrets, but keeping them in secrets
      # keeps them out of the workflow file and the logs.
      - uses: azure/login@v1
        with:
          client-id: ${{ secrets.AZURE_CLIENT_ID }}
          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
      # az webapp deploy takes a package rather than a directory and needs the
      # resource group; myapp-rg is a placeholder.
      - run: cd dist && zip -r ../app.zip .
      - run: az webapp deploy --resource-group myapp-rg --name myapp --src-path app.zip --type zip
```
OIDC with AWS
```yaml
name: Deploy to AWS with OIDC
on:
  push:
    branches: [main]
permissions:
  id-token: write   # required to request the OIDC token
  contents: read
jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      # Calls sts:AssumeRoleWithWebIdentity with the GitHub token. The role's
      # trust policy must name the GitHub OIDC provider as principal and pin
      # the sub claim to this repository and branch, not just the audience.
      # AWS account IDs are 12 digits; 123456789012 is a placeholder.
      - uses: aws-actions/configure-aws-credentials@v2
        with:
          role-to-assume: arn:aws:iam::123456789012:role/github-actions
          aws-region: us-east-1
      - run: aws s3 sync ./dist s3://my-bucket
```
OIDC with GCP
```yaml
name: Deploy to GCP with OIDC
on:
  push:
    branches: [main]
permissions:
  id-token: write   # required to request the OIDC token
  contents: read
jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      # Exchanges the GitHub token through Workload Identity Federation and
      # impersonates the service account. The provider's attribute condition
      # (for example on assertion.repository) decides which repositories may
      # do this; 123 stands in for the project number.
      - uses: google-github-actions/auth@v1
        with:
          workload_identity_provider: projects/123/locations/global/workloadIdentityPools/github/providers/github
          service_account: github-actions@project.iam.gserviceaccount.com
      # --region avoids the interactive region prompt, which fails on a runner;
      # us-central1 is a placeholder.
      - run: gcloud run deploy myservice --source . --region us-central1
```
OIDC removes long-lived cloud credentials from the repository, so there is nothing for a leaked secret or a compromised fork to steal. It does not remove the need to scope trust on the cloud side: the AWS role trust policy, the Azure federated credential and the GCP provider attribute condition must each restrict the `sub` claim (or the `repository`, `ref` and `environment` claims) to the repository and branch or environment that is allowed to deploy, and the `aud` claim to the value the login action requests. A trust relationship that checks only the audience, or uses a broad wildcard on the subject, accepts tokens from workflows you do not control.
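To make the trust-side check concrete, here is an added example (not code from the original post, and not GitHub's or AWS's code) that models the `Condition` block of an AWS IAM role trust policy with IAM's `StringEquals` and `StringLike` semantics and evaluates constructed GitHub token claims against three variants: one that pins audience and exact subject, one that pins the audience only, and one with an organisation-wide wildcard. The organisation and repository name `example-org/example-app` and the branch names are assumptions; the issuer, claim prefix, audience and `sub` format are the real values GitHub and the AWS action use. The same claims are what an Azure federated credential subject or a GCP attribute condition pins, so the outcomes carry over to those sections.

```python
"""Evaluate GitHub OIDC token claims against an AWS-style trust policy condition.

Added example, not code from the original post or from GitHub/AWS. It never
calls a cloud API; all tokens and claims below are constructed inline.
"""
import base64
import fnmatch
import json

# Real issuer and condition-key prefix for github.com-hosted workflows.
GITHUB_ISSUER = "https://token.actions.githubusercontent.com"
CLAIM_PREFIX = "token.actions.githubusercontent.com:"
# Audience that aws-actions/configure-aws-credentials requests by default.
AWS_AUDIENCE = "sts.amazonaws.com"

# Assumed repository for the examples.
REPO = "example-org/example-app"

# Condition block as it would sit under "Condition" in the role trust policy.
# Pins the audience and the exact subject: only pushes to main of one repo.
STRICT = {
    "StringEquals": {
        CLAIM_PREFIX + "aud": AWS_AUDIENCE,
        CLAIM_PREFIX + "sub": f"repo:{REPO}:ref:refs/heads/main",
    }
}
# Pins the audience only. Any repository on github.com can mint a token with
# this audience, so any workflow anywhere could assume the role.
AUD_ONLY = {"StringEquals": {CLAIM_PREFIX + "aud": AWS_AUDIENCE}}
# Organisation wildcard: every repo in example-org, any branch, tag or PR.
ORG_WILDCARD = {
    "StringEquals": {CLAIM_PREFIX + "aud": AWS_AUDIENCE},
    "StringLike": {CLAIM_PREFIX + "sub": "repo:example-org/*"},
}


def make_claims(repository, ref, aud=AWS_AUDIENCE, issuer=GITHUB_ISSUER):
    """Constructed claims in the shape GitHub issues for a branch push."""
    return {
        "iss": issuer,
        "aud": aud,
        "sub": f"repo:{repository}:ref:{ref}",
        "repository": repository,
        "repository_owner": repository.split("/")[0],
        "ref": ref,
    }


def _matches(operator, expected, actual):
    if actual is None:
        return False
    if operator == "StringEquals":
        return actual == expected
    if operator == "StringLike":  # IAM wildcards: * (any run) and ? (one char)
        return fnmatch.fnmatchcase(actual, expected)
    raise ValueError(f"unsupported condition operator {operator!r}")


def evaluate_condition(claims, condition):
    """IAM semantics: every operator and every key must hold (AND); a list of
    values under one key is an OR."""
    for operator, keys in condition.items():
        for key, expected in keys.items():
            if not key.startswith(CLAIM_PREFIX):
                raise ValueError(f"unexpected condition key {key!r}")
            actual = claims.get(key[len(CLAIM_PREFIX):])
            choices = expected if isinstance(expected, list) else [expected]
            if not any(_matches(operator, e, actual) for e in choices):
                return False
    return True


def can_assume_role(claims, condition):
    """The federated principal must be GitHub's issuer; then the condition
    block decides. Signature verification is the cloud provider's job and is
    out of scope for this model."""
    return claims.get("iss") == GITHUB_ISSUER and evaluate_condition(claims, condition)


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def unverified_claims(jwt):
    """Decode a JWT payload without checking the signature, for inspecting
    which sub/aud a workflow actually received (never for authorisation)."""
    payload = jwt.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def sample_token(claims):
    """Constructed, unsigned JWT carrying the given claims (not a real token)."""
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}.not-a-real-signature"


if __name__ == "__main__":
    cases = [("main push", REPO, "refs/heads/main"),
             ("feature branch", REPO, "refs/heads/feature-x"),
             ("other repo", "someone-else/anything", "refs/heads/main")]
    for label, repo, ref in cases:
        claims = unverified_claims(sample_token(make_claims(repo, ref)))
        print(f"{label:15} strict={can_assume_role(claims, STRICT)!s:5} "
              f"aud-only={can_assume_role(claims, AUD_ONLY)!s:5} "
              f"org-wildcard={can_assume_role(claims, ORG_WILDCARD)}")
```

Running the block shows the failure mode the post's setup depends on avoiding: the feature branch and the foreign repository are rejected by `STRICT`, the foreign repository is accepted by `AUD_ONLY`, and `ORG_WILDCARD` admits any branch of any repository in the organisation. To see the real claims a job receives, request the token from the runner's `ACTIONS_ID_TOKEN_REQUEST_URL` with the `ACTIONS_ID_TOKEN_REQUEST_TOKEN` bearer header and pass it to `unverified_claims`; the `sub` value you see there is what the trust policy, federated credential or attribute condition should pin.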