
Configuring OpenID Connect for GitHub

    This document outlines the steps required to configure Pulumi Cloud to accept GitHub Actions id_tokens and exchange them for Pulumi organization access tokens, so that workflows authenticate with a token minted per run instead of a long-lived PULUMI_ACCESS_TOKEN stored as a repository secret.

    This guide walks through the Pulumi Cloud UI. You can also configure OIDC Issuers via the REST API or the OidcIssuer resource in the Pulumi Service provider.
    This guide demonstrates using organization tokens. Depending on your Pulumi edition, you can also use personal or team tokens by adjusting the token type in the authorization policies and the requested-token-type parameter.

    Prerequisites

    • You must be an admin of your Pulumi organization.
    The GitHub side of these steps follows GitHub's official documentation, which is subject to change; refer to it for the most current information.

    Register the OIDC Issuer

    1. Navigate to Settings → Access Management → OIDC Issuers and select Register issuer.
    2. Name the issuer and set the issuer URL to https://token.actions.githubusercontent.com.
    3. Submit the form.

    Configure the authorization policies

    1. Select the issuer name.

    2. Set Decision to Allow.

    3. Set Token type to Organization.

    4. Add a policy and set the audience and subject claims a GitHub id_token must carry to be accepted for your organization and repositories:

      • Aud: urn:pulumi:org:<org-name>
      • Sub: repo:<organization>/<repo>:*

      Aud must equal the audience the workflow requests for its id_token; a token minted for any other audience is rejected. The trailing * in Sub matches every subject GitHub issues for that repository, including pull_request runs, environment deployments and any branch or tag. To restrict which runs can obtain an organization token, use a more specific subject, for example repo:<organization>/<repo>:ref:refs/heads/main for a single branch or repo:<organization>/<repo>:environment:<environment> for a single deployment environment. The pattern is matched against the full subject string, so keep the colon-delimited structure intact and do not wildcard the repository name itself.

      For more information about GitHub token claims, see the official GitHub documentation.

    5. Select Save policies.
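    The following is an added example, not Pulumi's code: it mirrors the Allow / token type / Aud / Sub policy check described in the steps above so you can see which GitHub subjects a given Sub pattern admits. It assumes that * in the Sub pattern matches any run of characters and that Aud is an exact match; the sample claims, the organization name acme, the repository acme/infra and the unsigned JWT are all constructed for offline use. Pulumi Cloud additionally verifies a real token's signature against GitHub's published keys, which this example does not do.

```python
"""Mirror Pulumi Cloud's OIDC issuer policy check for a GitHub Actions id_token.

Added example, not Pulumi's code. Assumptions: '*' in the Sub pattern matches any
run of characters; Aud is an exact match; the sample claims and the alg=none JWT
below are constructed for offline use. Signature verification is deliberately
out of scope here.
"""
import base64
import json
import re
import time
from dataclasses import dataclass

ISSUER = "https://token.actions.githubusercontent.com"
ORG_TOKEN_TYPE = "urn:pulumi:token-type:access_token:organization"


@dataclass(frozen=True)
class Policy:
    decision: str    # "Allow" or "Deny", as in the Pulumi UI
    token_type: str  # the requested-token-type URN this policy covers
    aud: str         # exact match, e.g. urn:pulumi:org:<org-name>
    sub: str         # pattern, e.g. repo:<organization>/<repo>:*


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64url(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_unsigned_token(claims: dict) -> str:
    """Constructed alg=none JWT for exercising the policy logic; never accept one for real."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}."


def claims_of(id_token: str) -> dict:
    """Decode the payload without verifying the signature (claim inspection only)."""
    _header, payload, _sig = id_token.split(".")
    return json.loads(_unb64url(payload))


def sub_matches(pattern: str, sub: str) -> bool:
    """Only '*' is a wildcard; every other character in the pattern is literal."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, sub) is not None


def evaluate(policies, id_token, requested_token_type, now=None):
    """Return (decision, reason): issuer and expiry first, then the first matching policy; default deny."""
    c = claims_of(id_token)
    now = time.time() if now is None else now
    if c.get("iss") != ISSUER:
        return "Deny", "iss is not the registered issuer"
    if c.get("exp", 0) <= now:
        return "Deny", "id_token expired"
    for p in policies:
        if (p.token_type == requested_token_type and p.aud == c.get("aud")
                and sub_matches(p.sub, c.get("sub", ""))):
            return p.decision, f"matched sub pattern {p.sub!r}"
    return "Deny", "no policy matched (default deny)"


# Constructed claims shaped like GitHub's id_token for a push to main in acme/infra.
SAMPLE_CLAIMS = {
    "iss": ISSUER,
    "aud": "urn:pulumi:org:acme",
    "sub": "repo:acme/infra:ref:refs/heads/main",
    "repository": "acme/infra",
    "ref": "refs/heads/main",
    "event_name": "push",
    "exp": 4102444800,  # 2100-01-01 UTC, so the constructed sample never expires in tests
}

BROAD = Policy("Allow", ORG_TOKEN_TYPE, "urn:pulumi:org:acme", "repo:acme/infra:*")
MAIN_ONLY = Policy("Allow", ORG_TOKEN_TYPE, "urn:pulumi:org:acme", "repo:acme/infra:ref:refs/heads/main")


def demo() -> dict:
    """Which subjects each pattern admits; the pull_request row is the one to notice."""
    subjects = {
        "push_main": SAMPLE_CLAIMS["sub"],
        "pull_request": "repo:acme/infra:pull_request",
        "other_repo": "repo:acme/infrastructure:ref:refs/heads/main",
    }
    out = {}
    for name, sub in subjects.items():
        tok = make_unsigned_token({**SAMPLE_CLAIMS, "sub": sub})
        out[name] = {
            "broad": evaluate([BROAD], tok, ORG_TOKEN_TYPE)[0],
            "main_only": evaluate([MAIN_ONLY], tok, ORG_TOKEN_TYPE)[0],
        }
    return out


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

    Running the script shows that the broad pattern admits the pull_request subject as well as the push to main, while the branch-specific pattern admits only the push; a subject from acme/infrastructure is denied by both because the literal colon after the repository name must match.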

    Set up GitHub Actions to use Pulumi’s authentication action

          - uses: pulumi/auth-actions@v1
            with:
              organization: org-name
              requested-token-type: urn:pulumi:token-type:access_token:organization
    

    Replace org-name with your Pulumi organization name. The id_token the action obtains must carry the audience urn:pulumi:org:<org-name> and a subject matched by the policy configured above, and the job must grant permissions: id-token: write so the runner can mint it. For more information, see the Pulumi Auth Action documentation.
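    To make the exchange the action performs concrete, here is an added example that is not the pulumi/auth-actions code: it issues the two requests by hand with only the Python standard library. It assumes that Pulumi Cloud exposes an RFC 8693 token-exchange endpoint at the PULUMI_EXCHANGE_URL given in the script and answers with JSON containing an access_token field (check the Pulumi REST API documentation for your edition before relying on it), and that the runner provides ACTIONS_ID_TOKEN_REQUEST_URL and ACTIONS_ID_TOKEN_REQUEST_TOKEN, which GitHub does only when the job has permissions: id-token: write. The opener parameter exists so the flow can be exercised offline.

```python
"""Perform the GitHub id_token -> Pulumi organization token exchange by hand.

Added example, not the pulumi/auth-actions code. Assumptions: Pulumi Cloud
exposes an RFC 8693 token-exchange endpoint at PULUMI_EXCHANGE_URL returning
JSON with an "access_token" field (verify against the Pulumi REST API docs);
ACTIONS_ID_TOKEN_REQUEST_URL / ACTIONS_ID_TOKEN_REQUEST_TOKEN are present only
when the job grants `permissions: id-token: write`.
"""
import json
import os
import sys
import urllib.parse
import urllib.request

PULUMI_EXCHANGE_URL = "https://api.pulumi.com/api/oauth/token"  # assumed endpoint; see lead-in
ORG_TOKEN_TYPE = "urn:pulumi:token-type:access_token:organization"
TOKEN_EXCHANGE_GRANT = "urn:ietf:params:oauth:grant-type:token-exchange"
ID_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:id_token"


def pulumi_audience(org: str) -> str:
    """The aud the issuer policy on this page expects: urn:pulumi:org:<org-name>."""
    return f"urn:pulumi:org:{org}"


def github_id_token_request(request_url: str, request_token: str,
                            audience: str) -> urllib.request.Request:
    """GET the runner's OIDC endpoint; `audience` becomes the token's aud claim."""
    sep = "&" if "?" in request_url else "?"
    url = f"{request_url}{sep}audience={urllib.parse.quote(audience, safe='')}"
    return urllib.request.Request(url, headers={"Authorization": f"Bearer {request_token}"})


def pulumi_exchange_request(id_token: str, org: str,
                            requested_token_type: str = ORG_TOKEN_TYPE) -> urllib.request.Request:
    """POST the id_token as an RFC 8693 subject_token and ask for a Pulumi org token."""
    form = urllib.parse.urlencode({
        "audience": pulumi_audience(org),
        "grant_type": TOKEN_EXCHANGE_GRANT,
        "subject_token_type": ID_TOKEN_TYPE,
        "requested_token_type": requested_token_type,
        "subject_token": id_token,
    }).encode()
    return urllib.request.Request(
        PULUMI_EXCHANGE_URL, data=form, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded",
                 "Accept": "application/json"},
    )


def exchange(org: str, opener=urllib.request.urlopen) -> str:
    """Run both requests; `opener` is injectable so the flow can be exercised offline."""
    request_url = os.environ.get("ACTIONS_ID_TOKEN_REQUEST_URL")
    request_token = os.environ.get("ACTIONS_ID_TOKEN_REQUEST_TOKEN")
    if not request_url or not request_token:
        raise RuntimeError("no OIDC request context: does the job grant `id-token: write`?")
    with opener(github_id_token_request(request_url, request_token, pulumi_audience(org))) as resp:
        id_token = json.load(resp)["value"]      # GitHub returns {"value": "<jwt>"}
    with opener(pulumi_exchange_request(id_token, org)) as resp:
        return json.load(resp)["access_token"]   # assumed response shape (RFC 8693)


if __name__ == "__main__":
    # Usage in a workflow step: python exchange.py <pulumi-org>
    token = exchange(sys.argv[1])
    print(f"::add-mask::{token}")                # keep the token out of the job log
    with open(os.environ["GITHUB_ENV"], "a", encoding="utf-8") as env_file:
        env_file.write(f"PULUMI_ACCESS_TOKEN={token}\n")
```

    The audience sent to GitHub and the audience sent to Pulumi are the same string; if they differ from the Aud configured in the issuer policy, the exchange is refused. The id_token is short-lived and single-purpose, so nothing long-lived is stored anywhere in the repository.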

    Sample GitHub Actions workflow

    name: Pulumi preview
    on:
      workflow_dispatch:

    # id-token: write lets the runner mint the OIDC id_token; contents: read is all checkout needs.
    permissions:
      id-token: write
      contents: read

    jobs:
      preview:
        runs-on: ubuntu-latest

        steps:
          - uses: actions/checkout@v4

          # Exchanges the GitHub id_token for a Pulumi organization token and makes it available to later steps.
          - uses: pulumi/auth-actions@v1
            with:
              organization: org-name
              requested-token-type: urn:pulumi:token-type:access_token:organization

          - uses: pulumi/actions@v6
            with:
              command: preview
              stack-name: org-name/stack-name