Overview

Goal: obtain temporary cloud credentials at pipeline run time through OIDC, so that no long-lived access keys are stored in the repository and every deployment is traceable to a workflow run. This applies to AWS, GCP and Azure deployment scenarios as a replacement for static keys; the walkthrough below uses AWS.

Core setup and walkthrough

AWS IAM role trust policy (allows the GitHub OIDC provider to assume the role):

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::123456789012:oidc-provider/token.actions.githubusercontent.com"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "token.actions.githubusercontent.com:aud": "sts.amazonaws.com",
          "token.actions.githubusercontent.com:sub": "repo:org/repo:ref:refs/heads/main"
        }
      }
    }
  ]
}
```

The `aud` value `sts.amazonaws.com` is the audience that `aws-actions/configure-aws-credentials` requests by default. The `sub` value pins the role to workflow runs triggered on `refs/heads/main` of `org/repo`; because the operator is `StringEquals`, a run on any other branch, on a pull request, or from any other repository is denied by `AssumeRoleWithWebIdentity`.

GitHub Actions workflow (obtain temporary credentials and deploy):

```yaml
name: deploy
on:
  push:
    branches: [ main ]
jobs:
  deploy:
    runs-on: ubuntu-latest
    permissions:
      id-token: write
      contents: read
    steps:
      - uses: actions/checkout@v4
      - uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: arn:aws:iam::123456789012:role/gha-deploy-role
          aws-region: us-east-1
      - run: aws sts get-caller-identity
      - run: aws s3 sync dist s3://my-bucket/app/
```

Example least-privilege permission policy attached to the role:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:PutObject", "s3:ListBucket"],
      "Resource": ["arn:aws:s3:::my-bucket", "arn:aws:s3:::my-bucket/*"]
    }
  ]
}
```

`aws s3 sync` needs `s3:ListBucket` on the bucket and `s3:PutObject` on the objects; if you run it with `--delete`, it also needs `s3:DeleteObject`. The statement above grants both actions on both ARNs for brevity; splitting it into one statement for `s3:ListBucket` on the bucket ARN and one for `s3:PutObject` on `arn:aws:s3:::my-bucket/app/*` restricts uploads to the prefix the workflow actually writes.

Branch and environment restriction:

- In `Condition`, constrain `sub` to the target branch or environment workflow so the role cannot be assumed from other contexts. GitHub issues the subject as `repo:org/repo:ref:refs/heads/<branch>` for a branch push, `repo:org/repo:ref:refs/tags/<tag>` for a tag, `repo:org/repo:pull_request` for `pull_request` events, and `repo:org/repo:environment:<name>` for jobs that declare an `environment:`. Trust a production role only from `main` or from the `prod` environment, not from `pull_request`.

Verification and monitoring

Identity check: after the workflow runs, the `aws sts get-caller-identity` step prints the temporary identity, an ARN of the form `arn:aws:sts::123456789012:assumed-role/gha-deploy-role/<session-name>` rather than an IAM user. In CloudTrail, look for the `AssumeRoleWithWebIdentity` event followed by the S3 operations. Note that object-level S3 calls such as `PutObject` are data events, which CloudTrail records only if data events are enabled for the bucket; a trail that logs management events alone shows the role assumption but not the uploads.

Security boundary: confirm that the `Federated` principal in the trust policy matches the OIDC provider registered in IAM for `token.actions.githubusercontent.com`, and that the permission policy allows only the operations the deployment needs.

Evidence and audit: correlate the workflow run ID with the CloudTrail events for end-to-end traceability. Setting `role-session-name: gha-${{ github.run_id }}` on the `configure-aws-credentials` step puts the run ID into the STS session name, so it appears in the assumed-role ARN of every CloudTrail event the session performs.

Common pitfalls

- The `id-token` permission is not granted, so the workflow cannot request an OIDC token; set `id-token: write` in the workflow or job `permissions` block. Declaring `permissions` resets all other scopes, which is why `contents: read` must be listed for `actions/checkout` to work.
- The trust policy `sub` condition is too broad (for example `StringLike` with `repo:org/*` or `repo:org/repo:*`); pin it to the repository and to the branch or environment.
- Long-lived access keys are still stored in repository secrets; remove them, deactivate the corresponding IAM access keys, and switch to OIDC temporary credentials.

Closing

Federating GitHub OIDC to a cloud role gives keyless deployment that improves security and compliance; combined with least privilege and auditing, it delivers a trustworthy release path.
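To make the "sub too broad" pitfall concrete, here is an added example (not code from the post, GitHub or AWS) that evaluates which GitHub OIDC `sub` claims a trust policy would accept. It models only the IAM condition operators the post's policy uses (`StringEquals`, plus `StringLike` for the wildcard variant) on the `token.actions.githubusercontent.com:aud` and `:sub` keys, so it is a review aid, not a reimplementation of IAM. Both policies and the sample subjects are constructed inline.

```python
"""Which GitHub OIDC `sub` claims would an IAM trust policy accept?

Added example; approximates IAM evaluation for the StringEquals and
StringLike operators on the GitHub provider's aud/sub condition keys.
"""
import json
import re

ISSUER = "token.actions.githubusercontent.com"
PROVIDER_ARN = f"arn:aws:iam::123456789012:oidc-provider/{ISSUER}"

# The post's trust policy: StringEquals pins sub to one repo and one branch.
NARROW_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": PROVIDER_ARN},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {"StringEquals": {
            f"{ISSUER}:aud": "sts.amazonaws.com",
            f"{ISSUER}:sub": "repo:org/repo:ref:refs/heads/main",
        }},
    }],
})

# The pitfall: a StringLike wildcard that also admits feature branches,
# pull requests and every environment of the same repository.
WIDE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": PROVIDER_ARN},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {
            "StringEquals": {f"{ISSUER}:aud": "sts.amazonaws.com"},
            "StringLike": {f"{ISSUER}:sub": "repo:org/repo:*"},
        },
    }],
})

# Constructed sub claims in the formats GitHub issues for different triggers.
SAMPLE_SUBJECTS = [
    "repo:org/repo:ref:refs/heads/main",        # push to main
    "repo:org/repo:ref:refs/heads/feature-x",   # push to another branch
    "repo:org/repo:pull_request",               # pull_request event
    "repo:org/repo:environment:prod",           # job declaring environment: prod
    "repo:org/other-repo:ref:refs/heads/main",  # a different repository
]


def _string_like(pattern, value):
    """IAM StringLike: '*' matches any run of characters, '?' exactly one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, value) is not None


def _condition_holds(operator, expected, actual):
    values = expected if isinstance(expected, list) else [expected]  # list means OR
    if operator == "StringEquals":
        return actual in values
    if operator == "StringLike":
        return any(_string_like(v, actual) for v in values)
    raise ValueError(f"operator not modelled here: {operator}")


def statement_allows(statement, claims):
    """True if one Allow statement admits a token carrying these claims."""
    if statement.get("Effect") != "Allow":
        return False
    actions = statement.get("Action", [])
    actions = actions if isinstance(actions, list) else [actions]
    if "sts:AssumeRoleWithWebIdentity" not in actions:
        return False
    # The federated principal must be the GitHub provider registered in IAM.
    principal = statement.get("Principal")
    federated = principal.get("Federated", "") if isinstance(principal, dict) else ""
    if not federated.endswith("/" + ISSUER):
        return False
    for operator, keys in statement.get("Condition", {}).items():
        for key, expected in keys.items():
            if not key.startswith(ISSUER + ":"):
                return False  # a key for another provider never matches this token
            claim = key[len(ISSUER) + 1:]
            if not _condition_holds(operator, expected, claims.get(claim, "")):
                return False
    return True


def accepted_subjects(policy_json, subjects, aud="sts.amazonaws.com"):
    """Return the subset of `subjects` that the policy lets assume the role."""
    statements = json.loads(policy_json)["Statement"]
    return [sub for sub in subjects
            if any(statement_allows(s, {"aud": aud, "sub": sub}) for s in statements)]


if __name__ == "__main__":
    for name, policy in (("narrow", NARROW_POLICY), ("wide", WIDE_POLICY)):
        print(name, accepted_subjects(policy, SAMPLE_SUBJECTS))
```

Run it against a candidate policy before attaching it to a role: the narrow policy accepts only the `main` subject, while the wildcard version accepts the feature branch, the pull request and the `prod` environment as well, which is exactly the over-scoping the pitfalls section warns about.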
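The evidence-and-audit step above says to correlate a workflow run with its CloudTrail events. The following added example (not the post's code, nor an AWS tool) shows the join logic. It assumes the `configure-aws-credentials` step sets `role-session-name: gha-${{ github.run_id }}` so the run ID becomes the STS session name, and the event records are constructed by hand in the shape of CloudTrail records (`eventName`, `eventSource`, `requestParameters`, `responseElements`, `userIdentity`); none of them is real account data.

```python
"""Attribute CloudTrail events to one GitHub Actions run.

Added example. Finds the AssumeRoleWithWebIdentity event whose session name
carries the run ID, takes the temporary access key ID it issued, and then
collects every later event made with that key.
"""

ACCOUNT = "123456789012"
ROLE_ARN = f"arn:aws:iam::{ACCOUNT}:role/gha-deploy-role"
SESSION_ARN = f"arn:aws:sts::{ACCOUNT}:assumed-role/gha-deploy-role/gha-9876543210"

# Constructed records: one role assumption for run 9876543210, two calls made
# with the credentials it issued, and one event from a different session that
# must not be attributed to this run.
SAMPLE_EVENTS = [
    {
        "eventTime": "2024-05-01T10:00:01Z",
        "eventSource": "sts.amazonaws.com",
        "eventName": "AssumeRoleWithWebIdentity",
        "requestParameters": {"roleArn": ROLE_ARN, "roleSessionName": "gha-9876543210"},
        "responseElements": {
            "credentials": {"accessKeyId": "ASIAEXAMPLE000000001",
                            "expiration": "2024-05-01T11:00:01Z"},
            "assumedRoleUser": {"arn": SESSION_ARN},
        },
    },
    {
        "eventTime": "2024-05-01T10:00:05Z",
        "eventSource": "sts.amazonaws.com",
        "eventName": "GetCallerIdentity",
        "userIdentity": {"type": "AssumedRole",
                         "accessKeyId": "ASIAEXAMPLE000000001", "arn": SESSION_ARN},
    },
    {
        "eventTime": "2024-05-01T10:00:09Z",
        "eventSource": "s3.amazonaws.com",
        "eventName": "PutObject",
        "userIdentity": {"type": "AssumedRole",
                         "accessKeyId": "ASIAEXAMPLE000000001", "arn": SESSION_ARN},
        "requestParameters": {"bucketName": "my-bucket", "key": "app/index.html"},
    },
    {
        "eventTime": "2024-05-01T10:02:00Z",
        "eventSource": "s3.amazonaws.com",
        "eventName": "DeleteObject",
        "userIdentity": {"type": "AssumedRole",
                         "accessKeyId": "ASIAEXAMPLE000000002",
                         "arn": f"arn:aws:sts::{ACCOUNT}:assumed-role/gha-deploy-role/gha-1111111111"},
        "requestParameters": {"bucketName": "my-bucket", "key": "app/old.html"},
    },
]


def session_name_for_run(run_id):
    """Mirrors the assumed workflow setting role-session-name: gha-${{ github.run_id }}."""
    return f"gha-{run_id}"


def events_for_run(events, run_id, role_name="gha-deploy-role"):
    """Return (assumption events, follow-on events) attributable to the run."""
    session = session_name_for_run(run_id)
    issued_keys = set()
    assumptions = []
    for ev in events:
        if ev.get("eventName") != "AssumeRoleWithWebIdentity":
            continue
        params = ev.get("requestParameters", {})
        if params.get("roleSessionName") != session:
            continue
        if not params.get("roleArn", "").endswith(f":role/{role_name}"):
            continue
        assumptions.append(ev)
        key = ev.get("responseElements", {}).get("credentials", {}).get("accessKeyId")
        if key:
            issued_keys.add(key)
    # A temporary access key ID belongs to exactly one session, so any event
    # carrying it was made with this run's credentials.
    actions = [ev for ev in events
               if ev.get("userIdentity", {}).get("accessKeyId") in issued_keys]
    return assumptions, actions


def summarize_run(events, run_id, role_name="gha-deploy-role"):
    """Compact audit summary: which session ARNs the run got and what it did."""
    assumptions, actions = events_for_run(events, run_id, role_name)
    return {
        "run_id": run_id,
        "assumed_role_arns": [a["responseElements"]["assumedRoleUser"]["arn"]
                              for a in assumptions],
        "actions": [f'{e["eventSource"]}:{e["eventName"]}' for e in actions],
    }


if __name__ == "__main__":
    print(summarize_run(SAMPLE_EVENTS, "9876543210"))
```

In practice the `events` list comes from `aws cloudtrail lookup-events` or an Athena query over the trail's S3 logs, and the `PutObject` record is present only when S3 data events are enabled for the bucket. A run whose `AssumeRoleWithWebIdentity` event is missing from the window yields no actions, which is itself a finding worth checking rather than silently attributing events by session name alone.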
