
feat: add OIDC workload identity federation to secret provider plugins#636

Open
theoephraim wants to merge 2 commits into main from feat/oidc-workload-identity

Conversation

@theoephraim
Member

Summary

  • Add shared OIDC token acquisition utility (packages/utils/src/oidc-tokens.ts) that auto-detects 5 deployment platforms (Vercel, GitHub Actions, GitLab CI, Fly.io, GCP Cloud Run)
  • Add OIDC authentication as a fallback option in 6 secret provider plugins:
    • AWS: STS AssumeRoleWithWebIdentity via new oidcRoleArn param
    • Azure: Federated credential (JWT as client assertion) when tenantId+clientId provided without clientSecret
    • GCP: Workload Identity Federation via workloadIdentityProvider param
    • HashiCorp Vault: JWT auth method via jwtRole param
    • Infisical: OIDC machine identity via identityId param (alternative to Universal Auth)
    • Akeyless: OIDC access type via oidcAccessId param
  • All plugins also accept explicit oidcToken param for custom OIDC providers

This enables deployed environments to authenticate with secret providers using short-lived OIDC tokens instead of long-lived credentials — no secrets needed to fetch secrets.

Test plan

  • Verify typecheck passes across all packages (confirmed in pre-push hook)
  • Verify lint passes (confirmed via bun run lint:fix)
  • Manual test: deploy to Vercel with AWS OIDC role configured, verify secrets resolve
  • Manual test: GitHub Actions workflow with id-token: write permission
  • Unit tests for OIDC token acquisition utility (mock platform env vars)
  • Unit tests for each plugin's OIDC auth path (mock token exchange endpoints)
  • Documentation pass (shared OIDC guide + per-plugin README sections) — follow-up PR

🤖 Generated with Claude Code
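The acquisition-and-fallback pattern the description lays out (explicit oidcToken first, platform auto-detection otherwise, then a pre-flight sanity check before the token is sent to a provider), as an added TypeScript example that is not the PR's own oidc-tokens.ts; the function names detectTokenSource, checkClaims and sampleJwt are invented here, only GitHub Actions, Vercel and Cloud Run detection is shown, and the real HTTP fetch is left to the caller:

```typescript
// Added example, not the PR's oidc-tokens.ts. Pattern from the PR: an explicit
// oidcToken wins, otherwise the platform is detected from env. Variable names for
// GitHub Actions, Vercel and Cloud Run are real; GitLab CI/Fly.io are left out.
type Env = Record<string, string | undefined>;
type TokenSource =
  | { kind: "explicit"; token: string }
  | { kind: "github"; url: string; bearer: string } // GET url, Authorization: Bearer
  | { kind: "vercel"; token: string }
  | { kind: "gcp-metadata"; url: string }           // GET url, Metadata-Flavor: Google
  | { kind: "none" };
function detectTokenSource(env: Env, audience: string, explicit?: string): TokenSource {
  if (explicit) return { kind: "explicit", token: explicit };
  const ghUrl = env.ACTIONS_ID_TOKEN_REQUEST_URL, ghReq = env.ACTIONS_ID_TOKEN_REQUEST_TOKEN;
  if (ghUrl && ghReq) { // the request URL already carries ?api-version=..., so append with &
    return { kind: "github", url: `${ghUrl}&audience=${encodeURIComponent(audience)}`, bearer: ghReq };
  }
  if (env.VERCEL_OIDC_TOKEN) return { kind: "vercel", token: env.VERCEL_OIDC_TOKEN };
  if (env.K_SERVICE) { // Cloud Run sets K_SERVICE; the metadata server mints ID tokens
    const base = "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/identity";
    return { kind: "gcp-metadata", url: `${base}?audience=${encodeURIComponent(audience)}&format=full` };
  }
  return { kind: "none" };
}
// base64url helpers; atob/btoa are globals in Node 16+ and browsers
const b64urlEncode = (s: string) => btoa(s).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
const b64urlDecode = (s: string) => {
  const b64 = s.replace(/-/g, "+").replace(/_/g, "/");
  return atob(b64 + "=".repeat((4 - (b64.length % 4)) % 4));
};
// Pre-flight check before handing a token to STS/Azure/Vault: decode (not verify)
// the payload and reject expired or wrongly-audienced tokens early. Signature
// verification stays with the provider at the exchange endpoint.
type Claims = { exp?: number; aud?: string | string[] };
function checkClaims(jwt: string, audience: string, nowSec: number): { ok: boolean; reason?: string } {
  const parts = jwt.split(".");
  if (parts.length !== 3) return { ok: false, reason: "not a JWT" };
  let claims: Claims | undefined;
  try { claims = JSON.parse(b64urlDecode(parts[1])); } catch {}
  if (!claims) return { ok: false, reason: "bad payload" };
  if (typeof claims.exp !== "number" || claims.exp <= nowSec) return { ok: false, reason: "expired" };
  const aud: (string | undefined)[] = Array.isArray(claims.aud) ? claims.aud : [claims.aud];
  if (!aud.includes(audience)) return { ok: false, reason: "audience mismatch" };
  return { ok: true };
}
// Constructed sample token (header.payload.fake-signature) for offline tests only.
function sampleJwt(claims: Claims): string {
  const header = b64urlEncode(JSON.stringify({ alg: "RS256", typ: "JWT" }));
  return `${header}.${b64urlEncode(JSON.stringify(claims))}.c2ln`;
}
```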

…r plugins

Enable deployed environments (Vercel, GitHub Actions, Fly.io, GCP Cloud Run,
GitLab CI) to authenticate with secret providers using short-lived OIDC tokens
instead of long-lived credentials.

Adds a shared OIDC token acquisition utility that auto-detects the deployment
platform, and integrates OIDC as an auth option in 6 plugins: AWS (STS
AssumeRoleWithWebIdentity), Azure (federated credential), GCP (Workload
Identity Federation), HashiCorp Vault (JWT auth), Infisical (OIDC machine
identity), and Akeyless (OIDC access type).

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@changeset-bot

changeset-bot Bot commented Apr 21, 2026

⚠️ No Changeset found

Latest commit: 346c87e

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types


Add a shared OIDC guide at guides/oidc.mdx covering platform setup
(Vercel, GitHub Actions, GitLab CI, Fly.io, GCP Cloud Run) and
provider-specific configuration for all 6 supported plugins.

Update each plugin README with OIDC auth section, updated auth priority
order, and new parameter documentation. All READMEs link to the shared
guide for platform-side setup details.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@cloudflare-workers-and-pages

cloudflare-workers-and-pages Bot commented Apr 21, 2026

Deploying with Cloudflare Workers

Status: Deployment successful!
Name: varlock-website
Latest Commit: 346c87e
Preview URL: Commit Preview URL / Branch Preview URL
Updated (UTC): Apr 21 2026, 06:05 AM

# @initAws(region=us-east-1, oidcRoleArn="arn:aws:iam::123:role/my-role", oidcToken=$MY_OIDC_TOKEN)
```

## Plugin-specific setup
Member


do we need this repetition from each of the plugins? Maybe we just have a rolled-up list and link out to their respective OIDC sections?
