Provide OIDC tokens to workflows
Many cloud compute providers are adding support for OIDC for supporting cross-vendor workloads and I'd love to see CircleCI join in. OIDC enables federation of credentials/identity from one provider to another. Rather than require that a user supply static credentials, OIDC allows them to exchange a short-lived credential injected by the platform with the remote service. That credential embeds information about the identity of a workload. In git, that identity information might include the organization/repo name and the branch/ref.
This makes it easy to author fine grained access policies for specific repos and ensures that long-lived credentials aren't exposed to CI workloads.
OIDC is supported by GitHub Actions and GitLab CI/CD:
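The relying-party side of the policy described above, as an added example that is not part of the original post or of any CI provider's code: after the token's signature has been verified against the issuer's published keys, the identity claims are bound to a trust policy on issuer, audience, lifetime and an exact-match subject. The issuer URL, audience, subject format and sample claims are constructed for the example.

```python
import base64
import json

# Constructed trust policy held by the relying party (e.g. a cloud IAM role):
# only main-branch builds of one repository may use this identity.
POLICY = {
    "issuer": "https://oidc.ci.example",    # assumed CI provider issuer URL
    "audience": "sts.cloud.example",        # assumed relying-party audience
    "allowed_subjects": {"repo:acme/payments:ref:refs/heads/main"},  # assumed sub format
}

def b64url_decode(seg):
    """JWT segments are unpadded base64url; restore padding before decoding."""
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))

def check_claims(token, policy, now):
    """Enforce the identity claims of an ID token whose signature has ALREADY been
    verified against the issuer's published keys (out of scope here). The signature
    proves who issued the token; these checks decide whether this workload may use it."""
    try:
        claims = json.loads(b64url_decode(token.split(".")[1]))
        if not isinstance(claims, dict):
            raise ValueError("payload is not a JSON object")
    except (IndexError, ValueError):
        return False, "malformed token"
    if claims.get("iss") != policy["issuer"]:
        return False, "unexpected issuer"
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]   # aud may be a string or a list
    if policy["audience"] not in aud:
        return False, "token not intended for this relying party"
    exp, nbf = claims.get("exp"), claims.get("nbf", 0)
    if not isinstance(exp, (int, float)) or now >= exp:
        return False, "token expired or missing exp"
    if not isinstance(nbf, (int, float)) or now < nbf:
        return False, "token not yet valid"
    # Exact match, never a prefix match: "repo:acme/payments" must not also
    # admit "repo:acme/payments-fork" or a feature branch of the same repo.
    if claims.get("sub") not in policy["allowed_subjects"]:
        return False, "subject %r not allowed by policy" % claims.get("sub")
    return True, "ok"

def make_demo_token(claims):
    """Constructed, unsigned token: real header/payload segments, placeholder signature."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "RS256", "typ": "JWT"}), enc(claims), "sig"])

if __name__ == "__main__":
    now, base = 1_700_000_000, {"iss": POLICY["issuer"], "aud": POLICY["audience"]}
    print(check_claims(make_demo_token({**base, "exp": now + 300, "sub": "repo:acme/payments:ref:refs/heads/main"}), POLICY, now))
```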
We have released OIDC; you can learn more about it here: https://circleci.com/docs/2.0/openid-connect-tokens/.
This work is in progress, and I'd like to say we'll be releasing to everyone in early March.
I'm going to move this as I'm realizing it's in the wrong category. Someone who's able to do so, please close.
Ben Drucker: No worries, I merged it into the other one so it's captured. Thank you for the feedback - as our PM said, I believe this is coming very soon!
Liya Ai: We look forward to this (we are considering a full migration to GH Actions since we also use that, and we've implemented OIDC there, so the sooner OIDC happens on CircleCI, the better!)
FWIW, this loosely relates to the newly announced IP range feature: https://circleci.com/blog/ip-ranges-better-security/
However, I want to address the security issues directly (long-lived credentials, potentially shared via contexts) rather than introduce an additional layer of security (network perimeter) to help mitigate authentication weaknesses.