Github Actions accesses cloud provider using insecure long-term credentials

Category:

Threat: Compromised credentials

Severity: Medium

Description

In GitHub Actions workflows, long-term credentials (such as access tokens) used to authenticate cloud provider accounts are usually stored in GitHub as secrets.

In the GitHub Free and Team plans, it is not possible to restrict access to stored secrets so that only workflows running from protected branches can read them.

Because long-term credentials are neither bound to a time window nor to a specific workflow run, an attacker who has gained access to the repository can use these secrets to access the cloud service provider account.

Remediation

To reduce the risk associated with using long-term credentials in GitHub Actions workflows, it is recommended to use the OIDC (OpenID Connect) authentication protocol. With OIDC, the workflow requests a short-lived access token directly from the cloud provider, and that token expires automatically when the workflow run ends, so there is no long-lived secret to store in GitHub or to steal from it.
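The following workflow is an added example (not code from the original page or from Cider Security) showing the weak pattern beside the corrected one for AWS. The long-term pattern reads an access key pair from GitHub secrets; the OIDC pattern grants the job the `id-token: write` permission and lets `aws-actions/configure-aws-credentials` exchange GitHub's OIDC JWT for temporary STS credentials. The organization, repository, role name and the account ID `123456789012` are placeholders.

```yaml
# .github/workflows/deploy.yml
# Added example: long-term credentials (weak) vs. OIDC (recommended).
name: deploy

on:
  push:
    branches: [main]

# Minimal token permissions for the whole workflow. `id-token: write` is
# what allows the job to request an OIDC JWT from GitHub; without it the
# credentials action cannot perform the token exchange.
permissions:
  id-token: write
  contents: read

jobs:
  deploy:
    runs-on: ubuntu-latest
    # Binding the job to an environment makes the OIDC `sub` claim
    # `repo:<org>/<repo>:environment:production`, which the cloud-side trust
    # policy can pin to (see the trust policy example).
    environment: production
    steps:
      - uses: actions/checkout@v4

      # WEAK (what this finding flags): a static key pair stored as GitHub
      # secrets. It never expires and is usable by anyone who can read the
      # secrets, from any branch on plans that cannot scope secret access.
      #
      # - uses: aws-actions/configure-aws-credentials@v4
      #   with:
      #     aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
      #     aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
      #     aws-region: us-east-1

      # RECOMMENDED: no stored cloud secret. The action presents GitHub's
      # OIDC token to STS (AssumeRoleWithWebIdentity) and receives
      # credentials that are valid only for the session duration.
      - name: Configure AWS credentials via OIDC
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: arn:aws:iam::123456789012:role/GitHubActionsDeployRole  # placeholder ARN
          aws-region: us-east-1
          # Session name shows up in CloudTrail, tying API calls to a run.
          role-session-name: gha-${{ github.run_id }}

      # Sanity check: prints the assumed-role identity, not an IAM user.
      - run: aws sts get-caller-identity
```

The `permissions` block is easy to miss: if `id-token: write` is absent, the action fails at the token request step rather than silently falling back to a secret, which is the behaviour you want when removing long-lived keys.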

In addition, OIDC allows more granular control over which workflow runs can obtain a token. The cloud provider evaluates claims in the OIDC token, such as the repository, branch or environment that the request originates from, so access can be restricted to, for example, a specific protected branch or deployment environment.
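The cloud-side half of that control is the role's trust policy. The CloudFormation template below is an added example (not from the original page or from Cider Security) that defines the IAM role assumed by the workflow above and pins token issuance to one repository and one environment via the `sub` claim, and to the expected audience via the `aud` claim. It assumes the GitHub OIDC identity provider (`token.actions.githubusercontent.com`) already exists in the account; `example-org/example-repo`, the role name and the attached policy are placeholders.

```yaml
# iam-github-oidc-role.yml (CloudFormation)
# Added example: trust policy restricting which GitHub workflow runs may
# assume the deployment role.
AWSTemplateFormatVersion: "2010-09-09"
Description: Deployment role for GitHub Actions, restricted by OIDC claims

Resources:
  GitHubActionsDeployRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: GitHubActionsDeployRole            # placeholder name
      MaxSessionDuration: 3600                     # credentials live at most 1h
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Action: sts:AssumeRoleWithWebIdentity
            Principal:
              # Existing OIDC provider for GitHub Actions in this account.
              Federated: !Sub arn:aws:iam::${AWS::AccountId}:oidc-provider/token.actions.githubusercontent.com
            Condition:
              StringEquals:
                # Audience requested by aws-actions/configure-aws-credentials.
                token.actions.githubusercontent.com:aud: sts.amazonaws.com
                # Subject claim: only jobs of this repo that run with
                # `environment: production` get a token. Other valid forms:
                #   repo:example-org/example-repo:ref:refs/heads/main   (branch)
                #   repo:example-org/example-repo:pull_request          (PRs)
                token.actions.githubusercontent.com:sub: repo:example-org/example-repo:environment:production
              # AVOID: a broad StringLike such as
              #   token.actions.githubusercontent.com:sub: repo:example-org/*
              # would let any branch of any repo in the org assume the role,
              # recreating the "any branch can reach the cloud" problem.
      ManagedPolicyArns:
        # Placeholder: attach only the permissions the deployment needs.
        - !Sub arn:aws:iam::${AWS::AccountId}:policy/ExampleDeployPolicy
```

One caveat when wiring the two halves together: the `sub` claim value depends on the job's context. A job that sets `environment:` presents `repo:<org>/<repo>:environment:<name>`, not `repo:<org>/<repo>:ref:refs/heads/<branch>`, so a trust policy written for the branch form will reject it (and vice versa). Checking the denied `AssumeRoleWithWebIdentity` events in CloudTrail is the quickest way to see which subject was actually presented.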

In summary, using OIDC can help improve the security of your GitHub Actions workflows and protect against potential vulnerabilities.

Cider Security has been acquired by Palo Alto Networks