OpenID Connect (OIDC) for GHEC Audit Log Streaming to AWS S3 #499
Labels
admin-cloud (Feature area: Cloud administration)
beta (Feature phase: Beta)
cloud (Available on Cloud)
github enterprise (Product SKU: GitHub Enterprise)
Summary
Today, GitHub's audit log streaming feature requires you to store long-lived cloud secrets in GitHub when configuring your stream. Going forward, the audit log feature will support OpenID Connect (OIDC) for streaming partners. With OIDC, GitHub authenticates to the cloud provider using short-lived tokens that are issued and rotated automatically for each streaming configuration, so no static credential has to be stored in GitHub.
Intended Outcome
How will it work?
OIDC will establish an identity layer between GitHub and AWS for the purpose of authenticating GitHub to stream audit log events to a specified AWS S3 bucket. Enterprise owners will establish trust with the GitHub audit log application in their AWS account and assign the audit log application a role with write permissions to the S3 bucket. When streaming events via audit log streaming, GitHub will present a short-lived token for its audit log identity to assume that cloud role; no long-lived AWS credential is stored in GitHub.
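The trust relationship described above, modelled in Python as an added example (this is not GitHub's or AWS's code). It builds the two IAM documents an enterprise owner would supply, a role trust policy pinned to the issuer, audience and subject, and a write-only bucket policy, and then approximates how AWS evaluates a web-identity token against that trust policy. The issuer host, audience and subject values are hypothetical placeholders: the page does not state which issuer URL or claims the GitHub audit log identity will carry, so substitute the values GitHub documents when the feature ships.

```python
"""Model the AWS-side trust for OIDC-based audit log streaming.

Added example, not the project's code. ISSUER_HOST, AUDIENCE and SUBJECT are
hypothetical placeholders; the real values are not given on the page.
"""
import json
import time

ISSUER_HOST = "oidc.audit-log.example.githubusercontent.com"  # placeholder
AUDIENCE = "sts.amazonaws.com"                                # placeholder
SUBJECT = "enterprise:acme-corp"                              # placeholder
ACCOUNT_ID = "123456789012"                                   # placeholder
BUCKET = "acme-corp-github-audit-log"                         # placeholder


def trust_policy(issuer_host=ISSUER_HOST, account_id=ACCOUNT_ID,
                 audience=AUDIENCE, subject=SUBJECT):
    """Role trust policy: only tokens from this OIDC provider that carry
    exactly this aud and sub may call sts:AssumeRoleWithWebIdentity.
    Pinning sub stops any other tenant of the same issuer assuming the role."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {
                "Federated": f"arn:aws:iam::{account_id}:oidc-provider/{issuer_host}"
            },
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {"StringEquals": {
                f"{issuer_host}:aud": audience,
                f"{issuer_host}:sub": subject,
            }},
        }],
    }


def bucket_write_policy(bucket=BUCKET):
    """Permissions policy for the role: write objects into the bucket, nothing
    else (no read, list or delete), which is all a log shipper needs."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["s3:PutObject"],
            "Resource": f"arn:aws:s3:::{bucket}/*",
        }],
    }


def assume_role_allowed(policy, claims, now=None):
    """Approximate IAM's decision for AssumeRoleWithWebIdentity given the
    decoded (already signature-verified) token claims."""
    now = time.time() if now is None else now
    # Short-lived token: reject anything expired or not yet valid.
    if claims.get("exp", 0) <= now or claims.get("nbf", 0) > now:
        return False
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow" or stmt.get("Action") != "sts:AssumeRoleWithWebIdentity":
            continue
        provider_arn = stmt["Principal"]["Federated"]
        issuer_host = provider_arn.split(":oidc-provider/", 1)[1]
        # The provider ARN names the issuer host; the token's iss is the URL.
        if claims.get("iss") != "https://" + issuer_host:
            continue
        conditions = stmt.get("Condition", {}).get("StringEquals", {})
        # Condition keys look like "<issuer-host>:aud"; compare each claim.
        if all(claims.get(key.rsplit(":", 1)[1]) == expected
               for key, expected in conditions.items()):
            return True
    return False


def demo():
    """Evaluate constructed tokens against the trust policy."""
    policy = trust_policy()
    now = 1_700_000_000  # fixed clock so the result is reproducible
    base = {"iss": "https://" + ISSUER_HOST, "aud": AUDIENCE, "sub": SUBJECT,
            "iat": now, "nbf": now, "exp": now + 300}  # constructed 5-minute token
    cases = {
        "valid": dict(base),
        "wrong_audience": dict(base, aud="https://other-service.example"),
        "wrong_subject": dict(base, sub="enterprise:someone-else"),
        "expired": dict(base, exp=now - 1),
    }
    return {name: assume_role_allowed(policy, c, now=now) for name, c in cases.items()}


if __name__ == "__main__":
    print(json.dumps(trust_policy(), indent=2))
    print(json.dumps(bucket_write_policy(), indent=2))
    print(demo())
```

Only the "valid" token is accepted; a token for a different audience or subject, or one past its expiry, is refused even though it comes from the trusted issuer. That is the check worth confirming in the real trust policy once the feature is available: a condition on the issuer alone would let any principal that issuer vouches for write into the bucket.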