Document id-token permission #14626
Comments
Thanks for opening this issue. A GitHub docs team member should be by to give feedback soon. In the meantime, please check out the contributing guidelines.
@danielcompton
To generate an OIDC id-token from a GitHub workflow it requires write permissions on

Thanks @danielcompton for reporting this. We will add the above context to our docs to make this more clear.
Thanks @N-Usha! What does it mean to have
It just means that OIDC tokens can't be generated in that workflow. And we made that the default as we wanted to make OIDC an opt-in feature, where workflows which need OIDC to be used for authentication purposes need to explicitly set the bit to
Thanks for the clarification. Sorry to belabour the point, but what is the difference then between
Thanks @lucascosti, it's still not clear to me what the difference is between
Sorry, @danielcompton; I have a guess, but rather than potentially give out the wrong info, I'll let @N-Usha clarify 🙂
@N-Usha would you be able to help clarify what the difference is between
@N-Usha are you able to help with this? I'm still not sure what the security differences are between a workflow having
Apologies for the delayed response on this. @danielcompton - There is no difference between a workflow having id-token: read and id-token: none.
Please confirm if that clarifies your query. Thanks
Thanks @N-Usha, that's exactly what I was after!
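To make the maintainer's answer concrete, here is a workflow that applies it: OIDC stays off for every job by default and is opted in for exactly one job, with a step that checks the opt-out actually holds. This is an added example written for this page, not code from the issue or from GitHub's documentation; the job names, the trigger choice and the `sts.amazonaws.com` audience are assumptions, and the env vars and JSON response shape are those of the Actions runner's token endpoint.

```yaml
# Added example (not from the issue or GitHub's docs): opt in to OIDC for a
# single job, following the explanation that `id-token: read` is the same as
# `none` and only `id-token: write` lets a job mint a token.
name: oidc-least-privilege

on:
  pull_request:
  push:
    branches: [main]

# Workflow-level default. Listing `permissions` at all resets every
# unlisted scope to none; `id-token: none` is spelled out for readers.
permissions:
  contents: read
  id-token: none

jobs:
  test:
    # Inherits the workflow-level permissions, so it cannot request a token.
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Confirm OIDC is unavailable in this job
        run: |
          # The runner only injects ACTIONS_ID_TOKEN_REQUEST_URL and
          # ACTIONS_ID_TOKEN_REQUEST_TOKEN when the job has id-token: write.
          if [ -n "${ACTIONS_ID_TOKEN_REQUEST_URL:-}" ]; then
            echo "unexpected: token request URL present without id-token: write" >&2
            exit 1
          fi
          echo "OIDC not available here, as intended"

  deploy:
    # The only job allowed to mint an OIDC token, and only on pushes to main,
    # never for a pull_request event (where PR-driven runs, including
    # automated ones, would otherwise land).
    if: github.event_name == 'push'
    needs: test
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write
    steps:
      - uses: actions/checkout@v4
      - name: Inspect the identity claims the token carries (token itself not printed)
        run: |
          # Request a token for the audience the relying party expects
          # (audience value is an assumption for this example). The endpoint
          # answers with JSON of the form {"value": "<jwt>"}.
          token="$(curl -sSf -H "Authorization: bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" \
            "${ACTIONS_ID_TOKEN_REQUEST_URL}&audience=sts.amazonaws.com" | jq -r '.value')"
          # Decode only the payload segment (base64url, unpadded) so the claims a
          # cloud trust policy will match on can be checked in the log.
          seg="$(printf '%s' "$token" | cut -d. -f2 | tr '_-' '/+')"
          while [ $(( ${#seg} % 4 )) -ne 0 ]; do seg="${seg}="; done
          printf '%s' "$seg" | base64 -d | jq '{aud, sub, repository, ref, event_name}'
```

The first job is the check a reviewer would want: if the request URL ever shows up in a job that did not ask for `id-token: write`, the permissions block is not doing what the file says. The second job prints the `sub`, `repository` and `ref` claims because those are what a cloud-side trust policy should be pinned to; granting `id-token: write` is only half of the configuration, the relying party still decides which of these identities it accepts.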
This is a closed issue, but I'm struggling to understand what the word "write" means here. Why is the permission called "write"? Is something being written? If so, what and by whom? Or is the permission called "write" for some other reason (e.g., something historical, referential, or arcane)? It'd be great to explain this just a tiny bit more.
I am quite curious how it comes that this is closed when this tag has zero documentation.
Fwiw I couldn't even figure out that this permission scope had something to do with OIDC. Had to google it and find this issue.
What article on docs.github.com is affected?
https://docs.github.com/en/actions/security-guides/automatic-token-authentication
What part(s) of the article would you like to see updated?
I'm looking into setting up OIDC authentication with GitHub Actions and am wanting to understand how the `id-token` permission works. I couldn't find much documentation about it, other than documentation saying to set it to `write`, e.g. https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services#adding-permissions-settings.

The automatic token authentication article talks about `id-token` and that the "Maximum access by forked repos" is `read`. What does it mean to have `read` access to the `id-token`? What are the minimum permissions needed to use OIDC? Specifically, can a PR opened by Dependabot obtain OIDC credentials?
Additional information
No response