OIDC in CI
ELI5 — The Vibe Check
OIDC in CI means your CI pipeline proves its identity to cloud providers without storing long-lived secrets. GitHub Actions says 'I am workflow X in repo Y' and AWS says 'cool, here's temporary credentials.' No more API keys sitting in secrets. It's like showing your work badge instead of carrying a copy of the office key.
Real Talk
OpenID Connect (OIDC) federation in CI/CD lets a workflow obtain short-lived cloud credentials by presenting a signed JWT that the CI platform issues for that specific run. The CI platform acts as the OpenID identity provider, and the cloud's IAM is configured to trust that provider's signing keys and to check the token's claims before it issues temporary credentials: the issuer, the audience (aud) the token was minted for, and the sub claim that names the repository, branch, tag, environment or event that produced it. Trusting the provider alone is not enough; a trust policy that does not pin sub lets any repository on that platform assume the role. Done properly, this eliminates static credentials, which removes the rotation burden and shrinks the blast radius of a leak: a token is valid for minutes and is bound to one workflow run.
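The cloud side of that exchange, as an added example that is not part of the original page and not code from the aws-actions project: a small Python model of the check IAM performs on a GitHub Actions token's claims before issuing credentials, with a weak trust policy beside a hardened one. The acme/web repository, the three claim sets and the policies are constructed for illustration; real tokens are RS256-signed and verified against GitHub's published JWKS, which this model skips.

```python
"""Model of an AWS-style trust-policy check on GitHub Actions OIDC claims.

Added example (not from the page or the aws-actions project). Claims and
policies are constructed; signature verification is out of scope.
"""
import re
import time

GITHUB_OIDC_ISSUER = "https://token.actions.githubusercontent.com"
# AWS condition keys for an OIDC provider are "<issuer host>:<claim name>".
AUD_KEY = "token.actions.githubusercontent.com:aud"
SUB_KEY = "token.actions.githubusercontent.com:sub"


def github_claims(sub, aud="sts.amazonaws.com", ttl=300, now=None):
    """Build a constructed claim set in the shape GitHub Actions issues."""
    now = int(time.time()) if now is None else now
    return {"iss": GITHUB_OIDC_ISSUER, "aud": aud, "sub": sub,
            "iat": now, "exp": now + ttl}


def string_like(pattern, value):
    """AWS StringLike semantics: '*' matches any run, '?' one character."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, value) is not None


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _condition_holds(operator, expected, claims):
    """Every key under one operator (StringEquals / StringLike) must match."""
    for key, allowed in expected.items():
        claim = key.split(":", 1)[1]              # "...:sub" -> "sub"
        actual = _as_list(claims.get(claim, ""))  # aud may be a list in a JWT
        allowed = _as_list(allowed)               # policy values may be lists
        if operator == "StringEquals":
            ok = any(a == e for a in actual for e in allowed)
        elif operator == "StringLike":
            ok = any(string_like(e, a) for a in actual for e in allowed)
        else:
            return False                          # unknown operator: fail closed
        if not ok:
            return False
    return True


def assume_role_allowed(trust_policy, claims, now=None):
    """True if an Allow statement for AssumeRoleWithWebIdentity matches."""
    now = int(time.time()) if now is None else now
    if claims.get("iss") != GITHUB_OIDC_ISSUER or claims.get("exp", 0) <= now:
        return False
    for stmt in trust_policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRoleWithWebIdentity" not in _as_list(stmt.get("Action")):
            continue
        conditions = stmt.get("Condition", {})
        # No conditions at all: any token from the provider is accepted.
        if all(_condition_holds(op, exp, claims) for op, exp in conditions.items()):
            return True
    return False


def trust_policy(conditions):
    """Wrap a Condition block in the trust-policy shape AWS expects."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": "arn:aws:iam::123:oidc-provider/"
                                   "token.actions.githubusercontent.com"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": conditions}]}


# Weak: pins only the audience, so any GitHub repository can assume the role.
WEAK = trust_policy({"StringEquals": {AUD_KEY: "sts.amazonaws.com"}})
# Repo-wide: still accepts pull_request runs and any branch of acme/web.
REPO_WIDE = trust_policy({"StringEquals": {AUD_KEY: "sts.amazonaws.com"},
                          "StringLike": {SUB_KEY: "repo:acme/web:*"}})
# Hardened: only the main branch of the one repository that should deploy.
HARDENED = trust_policy({"StringEquals": {
    AUD_KEY: "sts.amazonaws.com",
    SUB_KEY: "repo:acme/web:ref:refs/heads/main"}})

if __name__ == "__main__":
    t = 1000
    cases = {"main": github_claims("repo:acme/web:ref:refs/heads/main", now=t),
             "pr": github_claims("repo:acme/web:pull_request", now=t),
             "fork": github_claims("repo:evil/fork:ref:refs/heads/main", now=t)}
    for name, policy in (("WEAK", WEAK), ("REPO_WIDE", REPO_WIDE),
                         ("HARDENED", HARDENED)):
        print(name, {k: assume_role_allowed(policy, c, now=t)
                     for k, c in cases.items()})
```

Pinning sub to a protected branch or to an environment:prod subject is what makes "scoped to the specific workflow run" true on the cloud side; the audience condition alone only stops tokens minted for other services.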
Show Me The Code
jobs:
  deploy:
    runs-on: ubuntu-latest
    permissions:
      id-token: write   # lets the job request an OIDC token from GitHub
      contents: read    # setting permissions drops the defaults, so grant checkout explicitly
    steps:
      - uses: actions/checkout@v4
      - uses: aws-actions/configure-aws-credentials@v4
        with:
          # The role's trust policy must restrict the token's sub claim
          # (repo, branch or environment); role-to-assume alone does not.
          role-to-assume: arn:aws:iam::123:role/deploy
          aws-region: us-east-1
When You'll Hear This
"We switched to OIDC — no more AWS access keys in GitHub secrets." / "OIDC tokens are short-lived and scoped to the specific workflow run."
Related Terms
GitHub Actions
GitHub Actions is CI/CD built right into GitHub. Push code, run tests, deploy — all from YAML files in your repo. No separate CI server needed.
Secret Scanning
Secret Scanning checks your code for accidentally committed passwords, API keys, and tokens. Pushed your AWS key to GitHub?
Zero Trust
Zero Trust means 'never trust, always verify.' Even if you're inside the company network, you still have to prove who you are for every request.