OIDC Federation - CI/CD Glossary Definition
OIDC federation lets a CI workflow exchange a short-lived OpenID Connect token for cloud credentials, so a trust relationship (not a stored secret) authorizes access. The cloud verifies the token's issuer and claims before granting a role.
Why it removes secrets
Instead of storing a long-lived cloud key in CI secrets, the provider (for example AWS IAM) trusts GitHub's OIDC issuer and grants a role only to tokens whose sub and repository claims match a configured condition. Nothing static is stored.
AWS example
.github/workflows/ci.yml
- uses: aws-actions/configure-aws-credentials@v4
with:
role-to-assume: arn:aws:iam::123456789012:role/ci-deploy
aws-region: us-east-1
permissions:
id-token: writeRelated guides
Workload Identity - CI/CD Glossary DefinitionWorkload Identity: Workload identity is the broad pattern of giving a running workload (a CI job, a pod, a fu…
Secret Rotation - CI/CD Glossary DefinitionSecret Rotation: Secret rotation is the practice of replacing credentials (tokens, keys, passwords) on a regu…
Least Privilege - CI/CD Glossary DefinitionLeast Privilege: Least privilege is the principle that an identity (user, service, or CI job) should hold onl…