
Securing CI/CD Pipelines With OIDC: Step-by-Step Tutorial


(@gitguardian)
Estimable Member
Joined: 10 months ago
Posts: 54
Topic starter  

Read full article here: https://blog.gitguardian.com/securing-your-ci-cd-an-oidc-tutorial/?utm_source=nhimg

CI/CD pipelines are essential for modern software delivery—but they also introduce significant security risks. The recent CircleCI breach, where attackers accessed stored secrets, underscores the danger of relying on long-lived credentials in CI/CD systems. This tutorial walks through best practices and hands-on implementations using OpenID Connect (OIDC) to enhance CI/CD security.


CI/CD Security Risks

CI/CD platforms like CircleCI, GitHub Actions, and GitLab CI automate build and deployment processes, often requiring access to:

  • Cloud services (AWS, GCP, Azure)
  • Artifact repositories
  • Internal or external APIs

This automation means sensitive information, like API keys, access tokens, or passwords, is frequently stored or transmitted. If a CI/CD system is compromised, attackers can access these secrets, potentially affecting all connected systems.


Best Practices for Securing CI/CD

Avoid Long-Lived Credentials
Use short-lived credentials whenever possible. For example, AWS IAM roles generate temporary access keys with built-in expiration, reducing risk.

Don’t Store Secrets in CI/CD Platforms
Store secrets in dedicated secrets managers (like HashiCorp Vault or cloud-native secret stores) instead of the CI/CD platform itself. Retrieve them securely at runtime.

Rotate and Refresh Secrets Regularly
Even when long-lived credentials are unavoidable, ensure frequent rotation. Modern secret managers can automate this process, reducing operational overhead and improving security.


Introduction to OpenID Connect (OIDC)

OIDC enables CI/CD workflows to use short-lived, token-based authentication instead of static passwords or API keys. By integrating OIDC:

  • GitHub Actions or other CI/CD tools request temporary access tokens
  • Tokens are used to authenticate with cloud providers or secrets managers
  • No sensitive long-lived secrets need to be stored in the CI/CD system

This aligns perfectly with zero-trust and least-privilege principles.


Tutorial: GitHub Actions OIDC with AWS

Step 1: Create an OIDC Provider in AWS

Step 2: Create an IAM Role with Assume Role Policy

  • Attach the required AWS policy (e.g., AmazonS3ReadOnlyAccess)
  • Set trust relationship for the OIDC provider and specific repository

Step 3: Configure GitHub Action Workflow

jobs:
  s3:
    runs-on: ubuntu-latest
    permissions:
      id-token: write
      contents: read
    steps:
      - uses: aws-actions/configure-aws-credentials@v2
        with:
          role-to-assume: <IAM_ROLE_ARN>
          role-session-name: samplerolesession
          aws-region: us-west-1
      - run: aws s3 ls

This workflow allows secure AWS access without storing secrets.
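The trust relationship in Step 2 is where the security of this setup is decided: the role must be bound not only to the OIDC provider but to the specific repository, otherwise a token from any GitHub repository satisfies the policy. The following added example (not code from the original article) builds an IAM trust policy in the shape AWS documents for the GitHub provider and evaluates constructed token claims against it, contrasting the weak policy (audience check only) with one that also binds the `sub` claim to a repository; the account id and repository names are placeholders.

```python
import fnmatch

# Constructed claims as GitHub Actions issues them in its OIDC token. A real token
# carries many more claims; only those the trust policy conditions reference matter here.
GITHUB_ISSUER = "token.actions.githubusercontent.com"
PROVIDER_ARN = "arn:aws:iam::123456789012:oidc-provider/" + GITHUB_ISSUER  # placeholder account
OWN_REPO = {"aud": "sts.amazonaws.com", "sub": "repo:example-org/example-app:ref:refs/heads/main"}
OTHER_REPO = {"aud": "sts.amazonaws.com", "sub": "repo:someone-else/anything:ref:refs/heads/main"}


def trust_policy(provider_arn, audience="sts.amazonaws.com", sub_pattern=None):
    """Build an IAM role trust policy for a GitHub OIDC provider.

    sub_pattern=None reproduces a common mistake: only the audience is checked, so a
    workflow token from any GitHub repository can assume the role. Passing a pattern
    such as "repo:<owner>/<repo>:*" restricts the role to that repository."""
    condition = {"StringEquals": {f"{GITHUB_ISSUER}:aud": audience}}
    if sub_pattern:
        condition["StringLike"] = {f"{GITHUB_ISSUER}:sub": sub_pattern}
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": provider_arn},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": condition,
        }],
    }


def token_matches(policy, claims):
    """Evaluate the statement's Condition block against token claims, simplified to
    the two operators used above with single values. Every key must match."""
    for operator, keys in policy["Statement"][0]["Condition"].items():
        for key, expected in keys.items():
            actual = claims.get(key.split(":", 1)[1])  # "<issuer>:sub" -> "sub"
            if actual is None:
                return False
            if operator == "StringEquals" and actual != expected:
                return False
            # IAM StringLike supports * and ? wildcards; fnmatch covers both.
            if operator == "StringLike" and not fnmatch.fnmatchcase(actual, expected):
                return False
    return True


WEAK = trust_policy(PROVIDER_ARN)  # audience only: any repository's token is accepted
STRICT = trust_policy(PROVIDER_ARN, sub_pattern="repo:example-org/example-app:*")

if __name__ == "__main__":
    for name, policy in (("weak", WEAK), ("strict", STRICT)):
        print(name, "own repo:", token_matches(policy, OWN_REPO),
              "other repo:", token_matches(policy, OTHER_REPO))
```

Tightening the `sub` pattern further (for example to a single branch, `repo:example-org/example-app:ref:refs/heads/main`) is how deployment roles are usually restricted so that pull-request workflows cannot assume them.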


Tutorial: GitHub Actions OIDC with HashiCorp Vault

Not all systems support OIDC directly. For these cases, integrate your CI/CD workflow with a secrets manager:

Step 1: Install Vault (for dev/testing)

brew tap hashicorp/tap
brew install hashicorp/tap/vault
vault server -dev

Step 2: Enable JWT Authentication

vault auth enable jwt

vault write auth/jwt/config \
  bound_issuer="https://token.actions.githubusercontent.com" \
  oidc_discovery_url="https://token.actions.githubusercontent.com"

Step 3: Create Policies and Roles
Define Vault policies and JWT-bound roles to restrict access to specific secrets.

Step 4: Retrieve Secrets in GitHub Actions

jobs:
  retrieve-secret:
    runs-on: ubuntu-latest
    permissions:
      id-token: write
      contents: read
    steps:
      - uses: hashicorp/vault-action@v2
        with:
          method: jwt
          url: <VAULT_URL>
          role: myproject-production
          secrets: secret/data/aws accessKey | AWS_ACCESS_KEY_ID
      - run: echo "${{ env.AWS_ACCESS_KEY_ID }}"

This allows your CI/CD workflow to retrieve secrets securely without exposing passwords.


Summary

  • CI/CD systems are critical yet vulnerable components of modern DevOps pipelines.
  • Avoid long-lived credentials and secrets storage in CI/CD platforms.
  • Use OIDC and secrets managers to enable secure, temporary token-based authentication.
  • Hands-on tutorials show how to integrate GitHub Actions with AWS and Vault securely.

Adopting OIDC in your CI/CD pipelines ensures least privilege, reduced attack surface, and compliance with modern security best practices.
