GitHub OIDC for Cloud Authentication
GitHub Actions OIDC lets a workflow request a short-lived identity token from GitHub at runtime and exchange it with your cloud provider’s trust policy — so you never store long-lived cloud credentials as secrets.
The workflow side
Section titled “The workflow side”Grant the job permission to request an OIDC token, then use a cloud login action that performs the exchange:
jobs: deploy: runs-on: self-hosted permissions: id-token: write # lets the job request an OIDC token from GitHub contents: read steps: - uses: aws-actions/configure-aws-credentials@v4 with: role-to-assume: arn:aws:iam::123456789012:role/my-ci-role aws-region: us-east-1 - run: aws sts get-caller-identitypermissions: id-token: write is the load-bearing part — without it GitHub won’t
issue the token. Swap the login action for your cloud (GCP and Azure have their
own).
The cloud side
Section titled “The cloud side”You configure the trust relationship on the cloud provider, not in Runaway:
- Register GitHub’s OIDC issuer as a trusted identity provider.
- Scope the trust policy to your repository or organization using the OIDC token’s
audience and subject claims (e.g.
repo:<owner>/<repo>:ref:refs/heads/main), so only your workflows can assume the role.
The exact steps differ per cloud and are well-documented upstream — follow those rather than a copy here:
- GitHub: about security hardening with OpenID Connect
- Your cloud provider’s OIDC federation docs (AWS IAM, GCP Workload Identity Federation, Azure workload identity).
Related
Section titled “Related”- Writing workflows — what else changes on a Runaway runner.
- Scale sets — routing the job to the right pool.