Provide OIDC tokens to workflows
Many cloud compute providers are adding support for OIDC to support cross-vendor workloads and I'd love to see CircleCI join in. OIDC enables federation of credentials/identity from one provider to another. Rather than require that a user supply static credentials, OIDC allows them to exchange a short-lived credential injected by the platform with the remote service. That credential embeds information about the identity of a workload. In git, that identity information might include the organization/repo name and the branch/ref.
This makes it easy to author fine grained access policies for specific repos and ensures that long-lived credentials aren't exposed to CI workloads.
OIDC is supported by GitHub Actions and GitLab CI/CD.