Introduction
Hardcoded credentials in AWS workflows pose significant security risks, including unauthorized access and credential leakage. OpenID Connect (OIDC) provides a secure alternative by establishing trust between AWS and GitHub, enabling short-lived, auto-expiring tokens. This article explores how to implement OIDC with Terraform for GitHub Actions, enhancing security in CI/CD pipelines.
Learning Objectives
- Understand the risks of hardcoded AWS credentials and the benefits of OIDC.
- Configure OIDC trust between GitHub and AWS using Terraform.
- Implement secure, short-lived tokens for GitHub Actions workflows.
1. Setting Up OIDC Trust with AWS and GitHub
Terraform Configuration for OIDC Provider
resource "aws_iam_openid_connect_provider" "github_oidc" {
  url             = "https://token.actions.githubusercontent.com"
  client_id_list  = ["sts.amazonaws.com"]
  thumbprint_list = ["6938fd4d98bab03faadb97b34396831e3780aea1"]
}
Steps:
- Define the OIDC Provider: The above Terraform code registers GitHub as an OIDC issuer in AWS IAM.
- Verify Thumbprint: Ensure the thumbprint matches GitHub’s SSL certificate (check GitHub’s OIDC documentation).
- Apply Configuration: Run `terraform apply` to create the identity provider in AWS.
2. Creating an IAM Role for GitHub Actions
Terraform IAM Role Policy
resource "aws_iam_role" "github_actions_role" {
  name = "GitHubActionsOIDCRole"
  assume_role_policy = jsonencode({
    Version = "2012-10-17",
    Statement = [{
      Effect = "Allow",
      Principal = {
        Federated = aws_iam_openid_connect_provider.github_oidc.arn
      },
      Action = "sts:AssumeRoleWithWebIdentity",
      Condition = {
        StringLike = {
          # The trailing "*" is required with StringLike: the sub claim ends in
          # ":ref:refs/heads/<branch>", ":pull_request", etc., so without a
          # wildcard nothing would ever match this pattern.
          "token.actions.githubusercontent.com:sub" = "repo:your-org/your-repo:*"
        }
      }
    }]
  })
}
Steps:
- Define Trust Policy: The role allows GitHub’s OIDC provider to assume it.
- Restrict Access: Adjust the `Condition` block to limit access to specific repositories/branches.
- Attach Permissions: Use `aws_iam_role_policy_attachment` to grant necessary AWS permissions (e.g., S3, EC2).
3. Configuring GitHub Actions Workflow
GitHub Actions YAML Example
jobs:
  deploy:
    runs-on: ubuntu-latest
    permissions:
      id-token: write # Required for OIDC
    steps:
      - uses: aws-actions/configure-aws-credentials@v2
        with:
          role-to-assume: arn:aws:iam::123456789012:role/GitHubActionsOIDCRole
          aws-region: us-east-1
Steps:
- Enable OIDC: Set `id-token: write` in workflow permissions.
- Assume AWS Role: The `configure-aws-credentials` action fetches temporary credentials using OIDC.
- Test Deployment: Verify AWS actions (e.g., `aws s3 ls`) work without hardcoded secrets.
4. Revoking Trust in Case of Compromise
AWS CLI Command to Delete OIDC Provider
aws iam delete-openid-connect-provider \
  --openid-connect-provider-arn "arn:aws:iam::123456789012:oidc-provider/token.actions.githubusercontent.com"
Steps:
- Identify Compromised Entity: Audit GitHub repositories or AWS roles.
- Remove Trust Relationship: Delete the OIDC provider to block all associated access.
- Rotate Credentials: Revoke any temporary tokens that have already been issued; `sts:GetCallerIdentity` shows which role session a given token resolves to.
5. Troubleshooting OIDC Issues
AWS IAM Policy Simulator Check
# s3:ListAllMyBuckets is the IAM action behind `aws s3 ls`
aws iam simulate-principal-policy \
  --policy-source-arn arn:aws:iam::123456789012:role/GitHubActionsOIDCRole \
  --action-names "s3:ListAllMyBuckets"
Steps:
- Verify Permissions: Use the simulator to test if the role has the required access.
- Check Trust Policy: Ensure the GitHub repo/branch matches the `Condition` in the IAM role.
- Inspect Token Claims: Decode the GitHub OIDC token (JWT) to validate the `sub` claim.
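As an added example (not code from the original article), the following Python script performs the last two checks above: it decodes the payload of a GitHub OIDC token and evaluates an IAM trust policy `Condition` block (`StringEquals` and `StringLike`) against the `sub` and `aud` claims, so a mismatch between the token and the role can be reproduced locally before a workflow run. It also demonstrates the "Restrict Access" step from section 2 by comparing the article's repo-wide condition with one scoped to a single branch plus an audience check. The token is constructed inside the script and is unsigned; the repository name, condition values and claim set are assumptions that mirror the article's placeholders, and no signature verification is performed (STS does that on the real token).

```python
import base64
import fnmatch
import json

ISSUER = "https://token.actions.githubusercontent.com"
CLAIM_PREFIX = "token.actions.githubusercontent.com:"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_unsigned_token(claims: dict) -> str:
    """Build a JWT-shaped string with a dummy signature (constructed test data only).
    Real tokens are RS256-signed by GitHub; this helper does not sign anything."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.{_b64url_encode(b'dummy-signature')}"


def decode_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT. No signature check: this is for
    reading sub/aud locally, which is all the troubleshooting step needs."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a three-part compact JWT")
    return json.loads(_b64url_decode(parts[1]))


def string_like(value: str, pattern: str) -> bool:
    """IAM StringLike semantics: case-sensitive, '*' matches any run, '?' one char.
    fnmatch would also interpret '[...]', which IAM does not, so '[' is escaped."""
    return fnmatch.fnmatchcase(value, pattern.replace("[", "[[]"))


def condition_allows(claims: dict, condition: dict) -> bool:
    """Evaluate a trust-policy Condition block against decoded claims.
    IAM ANDs every operator/key entry; a missing claim fails the condition."""
    for operator, entries in condition.items():
        for key, expected in entries.items():
            actual = claims.get(key.removeprefix(CLAIM_PREFIX))
            if actual is None:
                return False
            actuals = actual if isinstance(actual, list) else [actual]
            patterns = expected if isinstance(expected, list) else [expected]
            if operator == "StringEquals":
                matched = any(a == p for a in actuals for p in patterns)
            elif operator == "StringLike":
                matched = any(string_like(a, p) for a in actuals for p in patterns)
            else:
                raise ValueError(f"operator {operator} not handled in this example")
            if not matched:
                return False
    return True


# Condition from the article's role: any ref or event in the repo may assume it.
LOOSE_CONDITION = {
    "StringLike": {CLAIM_PREFIX + "sub": "repo:your-org/your-repo:*"},
}

# Tightened condition (assumed hardening): only the main branch, and only tokens
# whose audience is STS, so a token minted for another consumer is rejected.
TIGHT_CONDITION = {
    "StringEquals": {CLAIM_PREFIX + "aud": "sts.amazonaws.com"},
    "StringLike": {CLAIM_PREFIX + "sub": "repo:your-org/your-repo:ref:refs/heads/main"},
}


def sample_claims(sub: str) -> dict:
    # Constructed claims mirroring the shape of a GitHub Actions OIDC token.
    return {"iss": ISSUER, "aud": "sts.amazonaws.com", "sub": sub,
            "repository": "your-org/your-repo"}


if __name__ == "__main__":
    for sub in ["repo:your-org/your-repo:ref:refs/heads/main",
                "repo:your-org/your-repo:pull_request",
                "repo:your-org/forked-repo:ref:refs/heads/main"]:
        claims = decode_claims(make_unsigned_token(sample_claims(sub)))
        print(f"{sub:50} loose={condition_allows(claims, LOOSE_CONDITION)!s:5} "
              f"tight={condition_allows(claims, TIGHT_CONDITION)}")
```

Running the script shows that a pull-request token passes the article's repo-wide pattern but not the branch-scoped one, and that a token from a different repository passes neither; paste a real token's payload into `decode_claims` to compare its `sub` with the pattern actually deployed in the role.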
What Undercode Say
- Key Takeaway 1: OIDC eliminates long-term credentials, reducing attack surfaces like credential theft or misuse.
- Key Takeaway 2: Terraform automates OIDC setup, ensuring consistent and auditable AWS-GitHub trust policies.
Analysis:
OIDC is a game-changer for DevOps security, but its adoption requires careful configuration. While GitHub and AWS integrate seamlessly, air-gapped CI systems (a self-managed GitLab, for example) may need alternatives such as IAM Roles Anywhere. Future improvements could include automated rotation of OIDC provider certificates and tighter condition scoping (e.g., commit SHA validation).
Prediction
As cloud-native workflows grow, OIDC will become the standard for CI/CD authentication, replacing static keys entirely. AWS may expand OIDC support to more Git providers, while tools like Terraform will simplify cross-cloud OIDC implementations. Enterprises must prioritize this shift to mitigate supply-chain risks.
Reported By: Darryl Ruggles – Hackers Feeds