1. Docs
  2. Pulumi Cloud
  3. Identity & access management
  4. OpenID
  5. OpenID client
  6. Github

Configuring OpenID Connect for Github

    This document outlines the steps required to configure Pulumi to accept Github id_tokens to be exchanged by Organization access tokens.

    Prerequisites

    • You must be an admin of your Pulumi organization.
    Please note that this guide provides step-by-step instructions based on the official provider documentation which is subject to change. For the most current and precise information, always refer to the official Github documentation.

    Register the OIDC issuer

    1. Navigate to OIDC Issuers under your Organization’s Settings and click on Register a new issuer.
    2. Name the issuer and complete the url: https://token.actions.githubusercontent.com Register Github
    3. Submit the form

    Configure the Authorization Policies

    1. Click on the issuer name
    2. Change the policy decision to Allow
    3. Change the token type to Organization
    4. Add a policy to allow OIDC and configure the sub and audience for your organization and repositories:
    • Aud: urn:pulumi:org:org-name

    • Sub: repo:organization/repo:*

    For further information about Github token claims refer to the official Github documentation. Github policy example 5. Click on update

    Set up the Github Actions to use Pulumi’s authentication action

          - uses: pulumi/auth-actions@v1
            with:
              organization: org-name
              requested-token-type: urn:pulumi:token-type:access_token:organization
    

    Replace org-name with the right Pulumi organization. For more information, check the Pulumi Auth Action documentation.

    Sample Github Actions workflow

    name: Pulumi preview
    on:
      workflow_dispatch:
    
    permissions:
      id-token: write
      contents: read
    
    jobs:
      run_cron_job:
        runs-on: ubuntu-latest
    
        steps:
          - uses: actions/checkout@v4
    
          - uses: pulumi/auth-actions@v1
            with:
              organization: org-name
              requested-token-type: urn:pulumi:token-type:access_token:organization
    
          - uses: pulumi/actions@v5
            with:
              command: preview
              stack-name: org-name/stack-name
    
      PulumiUP 2024. Watch On Demand.