Demo

Using OIDC With HashiCorp Vault and GitHub Actions

Death to static credentials! Watch this demo on how to use the OIDC token that GitHub Actions issues to each job, together with Vault's JWT auth method, to obtain short-lived dynamic credentials in a GitHub Actions workflow.

Storing static credentials in GitHub is fraught with peril. Static credentials can expire, can be leaked, and have to be rotated by hand. Instead of baking a static credential into the repository, why not let the workflow present GitHub's per-job OIDC token to HashiCorp Vault and have Vault issue short-lived credentials for that single run?

The Secret Zero Problem - Solutions Continuum

Dynamic secrets remove most of the risks that come with static secrets, but the workload still needs a first credential to authenticate to Vault before it can request any dynamic secret. Securely introducing that first credential, known as "secret zero", is where you risk falling back into the dangers of static secrets.

In this talk by Ned Bellavance (a.k.a. Ned in the Cloud), you'll learn about this problem in the context of using HashiCorp Vault for secrets management and GitHub Actions for your deployment workflow.

In this context, Ned describes four methods for securely introducing secret zero. Listed here, the methods get progressively more dynamic, with less chance of a long-lived or overly broadly permissioned secret zero the further down the list you go:

  1. GitHub Auth - Bake in a GitHub personal access token; a static, long-lived credential

  2. AppRole - Bake in a Role ID; the matching Secret ID is either another long-lived secret or needs extra automation to deliver it at run time

  3. Cloud IAM - Self-hosted runners in the cloud only, authenticating with the runner's cloud identity; more dynamic

  4. OIDC and JWT - The most dynamic option: GitHub signs a short-lived token for each job and Vault verifies it, so nothing long-lived is stored in GitHub

In this talk, you'll learn how to configure Vault to trust GitHub's OIDC provider, configure dynamic cloud credentials, and use them in GitHub Actions.

Demo Steps

Halfway through the talk, you can watch Ned's demo. Here are the steps covered:

  1. Create Vault secret in K/V secrets engine

  2. Create Vault policy to read the secret

  3. Configure the Vault JWT auth method to trust GitHub's OIDC issuer, and create a role bound to the repository and branch

  4. Add GitHub Actions secrets for Vault

  5. Configure GitHub Actions workflow

  6. Run GitHub Actions and get the secret value
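The security of the whole setup rests on step 3: the Vault role must be bound to the token claims that identify one repository and one branch, otherwise any workflow that can obtain a GitHub OIDC token can read the secret. The example below is added here and is not code from the talk or from HashiCorp. It shows the payloads for the `auth/jwt/config` and `auth/jwt/role/<name>` writes that step 3 produces, and then replays Vault's audience, subject and bound-claim matching against constructed GitHub token payloads so you can see which runs a given role accepts. The repository `example-org/example-repo`, the role names, the policy `read-secret` and the audience `https://github.com/example-org` are assumptions, not values from the page.

```python
"""Added example, not code from the talk or from HashiCorp: the Vault JWT
role that step 3 of the demo produces, and a local replay of how Vault's
JWT auth method matches a GitHub Actions OIDC token against that role.

Assumed names (not on the page): repo example-org/example-repo, Vault roles
github-actions and release, policy read-secret, audience
https://github.com/example-org (GitHub's default audience is the owner URL).
"""
import fnmatch

# GitHub's OIDC issuer. Vault reads its discovery document and signing keys here.
GITHUB_OIDC_ISSUER = "https://token.actions.githubusercontent.com"

# Payload for: vault write auth/jwt/config ...
JWT_AUTH_CONFIG = {
    "oidc_discovery_url": GITHUB_OIDC_ISSUER,
    "bound_issuer": GITHUB_OIDC_ISSUER,
}

# Payload for: vault write auth/jwt/role/github-actions ...
# bound_subject pins the role to one repo and one branch; bound_claims
# repeat that binding on individual claims; bound_audiences must equal the
# audience the workflow asks GitHub to put in the token.
ROLE_CONFIG = {
    "role_type": "jwt",
    "user_claim": "actor",
    "bound_audiences": ["https://github.com/example-org"],
    "bound_subject": "repo:example-org/example-repo:ref:refs/heads/main",
    "bound_claims_type": "glob",   # "string" = exact match, "glob" = '*' wildcards
    "bound_claims": {
        "repository": "example-org/example-repo",
        "ref": "refs/heads/main",
    },
    "token_policies": ["read-secret"],
    "token_ttl": "10m",
    "token_max_ttl": "10m",
}

# Variant for a release pipeline: any v* tag of the same repo, no bound_subject.
RELEASE_ROLE = {k: v for k, v in ROLE_CONFIG.items() if k != "bound_subject"}
RELEASE_ROLE["bound_claims"] = {"repository": "example-org/example-repo", "ref": "refs/tags/v*"}


def _claim_matches(pattern, value, use_glob):
    # Vault's glob type only supports '*'; fnmatch is a superset, fine for a replay.
    if use_glob:
        return fnmatch.fnmatchcase(str(value), str(pattern))
    return value == pattern


def role_accepts(role, claims):
    """Return (accepted, reason) for an already verified token payload.

    Signature, expiry and issuer checks are assumed done (Vault does them
    with the keys fetched from oidc_discovery_url); this replays only the
    role's audience, subject and bound-claim matching.
    """
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else list(aud)
    if not set(aud) & set(role["bound_audiences"]):
        return False, "aud %r not in bound_audiences" % aud
    if role.get("bound_subject") and claims.get("sub") != role["bound_subject"]:
        return False, "sub %r != bound_subject" % claims.get("sub")
    use_glob = role.get("bound_claims_type") == "glob"
    for name, pattern in role.get("bound_claims", {}).items():
        if name not in claims:
            return False, "missing claim %s" % name
        patterns = pattern if isinstance(pattern, list) else [pattern]
        if not any(_claim_matches(p, claims[name], use_glob) for p in patterns):
            return False, "claim %s=%r does not match %r" % (name, claims[name], pattern)
    return True, "ok"


def github_token_claims(repository, ref, event="push", actor="octocat",
                        aud="https://github.com/example-org"):
    """Constructed subset of the claims GitHub puts in an Actions OIDC token."""
    if event == "pull_request":
        # GitHub uses a non-branch subject for PR runs; the ref is a merge ref.
        sub, ref = "repo:%s:pull_request" % repository, "refs/pull/42/merge"
    else:
        sub = "repo:%s:ref:%s" % (repository, ref)
    return {"iss": GITHUB_OIDC_ISSUER, "aud": aud, "sub": sub,
            "repository": repository, "ref": ref, "actor": actor,
            "event_name": event}


if __name__ == "__main__":
    cases = [
        ("push to main", github_token_claims("example-org/example-repo", "refs/heads/main")),
        ("push to feature branch", github_token_claims("example-org/example-repo", "refs/heads/feature")),
        ("pull request run", github_token_claims("example-org/example-repo", "", event="pull_request")),
        ("same-named repo, other owner", github_token_claims("attacker/example-repo", "refs/heads/main")),
        ("wrong audience", github_token_claims("example-org/example-repo", "refs/heads/main",
                                               aud="https://github.com/other")),
        ("release tag", github_token_claims("example-org/example-repo", "refs/tags/v1.2.3")),
    ]
    for label, claims in cases:
        print("%-30s github-actions: %-48s release: %s" % (
            label, role_accepts(ROLE_CONFIG, claims)[1], role_accepts(RELEASE_ROLE, claims)[1]))
```

On the workflow side (steps 4 and 5), the job needs `permissions: id-token: write` so GitHub will mint the token, and a step using `hashicorp/vault-action` with `method: jwt`, the role name, and `jwtGithubAudience` set to the same value as the role's `bound_audiences`; the only GitHub Actions secret left to store is the Vault address. Note that a pull request run from a fork carries the base repository in its `repository` claim, which is why the role above binds `sub` as well: a `repository`-only binding would let such runs authenticate.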
