Open ID Connect (OIDC) for GHEC Audit Log Streaming to Azure Blob Storage #581

Closed as not planned
@github-product-roadmap

Description

Summary

Today, GitHub’s audit log streaming feature requires you to store cloud credentials in GitHub when configuring a stream. Going forward, audit log streaming will support OpenID Connect (OIDC) for streaming partners. OIDC allows the use of short-lived tokens that are automatically rotated for each stream configuration, so no long-lived secret has to be held by GitHub.

Intended Outcome

  • With the new OpenID Connect (OIDC) support, you can stream to one of our five streaming partners without storing a static credential
  • The OpenID token exchange eliminates the need to store any long-lived cloud secrets in GitHub
  • Enterprise owners can use their cloud provider’s own access controls (role assignment and scoping) to grant the stream the minimum access it needs to cloud resources

How will it work?

OIDC will establish an identity layer between GitHub and Azure for the purpose of authenticating GitHub when it streams audit log events to a specified Azure blob. Enterprise owners will establish trust with the GitHub audit log application in Azure and assign that application a role with write permissions on the Azure blob. When GitHub streams events via audit log streaming, it will authenticate to the cloud role as the GitHub audit log identity using short-lived tokens, rather than a stored secret.

Labels
  • Enterprise
  • Product SKU: GitHub Enterprise
  • audit logs
  • Feature: GitHub audit logs
  • preview
  • Feature phase: Preview