OpenID Connect (OIDC) offers a secure and standardized way to authenticate users, allowing CloudBees workflows to interact with external resources efficiently.
To set up OIDC for use in the CloudBees platform, first establish an identity trust relationship between AWS and CloudBees platform using OIDC, and then create an AWS IAM role with assigned permissions. Then you can configure CloudBees platform workflows to use OIDC tokens.
Add CloudBees as a trusted IdP in AWS
Use OIDC to establish CloudBees as a trusted identity provider (IdP) in AWS.
To add the CloudBees platform as a trusted IdP in AWS:
-
Sign in to your AWS account and go to
. -
Select the OIDC option.
-
Set Provider URL to
https://api.cloudbees.io
. -
Set Audience to
sts.amazonaws.com
. -
Select Get Thumbprint to validate the provider URL and certificate.
-
Select Add provider to complete the setup.
Your AWS account is configured to accept the CloudBees platform as a trusted IdP.
Trust policy considerations
AWS limits the set of claims you can match in your trust policy. Of the keys provided in the Amazon AWS STS condition keys documentation, the following can be used:
-
aud
matches theazp
claim. -
oaud
matches theaud
claim. -
sub
.
CloudBees suggests that the use of the aud
condition is redundant as long as you have a StringEquals
condition on the oaud
key.
Depending on your use case and the granted role permissions, you may not require a sub
condition.
CloudBees strongly recommends:
|
AWS STS condition key | IdP JWT claim | Set by CloudBees | Required in trust policy? |
---|---|---|---|
|
|
|
Use this check to verify that the token issued by CloudBees was issued for use against AWS [1] |
|
|
|
Only required if you want the claim to originate from your platform org. CloudBees strongly recommends this check. |
|
|
Set by CloudBees to refer to the source code repository that the component is pointing to. |
Not required, as you can use |
[1] This is a redundant check, as CloudBees already appends the azp
value to the CloudBees aud
value (so checking oaud
is sufficient).
[2] The organization ID is listed in the Organization profile. Refer to Organizations and sub-organizations for more information.
[3] CloudBees strongly recommends that policies that have mutation permissions are ideally tightly limited to a single repository.
Trust policy examples
Below are examples of appropriate trust policies for use with the platform.
The Condition
block specifies those conditions that are valid for the trust policy.
For exact matches, use the StringEquals
specifier; for partial matches, use the StringLike
specifier.
|
The trust policy example below only allows access if the following criteria are met:
-
Only allow AWS account ID
012345678901
. -
Only allow CloudBees platform root organization ID
1234abcd-56ef78gh-90ij-klmn1234opqr
. -
Only allow the
main
andqc
branches of themy-repo
repository in themy-org
GitHub organization.
In the following condition block example, any branch with a v1.
tag in the my-org
GitHub organization is acceptable:
"Condition": { "StringEquals": { "api.cloudbees.io:oaud": "cbp://1234abcd-56ef78gh-90ij-klmn1234opqr@sts.amazonaws.com" } "StringLike": { "api.cloudbees.io:sub": "provider:github:repo:my-org/*:ref:/refs/tag/v1.*" } }
In the following condition block example, any branch in the my-repo
repository in the my-org
GitHub organization is acceptable:
"Condition": { "StringEquals": { "api.cloudbees.io:oaud": "cbp://1234abcd-56ef78gh-90ij-klmn1234opqr@sts.amazonaws.com" } "StringLike": { "api.cloudbees.io:sub": "provider:github:repo:my-org/my-repo:ref:*" } }
Create an AWS IAM role for CloudBees platform workflows
An appropriate trust policy must be in place to create an AWS IAM role.
To create AWS roles that can be assumed by CloudBees platform workflows using trusted CloudBees platform identity tokens:
-
Sign in to your AWS account and go to
. -
Select Custom trust policy as the trusted entity type.
-
Enter an appropriate trust policy.
-
Select Next and assign the necessary permissions to the role. The permissions can vary depending on the required AWS operations.
Assign permissions to the role
Add additional permissions to the role to allow specific AWS operations. These permissions should be based on your workflow requirements, for example, if you need to access Amazon Elastic Container Registry (ECR) or Simple Storage Service (S3).
CloudBees strongly recommends that you avoid granting broad or unnecessary permissions, particularly administrative access, to your environments. In the event of a security breach, having limited permissions can help mitigate potential damage and demonstrate that appropriate security measures were advised. |
Example workflow using an OIDC token
The following example uses an OIDC token to securely deploy an EC2 binary.
Learn more about modifying the default permissions at jobs.<job_id>.permissions.
You require When permissions are specified at the job level, they override any defaults set at the workflow level.
In order to add |
JSON Web Token claims
Use JSON Web Token (JWT) claims in your OIDC token for fine-grained access control. CloudBees OIDC tokens include JWT claims that can be used to filter trust policies. Example token claims include repository, branch, and workflow context information.
An example of OIDC JWT token claims accepted by CloudBees follows: