Closed github-product-roadmap closed 1 year ago
🚢 This has shipped to dotcom: https://github.blog/changelog/2022-08-23-github-actions-enhancements-to-openid-connect-support-to-enable-secure-cloud-deployments-at-scale/. Leaving open to track for GHES release.
This shipped with GHES 3.7: https://docs.github.com/en/enterprise-server@3.7/admin/release-notes#3.7.0
Summary
Organisations want to standardise their security and deployment workflows using OpenID Connect (OIDC) based cloud policies to define access to specific resources in AWS, Azure, GCP, and other clouds. However, this configuration experience is complex for our multi-cloud customers because each cloud has a different way of defining these policies.
Now, GitHub Actions provides an API that allows customers to customise the OIDC claims sent to each cloud, so that they can maintain a single configuration across all their clouds and meet their compliance and security needs, such as requiring that all deployments for a set of repositories use the same 'Deploy to Kubernetes' workflow that their DevSecOps team has pre-approved.
Intended Outcome
How will it work?
With the new API-based OIDC configuration enabled by GitHub, developers can now customise the format of standard OIDC claims like "subject" and "issuer" to further standardise and harden their deployment steps across all the clouds. We are also adding claims like repo ID and repo visibility to the OIDC token to enable more advanced OIDC policies.
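As an added example (not GitHub's or this roadmap item's code), the cloud-side trust-policy check such a token enables: it pins issuer, audience and the customised subject, and uses the repo ID, repo visibility and workflow reference claims to admit only the pre-approved deploy workflow from allow-listed private repositories. The issuer URL is the one GitHub Actions uses on github.com; the claim names `repository_id`, `repository_visibility` and `job_workflow_ref` are assumed here, and the token payload is constructed.

```python
"""Cloud-side trust-policy check over GitHub Actions OIDC token claims. Added
example, not GitHub's code: the issuer URL is GitHub Actions' on github.com, the
claim names repository_id, repository_visibility and job_workflow_ref are assumed,
and the payload below is constructed. Runs after JWT signature verification."""
import fnmatch
from dataclasses import dataclass, field

GITHUB_ISSUER = "https://token.actions.githubusercontent.com"
@dataclass
class TrustPolicy:
    audience: str
    subject_pattern: str  # glob over the (possibly customised) `sub` claim
    approved_workflows: set = field(default_factory=set)  # job_workflow_ref values
    allowed_visibility: set = field(default_factory=lambda: {"private"})
    allowed_repo_ids: set = field(default_factory=set)  # stable across repo renames

def evaluate(claims: dict, policy: TrustPolicy) -> list:
    """Return the list of violations; an empty list means the token is accepted."""
    violations = []
    if claims.get("iss") != GITHUB_ISSUER:
        violations.append("issuer is not GitHub Actions")
    if claims.get("aud") != policy.audience:
        violations.append("audience mismatch")
    # fnmatch's `*` also matches ':', so the pattern must pin the whole structure.
    if not fnmatch.fnmatchcase(claims.get("sub", ""), policy.subject_pattern):
        violations.append("subject does not match pattern")
    if policy.approved_workflows and claims.get("job_workflow_ref") not in policy.approved_workflows:
        violations.append("workflow is not on the pre-approved list")
    if claims.get("repository_visibility") not in policy.allowed_visibility:
        violations.append("repository visibility not allowed")
    if policy.allowed_repo_ids and claims.get("repository_id") not in policy.allowed_repo_ids:
        violations.append("repository id not allowed")
    return violations
# Only the DevSecOps-approved deploy workflow, from allow-listed private repos.
POLICY = TrustPolicy(
    audience="sts.example-cloud.invalid",
    subject_pattern="repo:octo-org/*:environment:prod",
    approved_workflows={"octo-org/platform/.github/workflows/deploy-to-kubernetes.yml@refs/heads/main"},
    allowed_repo_ids={"1001", "1002"},
)
# Constructed claim set in the shape of a verified token payload.
SAMPLE_CLAIMS = {
    "iss": GITHUB_ISSUER,
    "aud": "sts.example-cloud.invalid",
    "sub": "repo:octo-org/payments-service:environment:prod",
    "repository_id": "1001",
    "repository_visibility": "private",
    "job_workflow_ref": "octo-org/platform/.github/workflows/deploy-to-kubernetes.yml@refs/heads/main",
}
```

Because the check keys on the repository ID rather than only the name, a repository that is renamed or transferred does not silently fall out of (or into) the policy.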