Death to static credentials! Watch this demo on how to use the OIDC Vault provider for dynamic credentials in a GitHub Actions workflows.
Storing static credentials in GitHub is fraught with peril. Static credentials can expire, be leaked, and need to be updated manually. Instead of using static credentials, why not leverage the OIDC provider for HashiCorp Vault to dynamically generate short-lived credentials for your GitHub Actions workflow?
Dynamic secrets are the solution to all of these risks associated with static secrets, but secure introduction of the first secret into Vault to start generating dynamic secrets — known as "secret zero" — is where you risk falling back into the dangers of static secrets.
In this talk by Ned Bellavance (i.e. Ned in the Cloud), you'll learn about this problem in the context of using HashiCorp Vault for secrets management and GitHub Actions for your deployment workflow.
In this context, Ned describes four different methods for the secure introduction of secret zero. The methods, listed here, get progressively more dynamic — with less chance of a long-lived or overly broad permissioned secret zero as you go further down the list:
GitHub Auth - Bake in a public access token, static credentials
AppRole - Bake in a Role ID, long-lived secret or extra automation
Cloud IAM - Self-hosted runners only, more dynamic
OIDC and JWT - The most dynamic option
In this talk, you'll learn how to set up the OIDC provider with Vault, configure dynamic cloud credentials, and use them in GitHub Actions.
Halfway through the talk, you can watch Ned's demo. Here are the steps covered:
Create Vault secret in K/V secrets engine
Create Vault policy to read the secret
Configure Vault OIDC auth method
Add GitHub Actions secrets for Vault
Configure GitHub Actions workflow
Run GitHub Actions and get the secret value