75f3cce197
Co-authored-by: isaacmbrown <isaacmbrown@github.com> Co-authored-by: Hector Alfaro <hectorsector@github.com> Co-authored-by: Isaac Brown <101839405+isaacmbrown@users.noreply.github.com> Co-authored-by: hubwriter <hubwriter@github.com> Co-authored-by: Vanessa <vgrl@github.com> Co-authored-by: Christopher Nguyen <91625426+nguyen-dows@users.noreply.github.com> Co-authored-by: Sophie <29382425+sophietheking@users.noreply.github.com> Co-authored-by: Felicity Chapman <felicitymay@github.com> Co-authored-by: Andrew Eisenberg <aeisenberg@github.com> Co-authored-by: Ben Ahmady <32935794+subatoi@users.noreply.github.com> Co-authored-by: Sam Browning <106113886+sabrowning1@users.noreply.github.com> Co-authored-by: David Staheli <1767415+davidstaheli@users.noreply.github.com> Co-authored-by: Sarita Iyer <66540150+saritai@users.noreply.github.com> Co-authored-by: sunbrye <sunbrye@github.com> Co-authored-by: Tim Rogers <timrogers@github.com> Co-authored-by: Felix Guntrip <stevecat@github.com> Co-authored-by: Sunbrye Ly <56200261+sunbrye@users.noreply.github.com> Co-authored-by: James Fletcher <42464962+jf205@users.noreply.github.com> Co-authored-by: Rachael Rose Renk <91027132+rachaelrenk@users.noreply.github.com> Co-authored-by: Jules <19994093+jules-p@users.noreply.github.com> Co-authored-by: Laura Coursen <lecoursen@github.com> Co-authored-by: Jules Porter <jules-p@users.noreply.github.com> Co-authored-by: Devraj Mehta <devm33@github.com> Co-authored-by: Kate Studwell <katestud@github.com> Co-authored-by: Katherine Oelsner <49968061+octokatherine@users.noreply.github.com> Co-authored-by: Rachael Sewell <rachmari@github.com> Co-authored-by: Tim Rogers <me@timrogers.co.uk> Co-authored-by: Arfon Smith <arfon@users.noreply.github.com>
5.4 KiB
title, shortTitle, intro, versions, type, topics, redirect_from
| title | shortTitle | intro | versions | type | topics | redirect_from | |||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Configuring OpenID Connect in JFrog | OpenID Connect in JFrog | Use OpenID Connect within your workflows to authenticate with JFrog. |
|
tutorial |
|
|
Overview
OpenID Connect (OIDC) allows your {% data variables.product.prodname_actions %} workflows to authenticate with JFrog to download and publish artifacts without storing JFrog passwords, tokens, or API keys in {% data variables.product.company_short %}.
This guide gives an overview of how to configure JFrog to trust {% data variables.product.prodname_dotcom %}'s OIDC as a federated identity, and demonstrates how to use this configuration in a {% data variables.product.prodname_actions %} workflow.
For an example {% data variables.product.prodname_actions %} workflow, see Sample {% data variables.product.prodname_actions %} Integration in the JFrog documentation.
For an example {% data variables.product.prodname_actions %} workflow using the JFrog CLI, see build-publish.yml in the jfrog-github-oidc-example repository.
Prerequisites
{% data reusables.actions.oidc-link-to-intro %}
{% data reusables.actions.oidc-security-notice %}
{% data reusables.actions.oidc-on-ghecom %}
-
To be secure, you need to set a Claims JSON in JFrog when configuring identity mappings. For more information, see "AUTOTITLE" and "AUTOTITLE."
For example, you can set
isstohttps://token.actions.githubusercontent.com, and therepositoryto something like "octo-org/octo-repo"`. This will ensure only Actions workflows from the specified repository will have access to your JFrog platform. The following is an example Claims JSON when configuring identity mappings.{ "iss": "https://token.actions.githubusercontent.com", "repository": "octo-org/octo-repo" }
Adding the identity provider to JFrog
To use OIDC with JFrog, establish a trust relationship between {% data variables.product.prodname_actions %} and the JFrog platform. For more information about this process, see OpenID Connect Integration in the JFrog documentation.
- Sign in to your JFrog Platform.
- Configure trust between JFrog and your {% data variables.product.prodname_actions %} workflows.
- Configure identity mappings.
Updating your {% data variables.product.prodname_actions %} workflow
Once you establish a trust relationship between {% data variables.product.prodname_actions %} and the JFrog platform, you can update your {% data variables.product.prodname_actions %} workflow file.
In your {% data variables.product.prodname_actions %} workflow file, ensure you are using the provider name and audience you configured in the JFrog Platform.
The following example uses the placeholder YOUR_PROVIDER_NAME.
- name: Fetch Access Token from Artifactory
id: fetch_access_token
env:
ID_TOKEN: ${{ steps.idtoken.outputs.id_token }}
run: |
ACCESS_TOKEN=$(curl \
-X POST \
-H "Content-type: application/json" \
https://example.jfrog.io/access/api/v1/oidc/token \
-d \
"{\"grant_type\": \"urn:ietf:params:oauth:grant-type:token-exchange\", \"subject_token_type\":\"urn:ietf:params:oauth:token-type:id_token\", \"subject_token\": \"$ID_TOKEN\", \"provider_name\": \"YOUR_PROVIDER_NAME\"}" | jq .access_token | tr -d '"')
echo ACCESS_TOKEN=$ACCESS_TOKEN >> $GITHUB_OUTPUT
The following example shows part of a {% data variables.product.prodname_actions %} workflow file using cURL.
- name: Get ID Token (cURL method)
id: idtoken
run: |
ID_TOKEN=$(curl -sLS -H "User-Agent: actions/oidc-client" -H "Authorization: Bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" \
"${ACTIONS_ID_TOKEN_REQUEST_URL}&audience=jfrog-github" | jq .value | tr -d '"')
echo "ID_TOKEN=${ID_TOKEN}" >> $GITHUB_OUTPUT
Alternatively, you can set the audience as an environment variable using the env context. For more information about the env context, see "AUTOTITLE."
{% data reusables.actions.oidc-deployment-protection-rules %}
jobs:
build:
runs-on: ubuntu-latest
env:
OIDC_AUDIENCE: 'YOUR_AUDIENCE'
Then, in your workflow file, retrieve the value of the variables stored in the env context. The following example uses the env context to retrieve the OIDC audience.
- name: Get ID Token (using env context)
uses: {% data reusables.actions.action-github-script %}
id: idtoken
with:
script: |
const coredemo = require('@actions/core');
let id_token = await coredemo.getIDToken(process.env.OIDC_AUDIENCE);
coredemo.setOutput('id_token', id_token);