Document id-token permission
#14626
Comments
Thanks for opening this issue. A GitHub docs team member should be by to give feedback soon. In the meantime, please check out the contributing guidelines.

@danielcompton

To generate an OIDC id-token from a GitHub workflow it requires write permissions on Thanks @danielcompton for reporting this. We will add the above context to our docs to make this more clear.

Thanks @N-Usha! What does it mean to have

It just means that OIDC tokens can't be generated in that workflow. And we made that the default as we wanted to make OIDC an opt-in feature, where workflows which need OIDC to get used for authentication purposes need to explicitly set the bit to

Thanks for the clarification. Sorry to belabour the point, but what is the difference then between

Thanks @lucascosti, it's still not clear to me what the difference is between

Sorry, @danielcompton; I have a guess, but rather than potentially give out the wrong info, I'll let @N-Usha clarify.

@N-Usha would you be able to help clarify what the difference is between

@N-Usha are you able to help with this? I'm still not sure what the security differences are between a workflow having

Apologies for the delayed response on this. @danielcompton - There is no difference between a workflow having id-token: read and id-token: none.
Please confirm if that clarifies your query. Thanks.

Thanks @N-Usha, that's exactly what I was after!
What article on docs.github.com is affected?
https://docs.github.com/en/actions/security-guides/automatic-token-authentication
What part(s) of the article would you like to see updated?
I'm looking into setting up OIDC authentication with GitHub Actions and am wanting to understand how the `id-token` permission works. I couldn't find much documentation about it, other than documentation saying to set it to `write`, e.g. https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services#adding-permissions-settings.

The automatic token authentication article talks about `id-token` and that the "Maximum access by forked repos" is `read`. What does it mean to have `read` access to the `id-token`? What are the minimum permissions needed to use OIDC? Specifically, can a PR opened by Dependabot obtain OIDC credentials?
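As an added example that is not part of this issue or of GitHub's documentation, the workflow below grants a job only what it needs to mint an OIDC token and fails fast, with a clear message, when the permission is absent. The role ARN, region and audience value are placeholders:

```yaml
# Added example, not from the issue or GitHub's docs. Assumptions: only the
# deploy job needs an OIDC token; ROLE_ARN, region and audience are placeholders.
name: deploy
on:
  push:
    branches: [main]

jobs:
  deploy:
    runs-on: ubuntu-latest
    # Declaring a permissions block sets every permission NOT listed to none,
    # so these two lines are the whole GITHUB_TOKEN scope for this job.
    permissions:
      id-token: write   # write is required to mint a token; read behaves like none
      contents: read    # checkout only
    steps:
      - uses: actions/checkout@v4

      # The runner exposes ACTIONS_ID_TOKEN_REQUEST_URL and
      # ACTIONS_ID_TOKEN_REQUEST_TOKEN only when id-token is write. On a
      # pull_request from a fork the permission is capped at read, so this
      # guard turns a silent misconfiguration into an explicit failure.
      - name: Verify OIDC is available
        run: |
          if [ -z "${ACTIONS_ID_TOKEN_REQUEST_URL:-}" ]; then
            echo "::error::id-token: write is not granted to this job"
            exit 1
          fi
          # Same request a custom action would make; only the claim count is
          # logged, never the token itself.
          curl -sSf -H "Authorization: bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" \
            "$ACTIONS_ID_TOKEN_REQUEST_URL&audience=my-cloud-audience" \
            | jq -r '.value' | cut -d. -f2 | base64 -d 2>/dev/null \
            | jq 'keys | length' | sed 's/^/claims in token: /'

      # Placeholder role; the cloud side must still restrict the trust policy
      # to this repository and branch via the token's sub/repository claims.
      - uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: arn:aws:iam::123456789012:role/ROLE_ARN_PLACEHOLDER
          aws-region: us-east-1
```

Omitting the permissions block entirely falls back to the repository's default GITHUB_TOKEN permissions, which do not include id-token: write, so the guard step would fail there too.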