Is a GitHub OIDC construct something that could be...
# general
j
Is a GitHub OIDC construct something that could be useful for deploying SST?
f
Hey @Jono Allen, do you mean creating an IAM OIDC identity provider using GitHub? Can you elaborate on the flow you have in mind?
m
I have an OIDC construct for GitHub and LinkedIn with Cognito
r
We're swapping all our access key pairs to GitHub OIDC. Strongly recommended, even if just from a security and maintenance point of view.
AWS SSO + Pipeline OIDC basically means no access keys which is 🥳
m
I was assuming we're talking about Cognito
r
Oops, my bad, I was thinking we were talking about https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services since OP was talking about deployment
m
btw, if you use Bitbucket Pipelines, you can also use OIDC (this was developed almost 1 year ago and it's one of my favorite features): https://support.atlassian.com/bitbucket-cloud/docs/deploy-on-aws-using-bitbucket-pipelines-openid-connect/ and https://aws.amazon.com/blogs/apn/using-bitbucket-pipelines-and-openid-connect-to-deploy-to-amazon-s3/. It's very recommended since you don't have to worry about exposing or rotating your keys. PS: I worked on this feature 😅