OpenID Connect Trust Relationships for Pulumi Cloud
We are excited to introduce a powerful addition to Pulumi’s authentication capabilities: OpenID Connect (OIDC) Trust Relationships. This feature makes it easy to integrate Pulumi securely into any ecosystem that supports OIDC. By incorporating OIDC, Pulumi is not only extending its compatibility with a broader range of environments but also reinforcing its commitment to delivering top-tier, secure, and scalable solutions to developers and enterprises alike. Whether you are working within CI/CD pipelines or engaging directly with cloud services, this new feature ensures that your infrastructure management is more secure, efficient, and aligned with industry best practices.
Addressing the “Secret Zero” Challenge
Many platforms face the “secret zero” challenge: a weak link where they require a static, long-lived access token. Managing long-lived access tokens has always been a challenge for developers. Often those secrets are set and forgotten, leaving the team to scramble when it comes time to rotate them, which in practice means they are rotated infrequently. Such a long-term access token becomes a weak point in the overall security posture as well as a hassle for developers. With OIDC Trust Relationships, we’re tackling the “secret zero” challenge head-on by exchanging a secure platform token for a short-term Pulumi token. This enhances security and simplifies token management.
Simplified Authentication
OIDC Trust simplifies the authentication process by allowing you to securely request dynamic credentials for Pulumi using your preferred OIDC provider. OIDC is supported across many popular CI/CD systems, such as GitHub, GitLab, Circle CI, and more. In addition, OIDC can be used from within most cloud providers, such as AWS, Azure, GCP, and more.
Enhanced Security with Policy Controls
When you set up an OIDC Trust in Pulumi Cloud, you can set policies to deny or approve token exchanges based on issuer subject or additional claims. We support wildcard matching to create simple policies that support complex authorization scenarios. Based on your specific policy requirements, these policies can be used to issue a token scoped to an organization, team, or personal access.
Seamless Integration with Pulumi ESC
OIDC Trust seamlessly integrates with Pulumi ESC, providing a comprehensive solution for managing infrastructure and access to secrets and configuration. You can now exchange your native GitHub app token for a short-lived Pulumi token, and ESC will seamlessly exchange that for a cloud token through an ESC environment.
Demo
In this demo, we are going to use GitHub Actions to retrieve Pulumi credentials and use them to list all the Pulumi ESC Environments in our organization.
- Go to the OIDC Issuers Page.
- Register Issuer and give it a name and an (optional) max expiration. Enter the GitHub Actions URL https://token.actions.githubusercontent.com.
- Add a policy to allow OIDC and configure the sub and audience for your organization and repositories. In the demo, we are using:
Aud: urn:pulumi:org:organization
Sub: repo:organization/repo:*
- Create a GitHub action. Here is sample code. Make sure to substitute your organization in the pulumi/auth-actions organization parameter.
name: Pulumi ESC List Environments
on:
  workflow_dispatch:
permissions:
  id-token: write   # lets the job request an OIDC token from GitHub
  contents: read
jobs:
  run_cron_job:
    runs-on: ubuntu-20.04
    timeout-minutes: 30
    steps:
      - name: Checkout repo
        uses: actions/checkout@v3
      - name: Install pulumi
        uses: pulumi/actions@v4
      - name: Install deps
        run: yarn
      # Exchanges the GitHub OIDC token for a short-lived Pulumi access token
      - uses: pulumi/auth-actions@v1
        with:
          organization: organization
          requested-token-type: urn:pulumi:token-type:access_token:organization
      - name: Login to Pulumi
        run: pulumi login
        env:
          PULUMI_ACCESS_TOKEN: ${{ env.PULUMI_ACCESS_TOKEN }}
      - name: List all Pulumi ESC Environments
        run: pulumi env ls
- Go to the GitHub Actions page, and run the workflow you just created.
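To make the policy controls described above concrete, here is an added example (not Pulumi's code and not how Pulumi Cloud implements it) of evaluating a trust policy shaped like the demo's Aud and Sub values against the claims of an incoming OIDC token. The policy structure, the claim names, and the sample tokens are assumptions constructed for illustration; signature verification of the token is assumed to have already happened.

```python
# Added example, not Pulumi's code: deny-by-default evaluation of an OIDC trust
# policy (issuer, audience, subject wildcard) against decoded token claims.
import re
import time
from dataclasses import dataclass
from typing import Optional, Tuple

GITHUB_ISSUER = "https://token.actions.githubusercontent.com"


def glob_match(pattern: str, value: str) -> bool:
    """Match with '*' as the only wildcard; everything else is literal."""
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.fullmatch(regex, value) is not None


@dataclass(frozen=True)
class TrustPolicy:
    issuer: str           # must equal the token's "iss"
    audience: str         # must be present in the token's "aud"
    subject_pattern: str  # wildcard pattern checked against "sub"


def policy_allows(policy: TrustPolicy, claims: dict, now: Optional[float] = None) -> Tuple[bool, str]:
    """Return (allowed, reason); any failed check denies the exchange."""
    now = time.time() if now is None else now
    if claims.get("iss") != policy.issuer:
        return False, "issuer mismatch"
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]   # "aud" may be a list
    if policy.audience not in audiences:
        return False, "audience mismatch"
    sub = claims.get("sub")
    if not isinstance(sub, str) or not glob_match(policy.subject_pattern, sub):
        return False, "subject not permitted by policy"
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        return False, "token expired or missing exp"
    return True, "ok"


# Policy mirroring the demo's Aud/Sub values (organization and repo are placeholders).
DEMO_POLICY = TrustPolicy(GITHUB_ISSUER, "urn:pulumi:org:organization", "repo:organization/repo:*")

# Constructed sample claims in the shape of a GitHub Actions OIDC token.
GOOD_CLAIMS = {"iss": GITHUB_ISSUER, "aud": "urn:pulumi:org:organization",
               "sub": "repo:organization/repo:ref:refs/heads/main", "exp": 4_102_444_800}
# Same repo name under a different owner: the subject pattern must reject it.
OTHER_OWNER_CLAIMS = {**GOOD_CLAIMS, "sub": "repo:someone-else/repo:ref:refs/heads/main"}
```

Run with a fixed `now` to get deterministic results; a token from a different issuer, a mismatched audience, a subject outside the pattern, or an expired `exp` is each denied with a distinct reason.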