GitHub Actions - Web Identity Federation¶
In this guide, you'll learn how to deploy from GitHub Actions CI/CD using OpenFaaS's IAM support and Web Identity Federation.
You'll need to create YAML files for an Issuer, a Policy and a Role. These need to be applied through kubectl, Helm or a GitOps tool.
Your build will need to be adapted in order to receive an id_token from GitLab, which will be exchanged for an OpenFaaS access token.
Define an Issuer for GitHub Actions¶
First define a new JwtIssuer resource, setting the aud
field to the URL of your OpenFaaS Gateway.
apiVersion: openfaas.com/v1
kind: JwtIssuer
metadata:
name: token.actions.githubusercontent.com
namespace: openfaas
spec:
iss: https://token.actions.githubusercontent.com
aud:
- https://gw.example.com
tokenExpiry: 30m
Issuer for https://token.actions.githubusercontent.com
Create a Policy¶
Next, define a Policy with the least privileges required to perform the desired actions.
apiVersion: openfaas.com/v1
kind: Policy
metadata:
name: dev-rw
namespace: openfaas
spec:
statement:
- sid: 1-rw-dev
action:
- Function:Read
- Function:Admin
- Secret:Read
effect: Allow
resource: dev:*
Bind a Policy to a Role¶
Next, you need to bind the Policy to a Role.
There are around a dozen different fields available within the GitHub Actions id_token
:
{
"actor": "aidansteele",
"aud": "https://github.com/aidansteele/aws-federation-github-actions",
"base_ref": "",
"event_name": "push",
"exp": 1631672856,
"head_ref": "",
"iat": 1631672556,
"iss": "https://token.actions.githubusercontent.com",
"job_workflow_ref": "aidansteele/aws-federation-github-actions/.github/workflows/test.yml@refs/heads/main",
"jti": "8ea8373e-0f9d-489d-a480-ac37deexample",
"nbf": 1631671956,
"ref": "refs/heads/main",
"ref_type": "branch",
"repository": "aidansteele/aws-federation-github-actions",
"repository_owner": "aidansteele",
"run_attempt": "1",
"run_id": "1235992580",
"run_number": "5",
"sha": "bf96275471e83ff04ce5c8eb515c04a75d43f854",
"sub": "repo:aidansteele/aws-federation-github-actions:ref:refs/heads/main",
"workflow": "CI"
}
Example from: Deploy without credentials with GitHub Actions and OIDC
apiVersion: openfaas.com/v1
kind: Role
metadata:
name: dev-actions-deployer
namespace: openfaas
spec:
policy:
- dev-rw
condition:
StringEqual:
jwt:iss: ["https://token.actions.githubusercontent.com"]
jwt:repository_owner: ["openfaas"]
StringLike:
jwt:ref: ["refs/heads/*"]
The example must match the issuer and organisation name of "openfaas", and can match any branch name.
You could restrict this further by looking at the "actor" for instance.
Finally, you need to apply all of the above objects, and can test it end to end.
See an example GitHub Actions Workflow