Unleashing the Power of OpenID Connect: Safeguarding the Realm of GitHub with AWS Authentication Magic!

Vishwas Javalgekar
Jun 29, 2023

At VGrow Solutions, we use GitHub as a collaboration platform. GitHub Workflows are the backbone of our software development process, seamlessly orchestrating the integration, testing, and deployment of our code to the Cloud Realm, powered by AWS.

However, I encountered a significant challenge that made me question the security of our workflow setup. Our workflows required access to AWS resources, which necessitated storing AWS credentials within GitHub as secrets. This traditional approach raised concerns about the safety and integrity of our sensitive credentials.

Understanding the risks associated with storing credentials in GitHub, I set out on a quest to find a more secure alternative. Through research and conversations with fellow DevOps practitioners, I discovered the transformative power of OpenID Connect (OIDC) as a solution to our predicament.

Intrigued by the potential of OIDC, I shared my findings with the VGrow Solutions team, highlighting the drawbacks of storing AWS credentials in GitHub and the advantages offered by OIDC:

  • Security Vulnerabilities: Storing AWS credentials as secrets within GitHub exposed us to potential security breaches. If unauthorized access were gained to our GitHub repository, the credentials could be compromised, leading to severe consequences such as data breaches or unauthorized resource access.
  • Limited Credential Rotation: Storing credentials in GitHub required manual rotation, which introduced human error and delays in maintaining secure access to AWS resources. OIDC, on the other hand, provided an automated and seamless mechanism for rotating credentials without compromising security.
  • Centralized Authentication: OIDC allowed us to establish a centralized identity provider within the Cloud Realm. By utilizing OIDC, we could authenticate and authorize our workflows securely, without the need to store sensitive credentials within GitHub.
  • Ephemeral Web Identity: OIDC facilitated the concept of ephemeral roles with web identity, eliminating the need to store long-lived AWS credentials. This ephemeral nature of identity reduced the risk of potential compromise, as the credentials were generated dynamically for each workflow execution.

Convinced of the benefits and the need for a more secure approach, VGrow Solutions has embraced the OIDC solution. We embarked on a journey to implement OIDC within our workflows, leveraging the “aws-actions/configure-aws-credentials” GitHub Action and configuring it to utilize OIDC for authentication.

VGrow manages its infrastructure as code with HashiCorp Terraform.

Here are the steps involved in the implementation using Terraform, which is quite simple but highly effective.

We use the Terraform module “unfunco/oidc-github/aws”.

It creates the following:

  • a GitHub OIDC identity provider (IdP) within AWS IAM,
  • a role that IdP-authenticated users will assume, using a trust policy with the action “sts:AssumeRoleWithWebIdentity”, along with an associated permissions policy that grants specific access to resources.

This covers most of the ground needed to implement the solution on the AWS side. There are different variables available to configure the module further (e.g. to add an admin policy), which you can find out more about here: https://github.com/unfunco/terraform-aws-oidc-github/tree/main#inputs
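
The trust policy on that role is what decides which workflows may call “sts:AssumeRoleWithWebIdentity”, so it is worth checking that it conditions on the GitHub token's `aud` and `sub` claims. The following Python audit is an added example, not code from this post or from the module; the sample policies, account ID and repository names are constructed placeholders, and treating an org-wide wildcard as a finding is this example's own rule.

```python
ISSUER = "token.actions.githubusercontent.com"  # GitHub's OIDC issuer host
def _cond_values(stmt, key):
    """Values set for condition `key` under any StringEquals/StringLike operator."""
    out = []
    for op, conds in stmt.get("Condition", {}).items():
        if op.split(":")[-1] in ("StringEquals", "StringLike"):
            for k, v in conds.items():
                if k.lower() == key.lower():  # condition keys are case-insensitive
                    out += v if isinstance(v, list) else [v]
    return out

def audit_trust_policy(policy):
    """Audit Allow statements that federate GitHub OIDC; empty list means scoped."""
    findings = []
    stmts = policy.get("Statement", [])
    for n, stmt in enumerate([stmts] if isinstance(stmts, dict) else stmts):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if (stmt.get("Effect") != "Allow" or ISSUER not in str(stmt.get("Principal"))
                or "sts:AssumeRoleWithWebIdentity" not in actions):
            continue
        if not _cond_values(stmt, ISSUER + ":aud"):
            findings.append(f"statement {n}: no condition on the token audience (aud)")
        subs = _cond_values(stmt, ISSUER + ":sub")
        if not subs:
            findings.append(f"statement {n}: no condition on sub, role is open to any repository")
        for sub in subs:
            parts = sub.split(":")  # expected shape: repo:<owner>/<repo>:<ref or *>
            if len(parts) < 3 or parts[0] != "repo" or "*" in parts[1] or "?" in parts[1]:
                findings.append(f"statement {n}: sub '{sub}' is not pinned to one repository")
    return findings

def _policy(condition):
    """Constructed sample trust policy; the account ID is a placeholder."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": f"arn:aws:iam::111122223333:oidc-provider/{ISSUER}"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": condition}]}

SCOPED = _policy({"StringEquals": {ISSUER + ":aud": "sts.amazonaws.com"},
                  "StringLike": {ISSUER + ":sub": "repo:example-org/example-repo:*"}})
WILDCARD = _policy({"StringEquals": {ISSUER + ":aud": "sts.amazonaws.com"},
                    "StringLike": {ISSUER + ":sub": "repo:example-org/*"}})
UNSCOPED = _policy({})

if __name__ == "__main__":
    for name in ("SCOPED", "WILDCARD", "UNSCOPED"):
        print(name, audit_trust_policy(globals()[name]) or "ok")
```

To check a deployed role, pass in the trust policy document exported from IAM as a parsed JSON object.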

  • Finally, in your GitHub workflow

Our workflows seamlessly interacted with the Cloud Realm, securely authenticated through OIDC, without the exposure of sensitive AWS credentials within GitHub. We no longer had to worry about the risks associated with storing credentials in an external platform.

Our decision to adopt OIDC not only enhanced the security of our workflows but also solidified VGrow Solutions’ reputation as a trusted and security-conscious company. Clients recognized our commitment to protecting their valuable data and entrusted us with their cloud solutions needs.
