In our last article<\/a>, we discussed how a developer-first, contextual approach to secrets management enables a security program to meet the speed and scale of modern businesses. In this article, we explain how we accomplished this by leveraging GitHub\u2019s OpenID Connect (OIDC) support for authentication to fine-grained Hashicorp Vault roles, resulting in a \u201ccredentials-free\u201d experience for development teams in our deployment pipelines. For organizations running CI\/CD through GitHub Actions and managing their secrets with HashiCorp Vault, we\u2019ve found a process that offers a streamlined experience for developers while enabling simplified orchestration and management for security.<\/p>\n In this article, we step through the technical implementation we employed between GitHub and Vault to support this OIDC flow for secrets consumption. We cover both the programmatic components of this secrets management pattern and the engineering details other organizations may wish to adapt to create their own versions of this program. At the end of the article, we share a Terraform module we have open sourced to help any organization to get up and running with a similar initiative.<\/p>\n A common concern with many secrets management efforts is the \u201csecret zero\u201d problem. An organization stores all of its secrets in some kind of protected enclave, such as HashiCorp Vault or 1Password. The organization needs to restrict access to the secrets and to segment which secrets each group can access. Therefore, roles are created and authentication to those roles are distributed to appropriate users, teams, and systems.<\/p>\n But where can those<\/em> authentication credentials be safely stored? Not in the secret store, as these credentials are a precondition to getting access. Could they be stored in a separate protected enclave? But how is access to that<\/em> system protected? It\u2019s turtles all the way down<\/a>. This first set of login credentials used to gain access to the secrets store is often denoted \u201csecret zero.\u201d<\/p>\n One common solution to the \u201csecret zero\u201d problem is to introduce another<\/em> secret enclave that contains an already trusted entity at the point where access to the secrets store is needed. For example, if a company\u2019s secrets are stored in HashiCorp Vault, static long-lived credentials to Vault (e.g. userpass, AppRole) can be generated and stored in GitHub as encrypted secrets<\/a>. A repository is granted access to these secrets as a property of the access control settings set on the repository or organization available in GitHub. Depending on the operating environment and the company in question, this may be sufficient to allow a GitHub Action workflow secure access to secrets in Vault.<\/p>\n For many organizations, however, this approach necessitates implementing complex management procedures. An organization should be able to produce the following information about their secrets management program:<\/p>\n A mapping of which authentication roles are used by which repositories<\/p>\n<\/li>\n The secrets accessible to each team\u2019s projects<\/p>\n<\/li>\n Whether a team\u2019s access is too broad or too restrictive<\/p>\n<\/li>\n Demonstrate adherence to specific compliance requirements<\/p>\n<\/li>\n<\/ul>\n GitHub secrets do not currently provide capabilities to enable a company to produce this information. A Vault role with static credentials may be created for a particular use case, but an organization cannot natively confirm it has not been stored in a second repository\u2019s secrets and leveraged for an unintended use case.<\/p>\n Moreover, these credentials are all static and long-lived, posing a risk to the organization if the deployment workflow is compromised. Stolen credentials continue to be a significant factor in breach incidents. All of a sudden an organization must build a sprawling asset management system for its secret store login credentials that is likely perpetually out of date, build a homegrown credential rotation and auditing lifecycle, or entirely give up on understanding these relationships and accept the risk this lack of visibility poses. This approach is certainly better than plaintext exposure! But GitHub OIDC offers a better solution.<\/p>\n GitHub launched OIDC support<\/a> within GitHub Actions in October 2021<\/a> to enable cloud deployment workflows to authenticate to their services without needing to handle credentials inside the GitHub repo. From their roadmap issue<\/a>: \u201cOpenID token exchange eliminates the need for storing any long-lived cloud secrets in GitHub.\u201d By using OIDC authentication to Vault, we remove the need for engineers to manage a root credential pair and solve the \u201csecret zero\u201d problem for these workloads!<\/p>\n Discussing OAuth2 and OpenID Connect are outside the scope of this article, but this introduction to OAuth and OIDC<\/a> from Okta serves as a helpful visual explainer. At a high level, OIDC is a way to authenticate a user or service to a third party identity provider (IdP) using a JSON Web Token (JWT). Instead of managing login credentials, the token exposes parameters (known as claims<\/a>) which we can bind a Vault role against. When GitHub presents a token containing the necessary combination of claims, Vault will return an auth token for a given Vault role.<\/p>\n Beyond solving the \u201csecret zero\u201d problem, using GitHub OIDC for authentication provides greater flexibility to fine-tune least-privilege access to roles. For example, beyond simply delineating between repositories inside an organization, GitHub OIDC auth allows us to bind specific workflows inside a repository to different<\/em> Vault roles in an auditable, consistent manner. Suddenly, we can not only definitively answer the question \u201cWhat Vault roles are used by which repositories?\u201d through native properties of our authentication configuration, but we are capable of asking – and answering – the more granular \u201cin what scenarios<\/em> can a repository access a Vault role?\u201d<\/p>\n Beyond the question, \u201cwhat secrets can team X\u2019s project access?\u201d we can enforce<\/em> what different sets of secrets team X\u2019s project can access during deployments, CI testing, and other use cases as a native property of our authentication scheme. And we can accomplish all of this without requiring developers to handle credentials to Vault themselves, without having to deal with static credential rotation lifecycles or exposure, with credential TTLs in the seconds or minutes, and with complete auditability designed into the configuration-as-code approach.<\/p>\n As we discussed in our previous post on developer-first security<\/a>, a developer-first security approach integrates into the organization\u2019s existing development workflows. The first step is to document the workflows used by development teams. This is unique for every organization, but there are general patterns we can discuss. For DigitalOcean, we began with the following five use cases:<\/p>\n Testing pull requests<\/strong> – A continuous integration (CI) workflow testing pull requests in a repository needs to access nonproduction secrets.<\/p>\n<\/li>\n Continuous deployment (CD) triggers<\/strong> – Pushes to the main branch trigger a continuous deployment workflow that builds a new version of the application and deploys it to production. This workflow needs access to production secrets.<\/p>\n<\/li>\n Complex, multi-environment workflows<\/strong> – A single workflow that deploys first to a staging environment, verifies correct functionality, and then deploys the application to production should have access to staging and production secrets at each respective point inside the workflow, but should not be able to access both staging and production secrets at the same time.<\/p>\n<\/li>\n Supports monorepos<\/strong> – Multiple teams contributing to a monorepo can define individual Reusable & shareable workflows<\/strong> – An internal reusable workflow, such as a set of tasks encapsulating publishing artifacts to Artifactory, can access its needed secrets when called from any repository across multiple GitHub organizations. Consumers invoking the workflow do not need to configure anything unique for access to secrets.<\/p>\n<\/li>\n<\/ol>\n The following security considerations apply to each developer use case:<\/p>\n Credentials must be short-lived. Compromise of any workflow must present an extremely minimal window of opportunity for a malicious entity to exploit these credentials.<\/p>\n<\/li>\n Secrets consumption must be fully auditable – we must be able to determine what repository accessed what Vault role (and therefore consumed what secrets) at some specific time. We must also be able to determine what secrets could<\/em> be consumed by a repository or workflow at any given time.<\/p>\n<\/li>\n<\/ol>\n Let\u2019s step through how the OIDC configuration can be bound to Vault and how to provide the fine-grained customizability to match these developer and security use cases. These code examples will use Terraform.<\/p>\n Enabling a GitHub OIDC configuration on Vault\u2019s end requires creating a new JWT auth backend<\/a> pointing to GitHub.com<\/a> or to a GitHub Enterprise Server instance. GitHub has documentation on how to construct the URL<\/a> for a GitHub Enterprise Server.<\/p>\n At this point, Vault and GitHub are configured to talk to each other. What\u2019s left is defining each use case as its own Vault role configuration on this authentication backend. This is the meat of the configuration and what to do depends on the needs of the developers in your organization.<\/p>\n Organizations configuring OIDC authentication from github.com<\/a> should take an additional configuration step: switch to a unique token URL<\/a>. Setting the To prevent this, GitHub has recently added an API-only configuration<\/a> for organizations to customize your enterprise\u2019s token URL to This does not apply to GitHub Enterprise Server accounts, as the self-hosted instance is already unique to your enterprise.<\/p>\n The claims provided<\/a> in GitHub\u2019s JWT define our authentication configuration capabilities. We can bind any combination of these key-value pairs to a Vault role, thereby requiring all of that data to exist in a GitHub workflow\u2019s JWT before granting access to a Vault role and its underlying policies. The following is an example GitHub JWT displaying the claims contained in a token:<\/p>\n The primary property we use at DigitalOcean is the bound subject More commonly, however, we want finer-grained delineation, such as separating pull request workflows from a deployment workflow triggered from the main branch. For this, we can create two separate roles on Vault, each granting access to a respective development or production policy. The subject claim enables us to enforce these separate use cases:<\/p>\n Workflows invoked inside of a pull request that attempt to receive an authentication token for the \u201cmyrepo-main\u201d Vault role will fail, as the OIDC properties in the JWT will not match the preconfigured expectation in the There are a number of ways<\/a> to filter the subject claim. The options boil down to:<\/p>\n some specific branch on the repository<\/p>\n<\/li>\n some specific tag on the repository<\/p>\n<\/li>\n some wildcard pattern for multiple branches or multiple tags (e.g. some GitHub Environment<\/a> (or a wildcard pattern for multiple GitHub Environments, although we have not encountered a use case for this)<\/p>\n<\/li>\n<\/ol>\n These five configurations give us almost all of the tools we need to solve the developer use cases we previously identified in this article. Combining other claims in the JWT with the bound subject ( If the expected bound claims match a user\u2019s workflow for the requested Vault role, they will be granted a short-lived token. Because we set the Let\u2019s see how an OIDC configuration can enable each of the five developer use cases we listed above.<\/p>\n Example: A continuous integration (CI) workflow testing pull requests in a repository needs to access nonproduction secrets.<\/em><\/p>\n This can be enforced via the Current Alternatives Require Complex Management<\/a><\/h3>\n
\n
Fine-Grained CI\/CD Roles<\/a><\/h3>\n
\n
.github\/workflow\/<\/code> files inside the same repository and get access to their unique credentials that other teams and workflows inside the monorepo cannot access.<\/p>\n<\/li>\n\n
resource \"vault_jwt_auth_backend\"<\/span><\/span> \"github_oidc\"<\/span> {<\/span>\n\n description<\/span> =<\/span> \"Accept OIDC authentication from GitHub Action workflows\"<\/span>\n\n path<\/span> =<\/span> \"gha\"<\/span>\n\n oidc_discovery_url<\/span> =<\/span> \"https:\/\/token.actions.githubusercontent.com\"<\/span>\n\n bound_issuer<\/span> =<\/span> \"https:\/\/token.actions.githubusercontent.com\"<\/span>\n\n}<\/span>\n<\/code><\/pre>\nbound_issuer<\/code> and oidc_discovery_url<\/code> to https:\/\/token.actions.githubusercontent.com<\/code> grants the entirety of public GitHub the possibility<\/em> of authenticating to your Vault server. If you accidentally misconfigure the bound claims that we describe below, you could be exposing your Vault server to other users on github.com<\/a>.<\/p>\nhttps:\/\/token.actions.githubusercontent.com\/<enterpriseSlug><\/code>, where enterpriseSlug<\/code> refers to the value that was set<\/a> when your enterprise cloud account was created. We strongly recommend any enterprise cloud organizations using GitHub OIDC enable this setting. This way, no matter how the bound claims are configured below, it is not possible for other users or enterprises on github.com<\/a> to get a valid OIDC token to your Vault server. Both the oidc_discovery_url<\/code> and bound_issuer<\/code> should use this new token URL.<\/p>\nresource \"vault_jwt_auth_backend\"<\/span><\/span> \"github_oidc\"<\/span> {<\/span>\n\n description<\/span> =<\/span> \"Accept OIDC authentication from GitHub Action workflows\"<\/span>\n\n path<\/span> =<\/span> \"gha\"<\/span>\n\n oidc_discovery_url<\/span> =<\/span> \"https:\/\/token.actions.githubusercontent.com\/mycompany\"<\/span>\n\n bound_issuer<\/span> =<\/span> \"https:\/\/token.actions.githubusercontent.com\/mycompany\"<\/span>\n\n}<\/span>\n<\/code><\/pre>\n![\"security](\"https:\/\/doimages.nyc3.cdn.digitaloceanspaces.com\/002Blog\/fine-grained-security-blog-image1.jpg\")
<\/p>\n(sub)<\/code> claim, although simple use cases can use alternative JWT properties. For example, to allow one repository to access a certain Vault role while preventing other repositories from authenticating, we can bind the repository<\/code> claim to a Vault role instead.<\/p>\n\nresource \"vault_jwt_auth_backend_role\"<\/span><\/span> \"github_oidc_role\"<\/span> {<\/span>\n\n role_name<\/span> =<\/span> \"myrepo-myrole\"<\/span>\n\n bound_claims<\/span> =<\/span> {<\/span> repository<\/span> =<\/span> \"digitalocean\/myrepo\"<\/span> }<\/span>\n\n \n\n token_policies<\/span> =<\/span> [<\/span>\"default\"<\/span>, \"mypolicy\"<\/span>]<\/span>\n\n bound_audiences<\/span> =<\/span> [<\/span>\"https:\/\/github.com\/digitalocean\"<\/span>]<\/span>\n\n role_type<\/span> =<\/span> \"jwt\"<\/span>\n\n backend<\/span> =<\/span> \"gha\"<\/span>\n\n user_claim<\/span> =<\/span> \"actor\"<\/span>\n\n token_type<\/span> =<\/span> \"batch\"<\/span>\n\n token_ttl<\/span> =<\/span> 300<\/span> \n\n}<\/span>\n<\/code><\/pre>\n\nresource \"vault_jwt_auth_backend_role\"<\/span><\/span> \"only_prs\"<\/span> {<\/span>\n\n role_name<\/span> =<\/span> \"myrepo-prs\"<\/span>\n\n bound_claims<\/span> =<\/span> {<\/span> sub<\/span> =<\/span> \"repo:digitalocean\/myrepo:pull_request\"<\/span> }<\/span>\n\n \n\n}<\/span>\n\n\n\nresource \"vault_jwt_auth_backend_role\"<\/span><\/span> \"only_main_branch\"<\/span> {<\/span>\n\n role-name<\/span> =<\/span> \"myrepo-main\"<\/span>\n\n bound_claims<\/span> =<\/span> {<\/span> sub<\/span> =<\/span> \"repo:digitalocean\/myrepo:ref:refs\/heads\/main\"<\/span> }<\/span>\n\n \n\n}<\/span>\n<\/code><\/pre>\nbound_claims<\/code>. Workflows from any event trigger<\/a> that is not<\/em> a pull_request<\/code>, such as a push<\/code>, will fail to authenticate to the \u201cmyrepo-prs\u201d Vault role.<\/p>\n\n
pull_request<\/code> (but no other) workflow triggers<\/p>\n<\/li>\nref:refs\/tags\/*<\/code>)<\/p>\n<\/li>\nsub<\/code>) give us everything we need. Crucially, the method developers use to consume secrets remains consistent across all of these use cases. HashiCorp maintains a GitHub Action<\/a> for consumption of secrets in Action workflows. A developer includes the name of their desired role and what secrets they wish to access:<\/p>\n-<\/span> uses<\/span>:<\/span> hashicorp\/vault-<\/span>action@v2\n\n with<\/span>:<\/span>\n\n role<\/span>:<\/span> \"myrepo-prs\"<\/span>\n\n secrets<\/span>:<\/span> |<\/span>\n\n secrets\/data\/their\/chosen\/secrets mysecret |<\/span> MY_SECRET ;\n\n \n\n url<\/span>:<\/span> \"https:\/\/my-vault.company.com:8200\"<\/span>\n\n caCertificate<\/span>:<\/span> \"optional yet likely for an enterprise vault configuration\"<\/span>\n\n method<\/span>:<\/span> \"jwt\"<\/span>\n\n path<\/span>:<\/span> \"gha\"<\/span>\n<\/code><\/pre>\ntoken_ttl<\/code> on the Vault role configuration for 5 minutes, the Vault token granted to each workflow will expire after that time. This gives a malicious entity an extremely small window of time to exploit a valid auth token while providing plenty of time for a legitimate developer to retrieve the secrets their workflow requires. In 80% of cases we\u2019ve found that a 60 second TTL is plenty of time. We recently bumped our default TTL from 60 seconds to 5 minutes to account for those other edge cases inside our organization. We will grant certain workflows up to a 30 minute TTL, but we have yet to find a use case that requires a Vault token for longer.<\/p>\nTesting Pull Requests<\/a><\/h3>\n
pull_request<\/code> bound subject mentioned previously. A complete example is:<\/p>\n\nresource \"vault_jwt_auth_backend_role\"<\/span><\/span> \"myrepo-nonprod-prs\"<\/span> {<\/span>\n\n role_name<\/span> =<\/span> \"myrepo-nonprod-prs\"<\/span>\n\n bound_claims<\/span> =<\/span> {<\/span> sub<\/span> =<\/span> \"repo:digitalocean\/myrepo:pull_request\"<\/span> }<\/span>\n\n \n\n