Skip to main content

CI/CD with OIDC

ยท 3 min read
Guille Vigil

๐Ÿš€ Leveraging OIDC for Enhanced Security and Efficiency Between GitHub Actions/GitLab CI and AWS ๐Ÿ”’

In the rapidly evolving landscape of DevOps and cloud computing, the integration of GitHub Actions or GitLab CI with AWS using OpenID Connect (OIDC) stands out as a game changer. Here's why embracing OIDC can significantly benefit your CI/CD pipelines:

  1. Enhanced Security: OIDC eliminates the need to store long-lived credentials like AWS access keys in your GitHub or GitLab repositories. This reduces the risk of credential leakage and enhances the overall security of your deployment processes.

  2. Seamless Identity Federation: OIDC allows AWS to trust GitHub Actions or GitLab CI to authenticate users, streamlining the identity verification process. This simplifies user management and ensures a more secure and efficient authentication mechanism.

  3. Automated Role Assumption: With OIDC, specific AWS roles can be assumed directly in GitHub Actions or GitLab CI pipelines. This facilitates granular permission control and ensures that only necessary permissions are granted for each task, enhancing both security and compliance, following the principle of least privilege.

  4. Scalability and Flexibility: OIDC enables a more scalable and flexible approach to managing cloud resources. As your project grows, it's easy to update and manage permissions without altering the underlying infrastructure.

  5. Cost-Effective: By leveraging OIDC, there's a reduction in the management overhead associated with credential rotation and management, potentially leading to cost savings and reduced operational complexity.

๐Ÿ”— Integrating OIDC with your CI/CD pipelines in GitHub Actions or GitLab CI not only fortifies your security posture but also streamlines your operational workflows. It's a win-win for teams looking to enhance their cloud capabilities in a secure and efficient manner.

Official Documentation

Note that other cloud providers like Azure or GCP have also OIDC integrations with GitHub Actions or GitLab CI. And other CI/CD tools like Azure DevOps may have OIDC integrations with cloud providers. Find your best combination!

If you are using GitHub Actions and AWS, you can use our open sourced Terraform module to create IAM related resources and handle permissions for different branches or tags:

module "github-oidc-aws-role" {
  source            = "github.com/resizes/platform-terraform-module-github-oidc-aws-role?ref=main"
  name              = ${ROLE_NAME}
  org_name          = ${ORG_NAME}
  condition_test    = ${CONDITION_TEST}
  actions = [ ${ALLOWED_ACTIONS} ]
  assume_role_policy_condition_values = [
    "repo:${ORG_NAME}/${REPO}:ref:refs/heads/${BRANCH}",
    "repo:${ORG_NAME}/${REPO}:ref:refs/tags/${TAG}"
  ]
}

If you like our repository, please give us a star โญ๏ธ and follow us on GitHub!