OpenID Connect Trust Relationships for Pulumi Cloud


We are excited to introduce a powerful addition to Pulumi’s authentication capabilities: OpenID Connect (OIDC) Trust Relationships. This feature makes it easy to integrate Pulumi securely into any ecosystem that supports OIDC. By incorporating OIDC, Pulumi is not only extending its compatibility with a broader range of environments but also reinforcing its commitment to delivering top-tier, secure, and scalable solutions to developers and enterprises alike. Whether you are working within CI/CD pipelines or engaging directly with cloud services, this new feature ensures that your infrastructure management is more secure, efficient, and aligned with industry best practices.

Addressing the “Secret Zero” Challenge

Many platforms face the “secret zero” challenge: somewhere in the chain they require a static, long-lived access token, and that token is the weak link. Managing long-lived access tokens has always been a challenge for developers. Often those secrets are set and forgotten, leaving the team to scramble when it comes time to rotate them, so in practice they are rotated rarely. The long-lived token becomes a weak point in the overall security posture as well as a hassle for developers. With OIDC Trust Relationships, we’re tackling the “secret zero” challenge head-on: a token issued by your platform’s OIDC provider is exchanged for a short-lived Pulumi token. This enhances security and simplifies token management.

Simplified Authentication

OIDC Trust simplifies the authentication process by allowing you to securely request dynamic credentials for Pulumi using your preferred OIDC provider. OIDC is supported across many popular CI/CD systems, such as GitHub, GitLab, Circle CI, and more. In addition, OIDC can be used from within most cloud providers, such as AWS, Azure, GCP, and more.

Enhanced Security with Policy Controls

When you set up an OIDC Trust in Pulumi Cloud, you can set policies that deny or approve token exchanges based on the issuer, the subject, or additional claims. We support wildcard matching, so simple policies can express complex authorization scenarios. Depending on your policy, the exchange can issue a token scoped to an organization, a team, or personal access.

Seamless Integration with Pulumi ESC

OIDC Trust integrates seamlessly with Pulumi ESC, providing a comprehensive solution for managing infrastructure and access to secrets and configuration. You can now exchange your native GitHub token for a short-lived Pulumi token, and ESC will in turn exchange that for a cloud token through an ESC environment.

Demo

In this demo, we are going to use GitHub Actions to retrieve Pulumi credentials and use them to list all the Pulumi ESC environments in our organization.

  1. Go to the OIDC Issuers page.
  2. Register an issuer, giving it a name and an optional maximum token expiration. Enter the GitHub Actions issuer URL https://token.actions.githubusercontent.com.
  3. Add a policy to allow the OIDC exchange, and configure the audience (aud) and subject (sub) for your organization and repositories. In the demo, we are using:
     • Aud: https://github.com/organization
     • Sub: repo:organization/repo:*
  4. Create a GitHub Actions workflow. Here is sample code. Make sure to substitute your organization’s name in the audience of the fetch pulumi token step.
```yaml
name: Pulumi ESC List Environments
on:
  workflow_dispatch:

# id-token: write is what allows the job to request a GitHub OIDC ID token
permissions:
  id-token: write
  contents: read

jobs:
  run_cron_job:
    runs-on: ubuntu-20.04
    timeout-minutes: 30

    steps:
      - name: Checkout repo
        uses: actions/checkout@v3

      - name: Install pulumi
        uses: pulumi/actions@v4

      - name: Install deps
        run: yarn

      # Ask GitHub for an OIDC ID token. With no explicit audience parameter
      # the token's aud claim defaults to https://github.com/<owner>, which is
      # the audience the issuer policy above expects.
      - name: fetch gh token
        run: |
          OIDC_GH_TOKEN=$(curl -sS -H "Authorization: bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" "$ACTIONS_ID_TOKEN_REQUEST_URL" | jq -r '.value')
          echo "::add-mask::$OIDC_GH_TOKEN"
          echo "OIDC_GH_TOKEN=$OIDC_GH_TOKEN" >> "$GITHUB_ENV"

      # RFC 8693 token exchange: trade the GitHub ID token for a short-lived
      # Pulumi access token scoped to the organization. Replace arun-test with
      # your organization name. The ID token is read from the environment
      # rather than interpolated into the script with ${{ }}.
      - name: fetch pulumi token
        run: |
          PULUMI_ACCESS_TOKEN=$(curl -sS -X POST \
            -H 'Content-Type: application/x-www-form-urlencoded' \
            -d 'audience=urn:pulumi:org:arun-test' \
            -d 'grant_type=urn:ietf:params:oauth:grant-type:token-exchange' \
            -d 'subject_token_type=urn:ietf:params:oauth:token-type:id_token' \
            -d 'requested_token_type=urn:pulumi:token-type:access_token:organization' \
            -d "subject_token=$OIDC_GH_TOKEN" \
            https://api.pulumi.com/api/oauth/token | jq -r '.access_token')
          echo "::add-mask::$PULUMI_ACCESS_TOKEN"
          echo "PULUMI_ACCESS_TOKEN=$PULUMI_ACCESS_TOKEN" >> "$GITHUB_ENV"

      - name: Login to Pulumi
        run: pulumi login
        env:
          PULUMI_ACCESS_TOKEN: ${{ env.PULUMI_ACCESS_TOKEN }}

      - name: List all Pulumi ESC Environments
        run: pulumi env ls
```
  5. Go to the GitHub Actions page and run the workflow you just created.
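To make the policy evaluation described under “Enhanced Security with Policy Controls” and the Aud/Sub values used in the demo concrete, here is an added Python example. It is not Pulumi Cloud’s code: the policy shape (issuer, audience, subject pattern, token_type), the helper names, and the sample claims are assumptions for illustration, with the aud and sub values mirroring the demo. It models the checks a relying party applies to a GitHub Actions ID token before agreeing to a token exchange: issuer and audience must match exactly, the token must not be expired, and the subject is matched against a wildcard pattern such as repo:organization/repo:*. Signature verification against the issuer’s JWKS, which a real relying party must do before trusting any claim, is deliberately left out so the example runs offline.

```python
"""Model of the checks an OIDC trust policy applies before a token exchange.

Added example, not Pulumi Cloud's implementation. The policy shape and helper
names are assumptions; aud and sub mirror the demo. Signature verification
against the issuer's published JWKS is omitted and must be done in practice.
"""
import base64
import json
import time
from fnmatch import fnmatchcase

GITHUB_ISSUER = "https://token.actions.githubusercontent.com"

# Trust policy mirroring the demo: GitHub Actions issuer, the organization's
# default audience, and any workflow run in organization/repo (wildcard sub).
DEMO_POLICY = {
    "issuer": GITHUB_ISSUER,
    "audience": "https://github.com/organization",
    "subject": "repo:organization/repo:*",
    "token_type": "organization",  # scope of the Pulumi token to issue
}

# Constructed claims shaped like a GitHub Actions ID token (not a real token).
SAMPLE_CLAIMS = {
    "iss": GITHUB_ISSUER,
    "aud": "https://github.com/organization",
    "sub": "repo:organization/repo:ref:refs/heads/main",
    "repository": "organization/repo",
    "iat": 1_700_000_000,
    "exp": 1_700_000_300,
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_unsigned_jwt(claims: dict) -> str:
    """Build an unsigned (alg=none) compact JWT for local testing only."""
    def enc(obj) -> str:
        return _b64url(json.dumps(obj, separators=(",", ":")).encode())
    header = {"alg": "none", "typ": "JWT"}
    return f"{enc(header)}.{enc(claims)}."


def decode_claims(jwt: str) -> dict:
    """Return the payload of a compact JWT. The signature is NOT checked here."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(_b64url_decode(parts[1]))


def evaluate_policy(claims: dict, policy: dict, now=None) -> tuple:
    """Decide whether an ID token may be exchanged under `policy`.

    Returns (allowed, reason). Checks run deny-first so the first failing
    claim is reported. Subject matching uses shell-style wildcards, so
    'repo:organization/repo:*' covers every ref and environment of that
    repository but nothing in another repository or organization.
    """
    now = time.time() if now is None else now
    if claims.get("iss") != policy["issuer"]:
        return False, "issuer mismatch"
    aud = claims.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]
    if policy["audience"] not in aud_list:
        return False, "audience mismatch"
    exp = claims.get("exp")
    if exp is None or exp <= now:
        return False, "token expired or missing exp"
    if not fnmatchcase(claims.get("sub", ""), policy["subject"]):
        return False, "subject does not match policy"
    return True, f"issue {policy['token_type']}-scoped token"


if __name__ == "__main__":
    token = make_unsigned_jwt(SAMPLE_CLAIMS)
    print(evaluate_policy(decode_claims(token), DEMO_POLICY, now=1_700_000_000))
    foreign = dict(SAMPLE_CLAIMS, sub="repo:other-org/repo:ref:refs/heads/main")
    print(evaluate_policy(foreign, DEMO_POLICY, now=1_700_000_000))
```

The subject pattern is the part worth attention: a wildcard after the repository name admits every branch, tag, and environment of that repository, so a policy intended for deployments from one branch should pin the ref (for example repo:organization/repo:ref:refs/heads/main) rather than rely on the trailing wildcard.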

Next steps