45. What’s the magic of OIDC identity providers?

Jul 14, 2022

Ask episode

AI Snips

Chapters

Transcript

Episode notes

ADVICE

Avoid Hardcoded Credentials

Avoid hardcoding credentials directly into CI/CD tools for AWS deployments.
This is insecure and poses significant security risks.

INSIGHT

OIDC for Secure Connections

OIDC (OpenID Connect) offers a more secure way to connect CI/CD pipelines to AWS.
It avoids the need for hardcoded credentials, enhancing security.

INSIGHT

Long-lived vs. Short-lived Credentials

Classic authentication involves long-lived credentials (access key, secret access key), which are vulnerable to leaks.
OIDC provides a more secure alternative using short-lived credentials and temporary access.

Get the Snipd Podcast app to discover more snips from this episode

Get the app

If you are thinking of using an external CICD tool to deploy to AWS you are probably wondering how to securely connect your pipelines to your AWS account.

You could create a user for your CICD tool of choice and copy some hard coded credentials into it, but, let’s face it: this doesn’t feel like the right - or at least the most secure - approach!

In the previous episode we discussed how AWS and GitHub solved this problem by using OIDC identity providers and this seems to be a good solution to the problem.

In this episode of AWS Bites we will try to demystify the secrets of OIDC identity providers and explain how they work and what’s the trust model between AWS and an OIDC provider like GitHub actions. We will also explain all the steps required to integrate AWS with GitHub, how JWT works in this particular scenario and other use cases where you could use OIDC providers.

In this episode, we mentioned the following resources:

- GitHub docs explaining how to integrate with AWS as an OIDC provider: https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect

- Article “What’s in a JWT” https://loige.co/whats-in-a-jwt

- jwtinfo, CLI tool to inspect JWT: https://github.com/lmammino/jwtinfo

- AWS action to assume a role from a GitHub Pipeline: https://github.com/aws-actions/configure-aws-credentials#assuming-a-role

- Great post by Elias Brange detailing how to setup GitHub OIDC integration for AWS: https://www.eliasbrange.dev/posts/secure-aws-deploys-from-github-actions-with-oidc/

- Previous episode on why you should consider GitHub Actions rather than AWS CodePipeline: https://awsbites.com/44-do-you-use-codepipeline-or-github-actions/

This episode is also available on YouTube: https://www.youtube.com/AWSBites

You can listen to AWS Bites wherever you get your podcasts. See https://awsbites.com for all the links.

Do you have any AWS questions you would like us to address?

Connect with us on Twitter:
- https://twitter.com/eoins
- https://twitter.com/loige

45. What’s the magic of OIDC identity providers?

Avoid Hardcoded Credentials

OIDC for Secure Connections

Long-lived vs. Short-lived Credentials

Connect with us on Twitter: - https://twitter.com/eoins - https://twitter.com/loige

Connect with us on Twitter:
- https://twitter.com/eoins
- https://twitter.com/loige