Actions: Enhancements to OpenID Connect support to enable secure cloud deployments at scale
Summary
Organisations want to standardise their security and deployment workflows using OpenID Connect (OIDC) based cloud policies that define access to specific resources in AWS, Azure, GCP, and other clouds. However, this configuration experience is complex for our multi-cloud customers because each cloud has its own way of defining these policies.
GitHub Actions now provides an API that lets customers customise the OIDC claims sent to each cloud. This gives customers a single configuration across all their clouds and helps them meet their compliance and security needs, such as requiring that every deployment from a set of repositories use the same 'Deploy to Kubernetes' workflow that their DevSecOps team has pre-approved.
Intended Outcome
- Enable enterprises to use reusable workflows and OIDC to enforce consistent deployments across repositories, organizations, or the entire enterprise.
- Enable OIDC policies based on repository visibility, so that only private repositories within an organization can assume the cloud role.
- Enable robust and reliable OIDC claims with system-generated GUIDs that do not change when entities are renamed (e.g. repository renames).
- Support advanced OIDC policies based on custom combinations of claims (e.g. environment and branch, or branch and actor).
How will it work?
With the new API-based OIDC configuration from GitHub, developers can customize the format of standard OIDC claims such as "subject" and "issuer" to further standardize and harden their deployment steps across all clouds. We are also adding claims such as repository ID and repository visibility to the OIDC token to enable more advanced OIDC policies.
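Added example (not GitHub's code, nor any cloud provider's): the kind of policy check a cloud-side trust condition expresses when it combines the claims described above, pinning the issuer, audience, stable owner ID, repository visibility, the approved reusable workflow, and an environment-plus-branch pair. Claim names follow GitHub's documented Actions token format; the organisation, repository, workflow path, IDs and token values are constructed for illustration.

```python
from dataclasses import dataclass, field

GITHUB_ISSUER = "https://token.actions.githubusercontent.com"

@dataclass
class DeployPolicy:
    audience: str           # audience the cloud expects in "aud"
    owner_id: str           # numeric org ID, stable across renames
    approved_workflow: str  # pinned reusable workflow every deploy must run
    allowed_visibility: frozenset = frozenset({"private", "internal"})
    required: dict = field(default_factory=dict)  # extra claim pairs, e.g. environment + ref

def evaluate(claims: dict, policy: DeployPolicy) -> list:
    """Return policy violations; an empty list means the token may assume the role."""
    problems = []
    if claims.get("iss") != GITHUB_ISSUER:
        problems.append("issuer is not GitHub Actions")
    aud = claims.get("aud")  # "aud" may be a single string or a list
    if policy.audience not in ({aud} if isinstance(aud, str) else set(aud or [])):
        problems.append("audience mismatch")
    # Match the numeric owner ID, not the name: a renamed or re-created org cannot reuse it.
    if str(claims.get("repository_owner_id")) != policy.owner_id:
        problems.append("repository_owner_id is not the trusted organisation")
    if claims.get("repository_visibility") not in policy.allowed_visibility:
        problems.append("repository visibility not allowed")
    # job_workflow_ref names the reusable workflow (and ref) that ran the job.
    if claims.get("job_workflow_ref") != policy.approved_workflow:
        problems.append("job did not run the approved reusable workflow")
    for key, value in policy.required.items():
        if claims.get(key) != value:
            problems.append(f"{key} must be {value!r}")
    return problems

POLICY = DeployPolicy(
    audience="sts.amazonaws.com", owner_id="123456",
    approved_workflow="example-org/platform/.github/workflows/deploy-k8s.yml@refs/tags/v2",
    required={"environment": "production", "ref": "refs/heads/main"},
)
# Constructed sample: a job in a private repo that invoked the pinned workflow.
SAMPLE_CLAIMS = {
    "iss": GITHUB_ISSUER, "aud": "sts.amazonaws.com", "ref": "refs/heads/main",
    "repository": "example-org/billing", "repository_id": "987654",
    "repository_owner": "example-org", "repository_owner_id": "123456",
    "repository_visibility": "private", "environment": "production",
    "job_workflow_ref": "example-org/platform/.github/workflows/deploy-k8s.yml@refs/tags/v2",
}

if __name__ == "__main__":
    print(evaluate(SAMPLE_CLAIMS, POLICY) or "token satisfies policy")
```

The check runs on already-verified claims; signature and expiry validation against the issuer's JWKS happens before this step, as every cloud's OIDC federation does for you.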