nassigns.blogg.se

Hashicorp github

There's been some talk on Twitter recently about a new feature emerging on GitHub Actions. It allows an action to mint an OpenID Connect (OIDC) token, which can then be used to deploy artifacts into other systems and clouds.

I'll give you a bit of context, then show you the AWS and GCP story, followed by how I integrated this with OpenFaaS so that a set list of users on GitHub could deploy to my OpenFaaS cluster without having to give them any credentials.

I remember seeing a keynote in 2018 at KubeCon where Kelsey Hightower demoed an integration between two services, with one of them running on AWS and the other running on GCP. Normally that would mean producing a number of secrets and configuring them on either side. His demo was different because there was a level of trust between the two sides: federation, if you will.

The Oxford dictionary describes "federation" as:

  The action of forming states or organizations into a single group with centralized control.

Centralised control within a single group sounds useful, and just as Kelsey showed us GCP and AWS working in harmony, later on I'll show you GitHub Actions deploying to OpenFaaS without any shared credentials.

This video is definitely worth a watch, even if you were there live. He explains how serverless platforms play well with Kubernetes, integrating with managed cloud services. Kelsey was probably using GCP's Workload Identity Federation technology. AWS has a similar technology built from IAM (Identity and Access Management), an IdP (Identity Provider) registered with IAM, and the Security Token Service (STS), which exchanges a trusted IdP's token for temporary AWS credentials.

Why could credential sharing be an anti-pattern?

For some systems, credentials are tied to a human identity. We've all probably created a GitHub Personal Access Token (PAT) once or twice in our time. These tokens are equivalent to us taking actions, and most of the time have very coarse-level permissions. If I were to use a PAT in an integration and then left the company, my access token would still be in use, and my identity would be tied to it. On the other hand, if I left and deactivated my account, the integration would stop working.

Even when API tokens and service accounts decouple identity from access tokens, there's still the need to share, store and rotate these secrets, which presents a risk. The less of this we do, the lower the risk of something going wrong.

Here's what the author of the GCP integration said. Before, with a long-lived key:

  • Create a Google Cloud service account and grant IAM permissions.
  • Export the long-lived JSON service account key.
  • Upload the JSON service account key to a GitHub secret.

Now, with Workload Identity Federation:

  • Create and configure a Workload Identity Provider for GitHub.
  • Exchange the GitHub Actions OIDC token for a short-lived Google Cloud access token.

In short, the token and identity that GitHub Actions provides is enough to deploy to GCP or AWS when configured in this way. That means using the SDK, CLIs, Terraform and other similar tooling. It could probably also be made to work with Kubernetes authentication and authorization.
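Whether the receiving side is GCP, AWS or an OpenFaaS gateway with a "set list of users", federation comes down to the same two steps: verify the token against the issuer's signing key, then authorize on its claims rather than on a shared secret. The Go program below is an added example written for this page; it is not code from the post or from OpenFaaS. To run offline it mints tokens with a locally generated RSA key standing in for GitHub's issuer (real tokens are signed with keys GitHub publishes as a JWKS under the issuer URL), and the Policy type, the audience URL, the repository and the user names are hypothetical.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// GitHubIssuer is the iss claim carried by every GitHub Actions OIDC token.
const GitHubIssuer = "https://token.actions.githubusercontent.com"

// Claims is the subset of GitHub Actions OIDC claims this policy examines.
type Claims struct {
	Iss        string `json:"iss"`
	Aud        string `json:"aud"`
	Sub        string `json:"sub"` // e.g. repo:octo-org/octo-repo:ref:refs/heads/main
	Repository string `json:"repository"`
	Actor      string `json:"actor"` // the GitHub user who triggered the run
	Exp        int64  `json:"exp"`
	Nbf        int64  `json:"nbf"`
}

// Policy is the receiving system's trust configuration (a hypothetical shape, not an OpenFaaS API).
type Policy struct {
	Audience      string          // the audience the workflow requested when minting the token
	AllowedRepos  map[string]bool // repositories allowed to deploy
	AllowedActors map[string]bool // the "set list of users" allowed to deploy
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// MintToken signs an RS256 JWT; it stands in for GitHub's issuer so the demo runs offline.
func MintToken(key *rsa.PrivateKey, c Claims) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	body, _ := json.Marshal(c) // cannot fail for a struct of strings and ints
	signingInput := b64(hdr) + "." + b64(body)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64(sig), nil
}

// Verify checks the signature against the issuer's key before reading any claim, then the
// standard claims, then the deployment policy. In production issuerKey comes from GitHub's JWKS.
func Verify(token string, issuerKey *rsa.PublicKey, p Policy, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	// Pin the algorithm; the header must never choose it (blocks alg=none and key confusion).
	hdrJSON, err := base64.RawURLEncoding.DecodeString(parts[0])
	var hdr struct{ Alg string `json:"alg"` }
	if err != nil || json.Unmarshal(hdrJSON, &hdr) != nil || hdr.Alg != "RS256" {
		return nil, fmt.Errorf("rejecting header with alg %q", hdr.Alg)
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err != nil || rsa.VerifyPKCS1v15(issuerKey, crypto.SHA256, digest[:], sig) != nil {
		return nil, errors.New("signature does not verify against the issuer key")
	}
	body, err := base64.RawURLEncoding.DecodeString(parts[1])
	var c Claims
	if err != nil || json.Unmarshal(body, &c) != nil {
		return nil, errors.New("claims segment is not valid JSON")
	}
	switch {
	case c.Iss != GitHubIssuer:
		return nil, fmt.Errorf("untrusted issuer %q", c.Iss)
	case c.Aud != p.Audience: // a token minted for AWS or GCP must not be accepted here
		return nil, fmt.Errorf("token audience %q is not ours", c.Aud)
	case now.Unix() >= c.Exp || now.Unix() < c.Nbf:
		return nil, errors.New("token is outside its validity window")
	case !strings.HasPrefix(c.Sub, "repo:"+c.Repository+":"): // sub is what cloud trust policies match on
		return nil, fmt.Errorf("sub %q disagrees with repository claim", c.Sub)
	case !p.AllowedRepos[c.Repository] || !p.AllowedActors[c.Actor]:
		return nil, fmt.Errorf("%s in %s is not on the deploy allow-list", c.Actor, c.Repository)
	}
	return &c, nil
}

func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048) // demo issuer key, constructed here
	now := time.Now()
	policy := Policy{Audience: "https://gateway.openfaas.example", // hypothetical audience
		AllowedRepos: map[string]bool{"example-org/fn": true}, AllowedActors: map[string]bool{"alice": true}}
	tok, _ := MintToken(key, Claims{Iss: GitHubIssuer, Aud: policy.Audience, Sub: "repo:example-org/fn:ref:refs/heads/main",
		Repository: "example-org/fn", Actor: "alice", Exp: now.Add(5 * time.Minute).Unix(), Nbf: now.Unix()})
	c, err := Verify(tok, &key.PublicKey, policy, now)
	fmt.Println(c != nil, err)
}
```

The same checks are what the clouds express declaratively: an AWS role trust policy conditions on `token.actions.githubusercontent.com:aud` and `token.actions.githubusercontent.com:sub` before STS will hand out credentials, and a GCP Workload Identity Provider carries an attribute condition over the mapped claims. Binding the audience matters because the token is a bearer credential for its short lifetime; a token minted for `sts.amazonaws.com` should never be accepted by your own gateway.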














