Skip to content
Latchkey

OIDC Federation - CI/CD Glossary Definition

OIDC federation lets a CI workflow exchange a short-lived OpenID Connect token for cloud credentials, so a trust relationship (not a stored secret) authorizes access. The cloud verifies the token's issuer and claims before granting a role.

Why it removes secrets

Instead of storing a long-lived cloud key in CI secrets, the provider (for example AWS IAM) trusts GitHub's OIDC issuer and grants a role only to tokens whose sub and repository claims match a configured condition. Nothing static is stored.

AWS example

.github/workflows/ci.yml
- uses: aws-actions/configure-aws-credentials@v4
  with:
    role-to-assume: arn:aws:iam::123456789012:role/ci-deploy
    aws-region: us-east-1
permissions:
  id-token: write

Related guides

Tired of flaky CI? Latchkey auto-heals failed jobs and retries them for you. Start free →