Provide OIDC tokens to workflows
complete
Ben Drucker
Many cloud compute providers are adding support for OIDC for supporting cross-vendor workloads and I'd love to see CircleCI join in. OIDC enables federation of credentials/identity from one provider to another. Rather than require that a user supply static credentials, OIDC allows them to exchange a short-lived credential injected by the platform with the remote service. That credential embeds information about the identity of a workload. In git, that identity information might include the organization/repo name and the branch/ref.
This makes it easy to author fine grained access policies for specific repos and ensures that long-lived credentials aren't exposed to CI workloads.
OIDC is supported by GitHub Actions and GitLab CI/CD:
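The flow described in the request above, worked through as an added example that is not part of the original thread and not CircleCI's implementation: the CI platform mints a short-lived identity token, and the relying party (cloud provider) verifies the signature, issuer, audience and expiry before matching the workload identity in `sub` against a trust policy. Everything here is constructed: the signing key, the issuer and audience URLs, and the `sub` layout `repo:<owner>/<repo>:ref:refs/heads/<branch>` are illustrative assumptions (real providers sign with RS256 and publish keys at a JWKS URL; a shared HMAC secret stands in so the example runs offline).

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed example values. A real provider uses RS256 with keys fetched from
# the issuer's JWKS endpoint; HMAC with a fixed key is a stand-in for offline use.
SIGNING_KEY = b"constructed-example-key-not-a-real-secret"
ISSUER = "https://oidc.example-ci.test"       # assumed issuer URL
AUDIENCE = "https://cloud.example.test"       # assumed audience (the relying party)
ALLOWED_SUB = "repo:acme/payments:ref:refs/heads/main"  # assumed claim layout


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(claims: dict, key: bytes = SIGNING_KEY) -> str:
    """Stand-in for the CI platform injecting a short-lived identity token into a job."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = f"{_b64url(json.dumps(header).encode())}.{_b64url(json.dumps(claims).encode())}"
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify_token(token: str, now: Optional[float] = None) -> dict:
    """Relying-party side: check alg, signature, issuer, audience and expiry before trusting any claim."""
    now = time.time() if now is None else now
    try:
        h64, c64, s64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(h64))
    # Pin the algorithm: never let the token pick ('none', key-confusion attacks).
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(SIGNING_KEY, f"{h64}.{c64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(c64))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    if claims.get("aud") != AUDIENCE:
        raise ValueError("wrong audience")
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    return claims


# Trust policy keyed on the workload identity: only the main branch of one repo
# may assume the role. Forks, feature branches and other repos are denied.
POLICY = {"allowed_subjects": {ALLOWED_SUB}}


def authorize(token: str, now: Optional[float] = None) -> bool:
    """True only if the token verifies AND its subject matches the policy."""
    try:
        claims = verify_token(token, now)
    except ValueError:
        return False
    return claims.get("sub") in POLICY["allowed_subjects"]


def demo(now: float = 1_700_000_000) -> dict:
    """Constructed tokens exercising the happy path and the failure modes."""
    base = {"iss": ISSUER, "aud": AUDIENCE, "exp": now + 300}
    main = mint_token({**base, "sub": ALLOWED_SUB})
    feature = mint_token({**base, "sub": "repo:acme/payments:ref:refs/heads/feature"})
    expired = mint_token({**base, "sub": ALLOWED_SUB, "exp": now - 1})
    forged = mint_token({**base, "sub": ALLOWED_SUB}, key=b"attacker-key")
    other_aud = mint_token({**base, "sub": ALLOWED_SUB, "aud": "https://other.example.test"})
    # alg=none with an empty signature, a classic downgrade attempt.
    alg_none = (f"{_b64url(json.dumps({'alg': 'none', 'typ': 'JWT'}).encode())}."
                f"{_b64url(json.dumps({**base, 'sub': ALLOWED_SUB}).encode())}.")
    return {
        "main_branch": authorize(main, now),
        "feature_branch": authorize(feature, now),
        "expired": authorize(expired, now),
        "forged_signature": authorize(forged, now),
        "wrong_audience": authorize(other_aud, now),
        "alg_none": authorize(alg_none, now),
    }


if __name__ == "__main__":
    print(demo())
```

The point of the exercise is that nothing long-lived ever sits in the CI job or a context: the token is good for minutes, is bound to one audience, and the policy decision is made on identity claims the platform asserted rather than on a secret the repo administrator pasted in.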
Nathan Fish
We have released OIDC you can learn more about it here https://circleci.com/docs/2.0/openid-connect-tokens/.
Nathan Fish
This work is in progress and I'd like to say we're releasing to everyone in early March.
Ben Drucker
I'm going to move this as I'm realizing it's in the wrong category. Someone who's able to do so, please close.
Liya Ai
Ben Drucker: No worries, I merged it into the other one so it's captured. Thank you for the feedback - as our PM said I believe this is coming very soon!
Kevin Tham
Liya Ai: We look forward to this (we are considering a full migration to GH Actions since we also use that, and we've implemented OIDC there, so the sooner OIDC happens on CircleCI, the better!)
Ben Drucker
FWIW, this loosely relates to the newly announced IP range feature: https://circleci.com/blog/ip-ranges-better-security/
However, I want to address the security issues directly (long lived credentials, potentially shared via contexts) rather than introduce an additional layer of security (network perimeter) to help mitigate authentication weaknesses.