[DevOps] Investigate OIDC as a replacement for some or all access key usage.

[ndouglas]

User Story

As an engineer, I want to investigate using OIDC for GitHub Actions where possible to improve security and reduce credential rotation and the risk of exposure.

OIDC seems to be a promising candidate to replace our current IAM credential rotation process. Our work on the AWS account migration is a fantastic time to investigate this.

Tasks

• [x] [DevOps] Determine whether we can use OIDC instead of access keys.
• [x] [DevOps] Have conversations, open SNOW tickets, etc as necessary.

Acceptance Criteria

• [x] Suitability or unsuitability of OIDC for our purposes has been documented in this thread.
• [x] Ticket(s) opened as necessary to address followups.

[ndouglas]

This looks good so far but I can't actually create any roles or do anything else.

[ndouglas]

RITM11761422 is tracking creation of the OIDC provider and associated roles/policies for further action.

[olivereri]

RITM11761422 is closed. OIDC Web Identity is created in VAEC-CIE and integrates with Checkin-Devops when an IMA role is created in the account.