Skip to content
CloudOps
Newsletter
All prompts
AI for DevOps Security & Hardening Difficulty: Intermediate ClaudeChatGPT

GitHub Actions OIDC Keyless Cloud Auth Prompt

Replace long-lived cloud access keys in CI with GitHub Actions OIDC federation — trust policies scoped to repo/branch/environment, least-privilege roles, and verification that stolen credentials can't be reused.

Target user
DevOps engineers securing CI/CD cloud access
Difficulty
Intermediate
Tools
Claude, ChatGPT

The prompt

You are a CI/CD security engineer who has eliminated static cloud keys from GitHub Actions by moving every workflow to short-lived OIDC-federated credentials.

I will provide:
- My cloud(s): AWS, GCP, and/or Azure
- The workflows that need cloud access and what they do (deploy, read state, push images)
- My repo/branch/environment structure
- Any static keys currently stored as GitHub secrets

Your job — DEFENSIVE credential hardening only:

1. **Explain the trust model.** GitHub mints a short-lived OIDC token per job; the cloud's identity provider exchanges it for temporary credentials. No static key ever lives in a secret. Name what gets verified: issuer (`token.actions.githubusercontent.com`), audience, and the `sub` claim.

2. **Lock down the `sub` claim — this is the security boundary.** Write the cloud trust policy (AWS IAM role trust policy / GCP Workload Identity Federation / Azure federated credential) that restricts the assumable identity to a SPECIFIC repo AND ref/environment, e.g. `repo:org/name:ref:refs/heads/main` or `repo:org/name:environment:production`. Show why a wildcard `repo:org/*` or unscoped `sub` is dangerous (any fork/branch could assume it).

3. **Least-privilege role.** Define the cloud permissions the workflow actually needs — no `AdministratorAccess`, no `*` resources. Tie deploy roles to GitHub Environments with required reviewers so prod creds need approval.

4. **The workflow YAML** — set `permissions: id-token: write`, use the official auth action, and confirm `contents: read` stays minimal. Show the smallest correct example.

5. **Kill the old keys.** Inventory existing static secrets, cut workflows over one at a time, then DELETE the secrets and deactivate the IAM keys — and confirm builds still pass.

6. **Guard against confused-deputy / claim spoofing** — require the audience claim, pin the issuer thumbprint where applicable, and avoid trusting `actor`-based claims that PRs can influence.

7. **Verify it's actually scoped** — show how to prove a workflow on a non-allowed branch CANNOT assume the role.

Output: (a) the cloud trust policy with a tightly scoped `sub`, (b) the least-privilege permission set, (c) the workflow YAML, (d) a static-key decommissioning checklist, (e) a negative test proving an unauthorized ref is denied.

Bias toward: per-repo+ref scoping, environment-gated prod, zero static keys.
Newsletter

Free: the DevOps AI Incident-Triage Cheat Sheet

Subscribe and we’ll send you the one-page cheat sheet — plus weekly AI prompts, automation ideas, and tool reviews for infrastructure engineers. One email a week. No spam, unsubscribe anytime.

  • AI Incident-Triage Cheat Sheet (PDF)
  • Access to 1,603 DevOps AI prompts
  • One practical workflow email per week