---
title: Configuring OpenID Connect in JFrog
shortTitle: OpenID Connect in JFrog
intro: Use OpenID Connect within your workflows to authenticate with JFrog.
versions:
type: tutorial
topics:
redirect_from:
---
OpenID Connect (OIDC) allows your {% data variables.product.prodname_actions %} workflows to authenticate with JFrog to download and publish artifacts without storing JFrog passwords, tokens, or API keys in {% data variables.product.company_short %}.
This guide gives an overview of how to configure JFrog to trust {% data variables.product.prodname_dotcom %}'s OIDC as a federated identity, and demonstrates how to use this configuration in a {% data variables.product.prodname_actions %} workflow.
For an example {% data variables.product.prodname_actions %} workflow, see Sample {% data variables.product.prodname_actions %} Integration in the JFrog documentation.
For an example {% data variables.product.prodname_actions %} workflow using the JFrog CLI, see build-publish.yml in the jfrog-github-oidc-example repository.
{% data reusables.actions.oidc-link-to-intro %}
{% data reusables.actions.oidc-security-notice %}
{% data reusables.actions.oidc-on-ghecom %}
- To be secure, you need to set a Claims JSON in JFrog when configuring identity mappings. For more information, see AUTOTITLE and AUTOTITLE.

  For example, you can set `iss` to `https://token.actions.githubusercontent.com`, and the `repository` to something like `octo-org/octo-repo`. This will ensure only Actions workflows from the specified repository will have access to your JFrog platform. The following is an example Claims JSON when configuring identity mappings.

  ```json
  {
    "iss": "https://token.actions.githubusercontent.com",
    "repository": "octo-org/octo-repo"
  }
  ```
To use OIDC with JFrog, establish a trust relationship between {% data variables.product.prodname_actions %} and the JFrog platform. For more information about this process, see OpenID Connect Integration in the JFrog documentation.
1. Sign in to your JFrog Platform.
1. Configure trust between JFrog and your {% data variables.product.prodname_actions %} workflows.
1. Configure identity mappings.
In your {% data variables.product.prodname_actions %} workflow file, ensure you are using the provider name and audience you configured in the JFrog Platform.
```yaml
# id-token: write lets the job request an OIDC token from GitHub;
# contents: read is the least privilege the checkout needs.
permissions:
  id-token: write
  contents: read

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - name: Setup JFrog CLI with OIDC
        uses: jfrog/setup-jfrog-cli@v4
        with:
          # Must match the provider name and audience configured in the JFrog Platform.
          oidc-provider-name: 'YOUR_PROVIDER_NAME'
          oidc-audience: 'YOUR_AUDIENCE'

      - name: Upload artifact
        run: jf rt upload "dist/*.zip" my-repo/
```
- Always use `permissions: id-token: write` in workflows that authenticate with JFrog.
- Limit trust using specific claims like `repository`, `ref`, or `environment`.
- Configure identity mappings in JFrog to restrict which workflows are allowed to authenticate.
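As an added example (not code from this page or from JFrog), the following Python models how a JFrog identity mapping's Claims JSON is evaluated against the claims of a {% data variables.product.prodname_actions %} OIDC token, contrasting an issuer-only mapping with the page's repository mapping narrowed further by `ref` and `environment`. The token payload is constructed, and exact-match semantics for the Claims JSON are an assumption.

```python
import json

# Constructed payload of a decoded GitHub Actions OIDC token, as a JFrog identity
# mapping would see it after signature verification (values are made up).
GITHUB_TOKEN_CLAIMS = {
    "iss": "https://token.actions.githubusercontent.com",
    "aud": "jfrog-github",
    "sub": "repo:octo-org/octo-repo:environment:production",
    "repository": "octo-org/octo-repo",
    "repository_owner": "octo-org",
    "ref": "refs/heads/main",
    "environment": "production",
    "workflow": "build-publish",
}

# Weak Claims JSON: pins only the issuer, so a token minted for any repository
# on github.com satisfies it.
ISSUER_ONLY_CLAIMS = json.loads(
    '{"iss": "https://token.actions.githubusercontent.com"}'
)

# The page's Claims JSON, narrowed further with ref and environment.
STRICT_CLAIMS = json.loads("""{
  "iss": "https://token.actions.githubusercontent.com",
  "repository": "octo-org/octo-repo",
  "ref": "refs/heads/main",
  "environment": "production"
}""")


def mismatched_claims(token_claims, mapping_claims):
    """Names of mapping claims the token does not satisfy (assumption: JFrog
    requires every claim listed in the Claims JSON to be present in the token
    with an identical value; extra token claims are ignored). An empty list
    means the identity mapping applies."""
    return sorted(
        name for name, value in mapping_claims.items()
        if token_claims.get(name) != value
    )


def claims_match(token_claims, mapping_claims):
    """True when the identity mapping (an AND over all its claims) applies."""
    return not mismatched_claims(token_claims, mapping_claims)
```

A token from a forked or unrelated repository passes the issuer-only mapping but is refused by the strict one, with the failing claim names available for audit logging.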
- JFrog OpenID Connect Integration
- GitHub Docs: About security hardening with OpenID Connect
- JFrog CLI Docs: `exchange-oidc-token` command (manual usage)