
Document id-token permission

Open jmandel opened this issue 2 years ago • 3 comments


What article on docs.github.com is affected?

https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services#adding-permissions-settings

What changes are you suggesting?

I'm struggling to understand what the word "write" means here. Why is the permission called "write"? It appears to be providing read access to a token.

Is something being written? If so, what and by whom? Or is the permission called "write" for some other reason (e.g., something historical, referential, or arcane)? It'd be great to explain this just a tiny bit more.

https://github.com/github/docs/issues/14626#issuecomment-1570227986 for context

Additional information

No response

jmandel avatar Jun 13 '23 12:06 jmandel

Thanks for opening this issue. A GitHub docs team member should be by to give feedback soon. In the meantime, please check out the contributing guidelines.

welcome[bot] avatar Jun 13 '23 12:06 welcome[bot]

@jmandel 👋 - Thanks for opening this issue! I'll get this triaged for review! ⚡

cmwilson21 avatar Jun 13 '23 13:06 cmwilson21

@jmandel, I understand your confusion with the id-token permission.

As far as I understand it, according to the current documentation, write will allow your cloud provider to send an access token to GitHub's OIDC provider and receive a JWT token as a response. The GitHub action can then use this JWT token to establish trust with the cloud provider without using hard-coded secrets. I, therefore, think the decision to name this option write comes from the fact that we want to write these "short-lived access tokens" to the GitHub backend (see about-security-hardening-with-openid-connect#getting-started-with-oidc and about-security-hardening-with-openid-connect#adding-permissions-settings).


Personally, what confuses me the most is the read option. This option is not documented and, from my tests, even seems to be deprecated since it functions similarly to none (see https://github.com/github/docs/issues/26481). Maybe somebody from @github can clarify this for us.

rickstaa avatar Jul 02 '23 09:07 rickstaa
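Whatever the reason for the name, the practical effect of id-token: write is that the job is allowed to ask GitHub's OIDC provider to mint a JWT for it; without that permission the request endpoint is simply not available to the runner. The workflow below is an added example written for this thread, not something from the linked docs page or from any commenter: it scopes the permission to the one job that deploys, makes the token request visible in a shell step (using the ACTIONS_ID_TOKEN_REQUEST_URL and ACTIONS_ID_TOKEN_REQUEST_TOKEN variables that the runner exposes only when id-token: write is granted), and then hands the exchange to aws-actions/configure-aws-credentials. The role ARN, region and branch name are placeholders.

```yaml
name: deploy
on:
  push:
    branches: [main]

# Default for every job in this workflow: no GITHUB_TOKEN permissions at all.
permissions: {}

jobs:
  deploy:
    runs-on: ubuntu-latest
    # Only this job may request an OIDC token (id-token: write) and read the
    # repository. Every permission not listed here stays "none".
    permissions:
      id-token: write
      contents: read
    steps:
      - uses: actions/checkout@v4

      # What id-token: write unlocks: the runner is given
      # ACTIONS_ID_TOKEN_REQUEST_URL / ACTIONS_ID_TOKEN_REQUEST_TOKEN and can
      # ask GitHub's OIDC provider for a JWT bound to a chosen audience.
      # This step only makes the exchange visible; the AWS step below performs
      # the same request internally.
      - name: Show the claims the cloud provider will see
        run: |
          jwt=$(curl -sS -H "Authorization: bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" \
                "$ACTIONS_ID_TOKEN_REQUEST_URL&audience=sts.amazonaws.com" | jq -r .value)
          # Decode the payload (second segment, base64url) to inspect the
          # iss/aud/sub/repository/ref claims. base64 may complain about the
          # missing padding after it has written the decoded bytes, so its
          # stderr is discarded.
          echo "$jwt" | cut -d. -f2 | tr '_-' '/+' | base64 -d 2>/dev/null \
            | jq '{iss, aud, sub, repository, ref}'

      - name: Exchange the GitHub JWT for short-lived AWS credentials
        uses: aws-actions/configure-aws-credentials@v4
        with:
          # Placeholder ARN (constructed for this example). The role's trust
          # policy must pin both the aud and the sub claim of the token.
          role-to-assume: arn:aws:iam::123456789012:role/EXAMPLE-github-deploy
          aws-region: us-east-1
```

Two things worth checking in your own workflows: keep the top-level permissions block empty or minimal so that id-token: write is granted per job rather than to every job, and make sure the cloud-side trust policy conditions on the sub claim (repository, ref or environment) as the linked AWS page describes, since the JWT alone proves only that some workflow in your organisation asked for it.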

Very good setting

Scull431 avatar Sep 14 '23 06:09 Scull431

Thanks for you

On Thu, Sep 14, 2023, 12:55 Scull431 @.***> wrote:

Very good setting

— Reply to this email directly, view it on GitHub https://github.com/github/docs/issues/25952#issuecomment-1718833343

Kyawgyi99999 avatar Sep 14 '23 07:09 Kyawgyi99999