45. What’s the magic of OIDC identity providers?
AWS Bites, 14 July 2022

If you are thinking of using an external CI/CD tool to deploy to AWS, you are probably wondering how to securely connect your pipelines to your AWS account.

You could create an IAM user for your CI/CD tool of choice and copy some hard-coded, long-lived credentials into it, but let’s face it: this doesn’t feel like the right, or at least the most secure, approach!

In the previous episode we discussed how AWS and GitHub solved this problem by using OIDC identity providers, and this seems to be a good solution to the problem.

In this episode of AWS Bites we will try to demystify the secrets of OIDC identity providers and explain how they work and what the trust model is between AWS and an OIDC provider like GitHub Actions. We will also explain all the steps required to integrate AWS with GitHub, how JWTs work in this particular scenario, and other use cases where you could use OIDC providers.
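As an added example (not from the episode or from any of the linked projects), the following Python script builds a constructed GitHub Actions-style OIDC token, decodes its claims the way a tool like jwtinfo would, and evaluates them against conditions shaped like the `aud`/`sub` conditions of an IAM role trust policy; the organisation, repository and branch names are assumptions.

```python
import base64
import fnmatch
import json

# Constructed sample claims shaped like those in the OIDC token GitHub Actions
# mints for a workflow run; the org, repo and branch are made-up values.
SAMPLE_CLAIMS = {
    "iss": "https://token.actions.githubusercontent.com",
    "aud": "sts.amazonaws.com",
    "sub": "repo:example-org/example-repo:ref:refs/heads/main",
}

# Conditions in the shape an IAM trust policy for the GitHub OIDC provider
# uses: StringEquals on the audience, StringLike on the subject.
PINNED_CONDITIONS = {
    "StringEquals": {"token.actions.githubusercontent.com:aud": "sts.amazonaws.com"},
    "StringLike": {"token.actions.githubusercontent.com:sub": "repo:example-org/example-repo:ref:refs/heads/main"},
}
# A looser subject pattern that trusts every repository in the org.
LOOSE_CONDITIONS = {
    "StringEquals": {"token.actions.githubusercontent.com:aud": "sts.amazonaws.com"},
    "StringLike": {"token.actions.githubusercontent.com:sub": "repo:example-org/*"},
}

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_unsigned_jwt(claims: dict) -> str:
    # header.payload.signature with an empty signature: enough to inspect the
    # claims, while AWS checks the real signature against the provider's JWKS.
    header = {"alg": "RS256", "typ": "JWT"}
    return ".".join([b64url(json.dumps(header).encode()),
                     b64url(json.dumps(claims).encode()), ""])

def decode_claims(jwt: str) -> dict:
    payload = jwt.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))

def trust_policy_allows(claims: dict, conditions: dict) -> bool:
    # Condition keys are "<provider>:<claim>"; compare against that claim.
    for key, want in conditions.get("StringEquals", {}).items():
        if claims.get(key.split(":", 1)[1]) != want:
            return False
    for key, pattern in conditions.get("StringLike", {}).items():
        # IAM StringLike wildcards (* and ?) behave like fnmatch here.
        if not fnmatch.fnmatchcase(str(claims.get(key.split(":", 1)[1], "")), pattern):
            return False
    return True
```

Running a token from another repository in the same org through both condition sets shows why the `sub` condition should be pinned to the repository and branch that are allowed to deploy rather than to a wildcard.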

In this episode, we mentioned the following resources:

- GitHub docs explaining how to integrate with AWS as an OIDC provider: https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect

- Article “What’s in a JWT” https://loige.co/whats-in-a-jwt

- jwtinfo, CLI tool to inspect JWT: https://github.com/lmammino/jwtinfo

- AWS action to assume a role from a GitHub Pipeline: https://github.com/aws-actions/configure-aws-credentials#assuming-a-role

- Great post by Elias Brange detailing how to set up GitHub OIDC integration for AWS: https://www.eliasbrange.dev/posts/secure-aws-deploys-from-github-actions-with-oidc/

- Previous episode on why you should consider GitHub Actions rather than AWS CodePipeline: https://awsbites.com/44-do-you-use-codepipeline-or-github-actions/

This episode is also available on YouTube: https://www.youtube.com/AWSBites

You can listen to AWS Bites wherever you get your podcasts. See https://awsbites.com for all the links.

Do you have any AWS questions you would like us to address?

Connect with us on Twitter:
- https://twitter.com/eoins
- https://twitter.com/loige
