Configuring OpenID Connect for GitHub
This document outlines the steps required to configure Pulumi to accept GitHub Actions id_tokens and exchange them for Pulumi organization access tokens.
Prerequisites
- You must be an admin of your Pulumi organization.
Please note that this guide provides step-by-step instructions based on the official provider documentation, which is subject to change. For the most current and precise information, always refer to the official GitHub documentation.
Register the OIDC issuer
- Navigate to OIDC Issuers under your organization's Settings and click Register a new issuer.
- Name the issuer and enter the issuer URL: https://token.actions.githubusercontent.com
- Submit the form.
Configure the Authorization Policies
- Click on the issuer name.
- Change the policy decision to Allow.
- Change the token type to Organization.
- Add a policy to allow OIDC and configure the audience (aud) and subject (sub) for your organization and repositories:
  Aud: urn:pulumi:org:org-name
  Sub: repo:organization/repo:*
  Replace org-name with your Pulumi organization name. The subject pattern repo:organization/repo:* accepts tokens issued for any branch, tag, pull request or environment of that GitHub repository; to limit the exchange to a single branch, use the full subject GitHub issues for it, for example repo:organization/repo:ref:refs/heads/main. For further information about GitHub token claims refer to the official GitHub documentation.
- Click on Update.
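The policy above is what decides whether a GitHub token is exchanged for a Pulumi organization token. The script below is an added example, not Pulumi's or GitHub's code: it builds constructed GitHub-style claims, decodes them the way any JWT consumer would, and evaluates them against the policy on this page and against a branch-restricted variant, so you can see which subjects the wildcard admits and which it rejects. The glob-style interpretation of the sub pattern, the constructed token contents, and the helper names (make_unsigned_token, evaluate_policy, decisions) are assumptions for illustration; the real exchange also verifies the token signature against GitHub's published keys, which this offline example skips.

```python
# Added example (not Pulumi's or GitHub's code): evaluates GitHub Actions OIDC token
# claims against an authorization policy shaped like the one configured above.
# Assumptions: glob-style matching of the `sub` pattern and the constructed tokens below;
# Pulumi's exact matching rules are not described on this page.
import base64
import fnmatch
import json

GITHUB_ISSUER = "https://token.actions.githubusercontent.com"
NOW = 1_700_000_000  # fixed clock so the example is reproducible offline


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_unsigned_token(claims: dict) -> str:
    """Constructed test input: a JWT with an empty signature, for inspecting claims offline.
    A real token carries an RS256 signature that the exchange verifies against GitHub's JWKS."""
    header = {"alg": "RS256", "typ": "JWT", "kid": "constructed-kid"}
    return ".".join([b64url(json.dumps(header).encode()), b64url(json.dumps(claims).encode()), ""])


def decode_claims(token: str) -> dict:
    """Decode the payload of a JWT without verifying it (claims only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def evaluate_policy(claims: dict, policy: dict, now: int = NOW):
    """Return ("allow", reason) or ("deny", reason): issuer, audience, expiry, then subject."""
    if claims.get("iss") != policy["issuer"]:
        return "deny", f"issuer {claims.get('iss')!r} is not the registered issuer"
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if policy["aud"] not in audiences:
        return "deny", f"audience {audiences!r} does not include {policy['aud']!r}"
    if claims.get("exp", 0) <= now:
        return "deny", "token is expired"
    sub = claims.get("sub", "")
    for pattern in policy["sub"]:
        if fnmatch.fnmatchcase(sub, pattern):  # assumed glob semantics: '*' spans '/' and ':'
            return "allow", f"sub {sub!r} matched {pattern!r}"
    return "deny", f"sub {sub!r} matched none of {policy['sub']!r}"


def github_claims(sub: str, aud: str = "urn:pulumi:org:org-name") -> dict:
    """Constructed claims in the shape GitHub Actions issues (only the fields used here)."""
    return {"iss": GITHUB_ISSUER, "aud": aud, "sub": sub, "iat": NOW - 60, "exp": NOW + 300}


# The policy from this page, and a tighter one that only admits pushes to the main branch.
PAGE_POLICY = {"issuer": GITHUB_ISSUER, "aud": "urn:pulumi:org:org-name",
               "sub": ["repo:organization/repo:*"]}
MAIN_ONLY_POLICY = dict(PAGE_POLICY, sub=["repo:organization/repo:ref:refs/heads/main"])

# Constructed subjects in the formats GitHub uses for a branch push, a pull request,
# a deployment environment, and a different repository in the same GitHub organization.
SUBJECTS = {
    "main_push": "repo:organization/repo:ref:refs/heads/main",
    "pull_request": "repo:organization/repo:pull_request",
    "prod_environment": "repo:organization/repo:environment:production",
    "other_repo": "repo:organization/other-repo:ref:refs/heads/main",
}


def decisions(policy: dict) -> dict:
    """Map each constructed scenario to the decision the policy gives it."""
    results = {}
    for name, sub in SUBJECTS.items():
        token = make_unsigned_token(github_claims(sub))
        results[name] = evaluate_policy(decode_claims(token), policy)[0]
    # A token minted for another Pulumi organization's audience must never be accepted.
    wrong_aud = make_unsigned_token(github_claims(SUBJECTS["main_push"], aud="urn:pulumi:org:other-org"))
    results["wrong_audience"] = evaluate_policy(decode_claims(wrong_aud), policy)[0]
    return results


if __name__ == "__main__":
    for label, policy in (("page policy", PAGE_POLICY), ("main-only policy", MAIN_ONLY_POLICY)):
        print(label)
        for scenario, decision in decisions(policy).items():
            print(f"  {scenario:18} {decision}")
```

Under the page's wildcard policy the branch push, the pull request and the environment token are all allowed and only the other repository and the foreign audience are denied; under the main-only policy everything but the branch push is denied. That difference is the reason to prefer the narrowest subject your workflow actually needs, since a pull_request token can be obtained by anyone who can open a pull request against the repository.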
Set up GitHub Actions to use Pulumi's authentication action

```yaml
- uses: pulumi/auth-actions@v1
  with:
    organization: org-name
    requested-token-type: urn:pulumi:token-type:access_token:organization
```

Replace org-name with the right Pulumi organization. The job running this step needs the id-token: write permission, otherwise GitHub will not issue the id_token the action exchanges. For more information, check the Pulumi Auth Action documentation.
Sample GitHub Actions workflow
```yaml
name: Pulumi preview
on:
  workflow_dispatch:
permissions:
  id-token: write
  contents: read
jobs:
  run_cron_job:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: pulumi/auth-actions@v1
        with:
          organization: org-name
          requested-token-type: urn:pulumi:token-type:access_token:organization
      - uses: pulumi/actions@v5
        with:
          command: preview
          stack-name: org-name/stack-name
```