
Remove token-based authorization from Pulumi GitHub actions #71

Open
2 tasks
bsweger opened this issue Feb 26, 2025 · 2 comments
Labels: security (Security-related)

bsweger (Collaborator) commented Feb 26, 2025

Last year, Pulumi released a GitHub action that allows authorization to Pulumi via OIDC 🎉

https://www.pulumi.com/blog/oidc-trust-github-action/

Our current Pulumi workflows use my personal Pulumi token stored as a repo secret, so we should switch to OIDC: https://github.com/hubverse-org/hubverse-infrastructure/blob/main/.github/workflows/pulumi_update.yaml#L43

Edit 2025-02-08: To use OIDC at the hubverse organization level, we'd need to upgrade our Pulumi account 😞
So I am updating the title of this ticket to a more general "stop using token-based access in the Pulumi actions".

Definition of done

  • pulumi_update and pulumi_preview workflows no longer require secrets.BSWEGER_PULUMI_DEMO for Pulumi authentication
  • README.md is updated with information that explains how the Pulumi authentication works
bsweger self-assigned this Feb 26, 2025
bsweger added the security (Security-related) label Feb 26, 2025
bsweger moved this from Todo to In Progress in hubverse Development overview Feb 27, 2025
bsweger (Collaborator, Author) commented Feb 27, 2025

I went down the road of setting up an OIDC issuer in Pulumi, and it will only let us create OIDC issuers at the individual level (because our account type doesn't permit teams 😞 )

I didn't bother trying this with my personal account, because it's admin/write, and we don't want that level of access in the pull request "pulumi preview" workflow.

We could create generic "preview" and "update" Pulumi accounts, set up OIDC issuers for each one, and use those in the GitHub actions. But we'd still have the problem of needing to update the passwords for those accounts when someone leaves.

I'll try the Pulumi GitHub app next.

bsweger changed the title from "Update pulumi GitHub actions to authenticate via OIDC instead of secret token" to "Remove token-based authorization from Pulumi GitHub actions" Feb 28, 2025
bsweger (Collaborator, Author) commented Mar 4, 2025

Using Pulumi's GitHub app looks promising. We currently use a Pulumi GitHub action that essentially allows us to interact with Pulumi via its CLI commands (e.g., pulumi preview, pulumi up).

An alternate way to manage AWS resources via CI/CD is to create a Pulumi deployment for the Hubverse.

When setting up the deployment, we can configure OIDC to assume the AWS hubverse-infrastructure-write-role already in place (we would have to add a trust policy to that role before the Pulumi action is allowed to assume it).

The setup steps would be something like:

  • Done: Add the Pulumi GitHub app to hubverse-org
  • In AWS: add an OIDC identity provider for Pulumi
  • In AWS: add a trust policy to the existing hubverse-infrastructure-write-role that would allow the Pulumi GitHub app to assume it
  • In Pulumi: create a deployment and tell Pulumi to configure the hubverse-infrastructure-write-role (see screenshot)

[Screenshot referenced above: Pulumi deployment settings for the hubverse-infrastructure-write-role]

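The step in the comment above that carries the security risk is the trust policy on hubverse-infrastructure-write-role: once AWS trusts the Pulumi OIDC provider, the trust policy's Condition block is the only thing that decides which Pulumi organization, stack and operation may assume the role. The following is an added example, not code from the hubverse-infrastructure repository or from Pulumi. It builds a weak trust policy (provider trusted with no conditions) next to a hardened one pinned to one org, project, stack and operation, then evaluates sample token claims against both. Assumptions, to be checked against Pulumi's OIDC documentation before use: the IAM OIDC provider is created for issuer https://api.pulumi.com/oidc, so the condition keys are api.pulumi.com/oidc:aud and api.pulumi.com/oidc:sub; Pulumi sets aud to the organization name and sub to pulumi:deploy:org:<org>:project:<project>:stack:<stack>:operation:<operation>:scope:write. The account ID, organization, project and stack names are placeholders.

```python
"""Trust-policy check for a Pulumi Deployments OIDC identity assuming an IAM role.

Added example; not the hubverse-infrastructure project's code nor Pulumi's.
Assumed claim layout (verify against Pulumi docs): aud = Pulumi org name,
sub = pulumi:deploy:org:<org>:project:<project>:stack:<stack>:operation:<op>:scope:write
"""
import fnmatch
import json

PULUMI_OIDC_HOST = "api.pulumi.com/oidc"      # assumed issuer host for Pulumi Deployments
ACCOUNT_ID = "123456789012"                   # placeholder AWS account
ROLE_NAME = "hubverse-infrastructure-write-role"
PROVIDER_ARN = f"arn:aws:iam::{ACCOUNT_ID}:oidc-provider/{PULUMI_OIDC_HOST}"
ASSUME = "sts:AssumeRoleWithWebIdentity"


def weak_trust_policy():
    """Trusts every token issued by the Pulumi provider: any Pulumi customer's
    deployment could assume the role. This is the setting to avoid."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": PROVIDER_ARN},
        "Action": ASSUME,
    }]}


def hardened_trust_policy(org, project, stack, operation):
    """Pins the trust to one org (aud) and one project/stack/operation (sub)."""
    sub = (f"pulumi:deploy:org:{org}:project:{project}:stack:{stack}"
           f":operation:{operation}:scope:write")
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": PROVIDER_ARN},
        "Action": ASSUME,
        "Condition": {
            "StringEquals": {f"{PULUMI_OIDC_HOST}:aud": org},
            "StringLike": {f"{PULUMI_OIDC_HOST}:sub": sub},
        },
    }]}


def _condition_matches(condition, claims):
    """Evaluate the IAM operators used above. IAM StringLike supports only
    '*' and '?'; fnmatchcase also accepts '[...]', which is fine for our patterns."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = claims.get(key.split(":", 1)[1])   # "host:aud" -> "aud"
            values = expected if isinstance(expected, list) else [expected]
            if operator == "StringEquals":
                ok = actual in values
            elif operator == "StringLike":
                ok = actual is not None and any(fnmatch.fnmatchcase(actual, p) for p in values)
            else:
                raise ValueError(f"unsupported operator {operator}")
            if not ok:
                return False
    return True


def can_assume(policy, claims):
    """Would a token from the Pulumi provider carrying `claims` be allowed to assume the role?"""
    for stmt in policy["Statement"]:
        actions = [stmt["Action"]] if isinstance(stmt["Action"], str) else stmt["Action"]
        if (stmt.get("Effect") == "Allow"
                and stmt["Principal"].get("Federated") == PROVIDER_ARN
                and ASSUME in actions
                and _condition_matches(stmt.get("Condition", {}), claims)):
            return True
    return False


def audit(policy):
    """List statements that trust the Pulumi provider without pinning both aud and sub."""
    findings = []
    for i, stmt in enumerate(policy["Statement"]):
        if stmt.get("Principal", {}).get("Federated") != PROVIDER_ARN:
            continue
        keys = {k for pairs in stmt.get("Condition", {}).values() for k in pairs}
        missing = {f"{PULUMI_OIDC_HOST}:aud", f"{PULUMI_OIDC_HOST}:sub"} - keys
        if missing:
            findings.append(f"statement {i}: no condition on {sorted(missing)}")
    return findings


if __name__ == "__main__":
    policy = hardened_trust_policy("hubverse-org", "hubverse-infrastructure", "prod", "update")
    print(json.dumps(policy, indent=2))   # paste into the role's trust relationship
    print("audit of weak policy:", audit(weak_trust_policy()))
```

Because the subject claim carries the operation, a role used only by `pulumi up` can be pinned to `operation:update`; a preview-only deployment then fails the trust check rather than inheriting write access, which is the separation the earlier comment asked for.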