Sign in Subscribe

Zero-Trust DevOps: Banish Static Secrets with GitHub Actions and OIDC

Secure your CI/CD pipelines by replacing risky static keys with OpenID Connect (OIDC) federation in GitHub Actions. A guide for CTOs and DevOps engineers.

Zero-Trust DevOps: Banish Static Secrets with GitHub Actions and OIDC
Photo by Sumaid pal Singh Bakshi on Unsplash

In the world of DevOps, secrets management has long been the elephant in the room. For years, the standard practice for connecting CI/CD pipelines (like GitHub Actions) to cloud providers (AWS, Azure, GCP) involved generating long-lived access keys and storing them as static secrets. While functional, this approach is a ticking time bomb for security.

Static keys get leaked. They are often over-privileged. Worst of all, they are rarely rotated as often as they should be, leading to "secret sprawl" across your infrastructure. If a developer's laptop is compromised or a repo is accidentally made public, those keys grant attackers an open door to your cloud environment.

Enter OpenID Connect (OIDC) Federation. This modern authentication standard allows us to adopt a Zero-Trust approach to CI/CD. By eliminating the need for hardcoded credentials, we can create pipelines that are more secure, compliant, and easier to manage. In this post, we will explore how OIDC works and how you can implement it to harden your software supply chain.

The Security Debt of Long-Lived Credentials

a sign on a brick wall that says until debt tears apart
Photo by Manuel Palmeira on Unsplash

Before diving into the solution, it is crucial for CTOs and Lead Developers to understand the specific risks associated with the traditional method. When you create an IAM User in AWS or a Service Principal in Azure and paste those credentials into GitHub Secrets, you are effectively creating a permanent bridge into your infrastructure.

The operational overhead of this model is deceptively high:

  • Key Rotation Fatigue: Security best practices dictate rotating keys every 90 days. In reality, most teams forget until a deployment fails, or worse, they never rotate them at all.
  • Lack of Granularity: Often, a single set of keys is shared across multiple repositories or workflows, violating the principle of least privilege.
  • Revocation Difficulty: If a key is compromised, identifying exactly which services rely on it before revoking it can be a nightmare, leading to potential downtime.
"Static secrets are the single largest point of failure in modern CI/CD pipelines. Moving to ephemeral credentials isn't just a security upgrade; it's an operational necessity."

Zero-Trust architecture demands that we verify explicitly and assume breach. Static secrets assume trust based on possession of a key. OIDC changes this by verifying identity.

How OIDC Federation Works: The Handshake

a close up of two people shaking hands
Photo by David Trinks on Unsplash

OpenID Connect allows GitHub Actions to authenticate with your cloud provider without ever storing a password or access key. Instead of a physical key, think of it as a hotel key card that works only for a specific room, for a specific duration, and then becomes useless.

Here is the technical workflow:

  1. The Trigger: Your GitHub Action workflow starts. GitHub's OIDC provider generates a JSON Web Token (JWT) signed by GitHub.
  2. The Exchange: The workflow sends this JWT to your cloud provider (e.g., AWS).
  3. The Verification: The cloud provider validates the JWT signature against GitHub's public keys. It also checks the claims inside the token (e.g., "Does this request come from the main branch of the nohatek/backend-api repo?").
  4. The Access: If the claims match the Trust Policy you defined, the cloud provider issues a short-lived, temporary access token scoped specifically to that role.

This process is entirely ephemeral. There are no secrets to copy-paste, no keys to rotate, and if the token is intercepted, it expires automatically within a short window (usually one hour).

Practical Implementation: AWS & GitHub Actions

a screenshot of a computer screen
Photo by Emmanuel Edward on Unsplash

Let’s look at a practical example of configuring this for Amazon Web Services (AWS), though the concepts apply equally to Azure and Google Cloud Platform.

Step 1: Create the Identity Provider in AWS
You first need to tell AWS to trust GitHub as an issuer. You can do this via the IAM console or Terraform. The provider URL is https://token.actions.githubusercontent.com.

Step 2: Create an IAM Role with a Trust Policy
This is the critical security step. You aren't just trusting GitHub; you are trusting a specific repository and branch. Your Trust Policy should look like this:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::YOUR_ACCOUNT_ID:oidc-provider/token.actions.githubusercontent.com"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "token.actions.githubusercontent.com:aud": "sts.amazonaws.com"
        },
        "StringLike": {
          "token.actions.githubusercontent.com:sub": "repo:YourOrg/YourRepo:ref:refs/heads/main"
        }
      }
    }
  ]
}

Step 3: Update Your GitHub Workflow
Finally, update your YAML file. You need to request permission to write to the ID token, and then use the configure-aws-credentials action.

permissions:
  id-token: write   # This is required for requesting the JWT
  contents: read    # This is required for actions/checkout

jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - name: Git checkout
        uses: actions/checkout@v3

      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@v2
        with:
          role-to-assume: arn:aws:iam::YOUR_ACCOUNT_ID:role/YourNewOIDCRole
          aws-region: us-east-1

      - name: Deploy to S3
        run: aws s3 sync ./build s3://my-bucket

Notice what is missing? No Access Key ID. No Secret Access Key. The authentication happens automatically in the background.

Strategic Benefits for the Enterprise

man writing on white board
Photo by Campaign Creators on Unsplash

Adopting OIDC isn't just a task for the engineering team; it provides significant strategic value for the organization.

Compliance and Auditing
For companies seeking SOC2, ISO 27001, or HIPAA compliance, static secrets are a major friction point. OIDC provides a clear audit trail. CloudTrail (or equivalent logs) will show exactly which GitHub repository and workflow triggered an action, rather than just showing a generic user name.

Reduced Operational Friction
We have seen countless deployment failures caused by expired credentials. By removing the need for manual rotation, you increase the reliability of your deployment pipeline. Your DevOps team spends less time managing keys and more time building infrastructure.

Fine-Grained Access Control
With OIDC, you can lock down deployments to specific environments. You can create a policy where the main branch can deploy to Production, but the dev branch can only deploy to Staging, enforced strictly by the cloud provider's IAM policy, not just by GitHub repository settings.

Moving to Zero-Trust DevOps with OIDC Federation is one of the highest-impact security improvements you can make to your development lifecycle. It eliminates an entire class of security vulnerabilities (credential theft) while simultaneously simplifying operations.

At Nohatek, we specialize in modernizing infrastructure and securing software supply chains. If you are looking to audit your current DevOps security posture or need assistance migrating to a keyless architecture, our team is ready to help you build a more secure future.