Simplify OIDC Trust with the New Pulumi GitHub Action


We’re excited to announce a new GitHub Action that simplifies the integration of Pulumi’s powerful OpenID Connect (OIDC) Trust feature into your GitHub Actions workflows. This action streamlines secure authentication with Pulumi Cloud, allowing you to leverage GitHub as an identity provider and eliminate the need for long-lived Pulumi access tokens.

A Quick Refresher on Pulumi’s OIDC Trust

The OIDC Trust feature allows you to configure trusted OIDC identity providers, such as GitHub, GitLab, or Google Cloud, within your Pulumi organization. This feature ensures secure and straightforward integration of Pulumi Cloud with any OIDC-compliant system. Once set up, you can securely exchange short-lived OIDC tokens from these providers for temporary Pulumi access tokens. These tokens can then be used to authenticate to Pulumi and perform actions such as deploying your infrastructure using Pulumi IaC, retrieving secrets stored in Pulumi ESC, etc. This approach enhances security by eliminating the need to store long-lived sensitive credentials and aligns with cloud security best practices.
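To make the "trust" in the exchange concrete, here is an added example (not Pulumi's code) of the checks a relying party applies to a GitHub Actions OIDC token before minting an organization-scoped access token: signature, issuer, audience, expiry, and a subject policy naming which repositories and refs may authenticate. The token is constructed and HS256-signed with a local key purely for illustration; real GitHub tokens are RS256-signed and verified against the issuer's JWKS, and the `urn:pulumi:org:<org>` audience form is an assumption.

```python
import base64, fnmatch, hashlib, hmac, json, time

GITHUB_ISSUER = "https://token.actions.githubusercontent.com"  # GitHub Actions OIDC issuer

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def make_token(claims: dict, key: bytes) -> str:
    """Constructed HS256 JWT standing in for a GitHub OIDC token (real ones are RS256, verified via JWKS)."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"

def evaluate_trust(token: str, key: bytes, org: str, allowed_subjects: list[str],
                   now=None) -> tuple[bool, str]:
    """Checks performed before exchanging the OIDC token for an org access token."""
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed token"
    header, payload, sig = parts
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        return False, "bad signature"          # tampered, or signed by someone else
    claims = json.loads(b64url_decode(payload))
    if claims.get("iss") != GITHUB_ISSUER:
        return False, "untrusted issuer"
    # Audience binds the token to this Pulumi org (assumed urn:pulumi:org:<org> form).
    if claims.get("aud") != f"urn:pulumi:org:{org}":
        return False, "audience mismatch"
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        return False, "expired"
    # Subject policy: which repositories/refs may obtain a token for this org.
    sub = claims.get("sub", "")
    if not any(fnmatch.fnmatchcase(sub, pattern) for pattern in allowed_subjects):
        return False, f"subject not allowed: {sub}"
    return True, "ok"

if __name__ == "__main__":
    key = b"constructed-demo-key"   # stands in for the issuer's signing key
    claims = {"iss": GITHUB_ISSUER, "aud": "urn:pulumi:org:org-name",
              "sub": "repo:org-name/infra:ref:refs/heads/main", "exp": int(time.time()) + 300}
    print(evaluate_trust(make_token(claims, key), key, "org-name",
                         ["repo:org-name/*:ref:refs/heads/main"]))
```

A token minted for a pull request, for another organization, or after expiry is rejected even though it is validly signed, which is what makes the exchanged Pulumi token safe to hand out without a stored secret.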

Streamlining OIDC Trust with GitHub Actions

Our new GitHub Action makes using OIDC Trust even easier. It automates the secure retrieval of Pulumi access tokens directly within your GitHub workflows, streamlining the authentication process and eliminating manual steps. This automation reduces errors, enhances security by reducing potential token leakage, and improves the maintainability of your workflows, making them cleaner, more readable, and easier to update.

Example Usage

This example demonstrates how to use the Action to authenticate with OIDC and run the pulumi preview command.

name: Pulumi preview
on:
  workflow_dispatch:

# id-token: write lets the job request a GitHub OIDC token; no other permission is elevated.
permissions:
  id-token: write
  contents: read

jobs:
  run_cron_job:
    runs-on: ubuntu-latest

    steps:
      - uses: actions/checkout@v4

      # Exchange the job's OIDC token for a short-lived Pulumi access token
      # scoped to the organization; no long-lived Pulumi token is stored as a secret.
      - uses: pulumi/auth-actions@v1
        with:
          organization: org-name
          requested-token-type: urn:pulumi:token-type:access_token:organization

      # Subsequent steps authenticate with the token obtained above.
      - uses: pulumi/actions@v5
        with:
          command: preview
          stack-name: org-name/stack-name

For more information about the pulumi/auth-actions@v1 Action, check the Pulumi Auth Action documentation.

Conclusion

The new GitHub Action for Pulumi OIDC Trust makes it easier than ever to incorporate secure, short-lived credential management into your GitHub Actions workflows. Embrace the power of OIDC, eliminate the “secret zero” problem, and streamline your Pulumi deployments with ease.

Give the action a try in your next GitHub Actions workflow and let us know what you think! Check out our documentation for more details.