Automated pipelines without secrets


Automated pipelines for CI/CD and similar tasks are a crucial and integral part of development. Quite often we end up with a secret for authenticating against a cloud provider or a similar service for deployments. Those secrets are a risk and need to be properly secured and protected from leaking. Luckily, most CI systems have some mechanism for securing variables, but often certain users can still read them; another option is to keep them in some kind of vault. Furthermore, those secrets need to be rotated as they expire, and the risk is higher still if they never expire.

OIDC to the rescue

Luckily, OpenID Connect (OIDC) can help us here. Yes, the same approach we also use to allow login with social providers or Microsoft Entra ID (formerly Azure Active Directory).

Generic authentication flow with OIDC

OIDC is a strong approach as it allows single sign-on and simplifies authentication for users: it reduces the number of credentials they need to know, and credentials are only ever entered on the trusted provider's pages, never anywhere else.

OpenID Connect in pipelines

A similar approach is possible with (some) pipelines: it allows the build agents/runners to authenticate with a cloud provider based on a short-lived JWT issued by the build system, so no long-lived secret has to be stored in the pipeline.

Pipeline authentication flow with OpenID Connect

The trust between the cloud provider and the CI system has to be established first, typically by registering a client (an application identity) with the cloud provider and attaching to that registration the CI system's token issuer together with the subject and audience the tokens are expected to carry. The CI-issued JWT is then exchanged for a cloud access token only if it validates against that registration: the signature must verify against the issuer's published keys, and the issuer, audience, subject and expiry claims must all match. Pin the subject as narrowly as possible (a specific repository and branch or environment), because a trust that only checks the issuer would accept tokens from any pipeline on that CI system.
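The exchange described above, as an added example that is not part of the original post or of any cloud provider's code. Both sides are shown: the CI system mints the JWT the runner presents, and the cloud provider validates it against a registered trust before it would hand out an access token. The trust record, the key, the issuer URL, and the `repo:org/repo:ref:refs/heads/main` subject are all constructed for the example (the subject follows the format GitHub Actions uses for branch pushes). Real providers sign with RS256/ES256 and fetch the public key from the issuer's JWKS endpoint; an HMAC stand-in is used here only so the example runs offline with the standard library, and the claim checks are what the example is about.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed key shared by the fake CI issuer and the verifier (assumption).
# A real issuer signs with an asymmetric key and publishes the public half
# in its JWKS; HMAC is used here purely to keep the example self-contained.
ISSUER_KEY = b"example-ci-issuer-key-not-real"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_ci_token(claims: dict) -> str:
    """CI side: mint the JWT the build agent presents to the cloud provider."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(ISSUER_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


# Cloud-provider side: the trust attached to one client registration.
# Hypothetical record modelled on a federated credential (issuer, subject,
# audience); the values are constructed for this example.
FEDERATED_CREDENTIAL = {
    "issuer": "https://token.actions.githubusercontent.com",
    "subject": "repo:example-org/example-repo:ref:refs/heads/main",
    "audience": "api://AzureADTokenExchange",
}


def exchange_token(token: str, trust: dict = FEDERATED_CREDENTIAL, now=None) -> tuple:
    """Cloud side: return (accepted, reason). Every check must pass before
    an access token would be issued to the runner."""
    now = time.time() if now is None else now
    try:
        h, p, s = token.split(".")
        header = json.loads(b64url_decode(h))
        claims = json.loads(b64url_decode(p))
    except (ValueError, json.JSONDecodeError):
        return False, "malformed token"
    # Pin the algorithm: never accept "none" or an alg the trust did not expect.
    if header.get("alg") != "HS256":
        return False, "unexpected alg"
    expected = hmac.new(ISSUER_KEY, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        return False, "bad signature"
    if claims.get("iss") != trust["issuer"]:
        return False, "issuer not trusted"
    aud = claims.get("aud")
    if aud != trust["audience"] and not (isinstance(aud, list) and trust["audience"] in aud):
        return False, "audience mismatch"
    # Exact subject match: a token from another repo or branch on the same
    # issuer is signed just as validly, so this is the check that scopes the trust.
    if claims.get("sub") != trust["subject"]:
        return False, "subject does not match federated credential"
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        return False, "token expired"
    nbf = claims.get("nbf")
    if isinstance(nbf, (int, float)) and nbf > now:
        return False, "token not yet valid"
    return True, "ok"


def runner_claims(subject: str, now: int) -> dict:
    """Claims a CI issuer would put in a runner's token (constructed)."""
    return {
        "iss": FEDERATED_CREDENTIAL["issuer"],
        "aud": FEDERATED_CREDENTIAL["audience"],
        "sub": subject,
        "iat": now,
        "exp": now + 300,
    }


if __name__ == "__main__":
    now = int(time.time())
    main_token = issue_ci_token(runner_claims(FEDERATED_CREDENTIAL["subject"], now))
    feature_token = issue_ci_token(
        runner_claims("repo:example-org/example-repo:ref:refs/heads/feature", now)
    )
    print("main branch  :", exchange_token(main_token, now=now))
    print("feature branch:", exchange_token(feature_token, now=now))
    print("after expiry :", exchange_token(main_token, now=now + 600))
```

The feature-branch token is rejected even though its signature and issuer are perfectly valid; that is the point of pinning the subject in the registration rather than trusting the issuer alone.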

This approach has been available on GitHub1 for a while, and it is now also available on Azure2. Vercel says it is in their roadmap backlog, but has not yet committed to implementing it.

I have written a more thorough walkthrough of the actual steps for using GitHub Actions and Azure without secrets.