From 20dd6aced44bf5d885c4e6e98de3211101348519 Mon Sep 17 00:00:00 2001
From: Rob E
Date: Fri, 13 Dec 2024 07:22:39 +1000
Subject: [PATCH 1/8] Octopus OIDC content
---
...guring-openid-connect-in-octopus-deploy.md | 73 +++++++++++++++++++
1 file changed, 73 insertions(+)
create mode 100644 content/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-octopus-deploy.md
diff --git a/content/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-octopus-deploy.md b/content/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-octopus-deploy.md
new file mode 100644
index 000000000000..3b381d3d4ada
--- /dev/null
+++ b/content/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-octopus-deploy.md
@@ -0,0 +1,73 @@
+---
+title: Configuring OpenID Connect in Octopus Deploy
+shortTitle: OpenID Connect in Octopus Deploy
+intro: Use OpenID Connect within your workflows to authenticate with Octopus Deploy.
+versions:
+ fpt: '*'
+ ghec: '*'
+type: tutorial
+topics:
+ - Security
+ - Actions
+redirect_from:
+ - /actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-octopus-deploy
+---
+
+## Overview
+
+OpenID Connect (OIDC) allows your {% data variables.product.prodname_actions %} workflows to authenticate with [Octpopus Deploy](https://octopus.com/) to push packages, create releases or trigger deployments without storing Octopus Deploy passwords or API keys as long-lived {% data variables.product.prodname_dotcom %} secrets.
+
+This guide provides an overview of how to configure Octopus Deploy to trust {% data variables.product.prodname_dotcom %}'s OIDC as a federated identity, and includes a workflow example for the [`octopusdeploy/login`](https://github.com/OctopusDeploy/login) action that uses tokens to authenticate to your Octopus Deploy instance.
+
+
+## Prerequisites
+
+{% data reusables.actions.oidc-link-to-intro %}
+
+{% data reusables.actions.oidc-security-notice %}
+
+{% data reusables.actions.oidc-on-ghecom %}
+
+## Adding the identity provider to Octopus Deploy
+
+To use OIDC with Octopus Deploy, first establish a trust relationship between {% data variables.product.prodname_actions %} and your Octopus Deploy instance. For more information about this process, see [Using OpenID Connect with the Octopus API](https://octopus.com/docs/octopus-rest-api/openid-connect) in the Octopus Deploy documentation.
+
+1. Sign in to your Octopus Deploy instance.
+1. Create or open the Service Account that will be granted access via the token request.
+1. Configure a new OIDC Identity, defining the relevant subject that the {% data variables.product.prodname_actions %} workflow token request will be validated against.
+
+### Adding permissions settings
+
+{% data reusables.actions.oidc-permissions-token %}
+
+#### Requesting the access token
+
+The [`octopus/login`](https://github.com/OctopusDeploy/login) action receives a JWT from the {% data variables.product.prodname_dotcom %} OIDC provider, and then requests an access token from your Octopus Server instance. For more information, see the [`octopus/login`](https://github.com/OctopusDeploy/login) documentation.
+
+The following example exchanges an OIDC ID token with your Octopus Deploy instance to receive an access token, which can then be used to access your Octopus Deploy resources. Be sure to replace the `server` and `service_account_id` details appropriately for your scenario.
+
+{% raw %}
+
+```yaml copy
+jobs:
+ create_release_in_octopus:
+ runs-on: ubuntu-latest
+ name: Create a release in Octopus
+ permissions:
+ # You might need to add other permissions here like `contents: read` depending on what else your job needs to do
+ id-token: write # This is required to obtain an ID token from GitHub Actions for the job
+ steps:
+ - name: Login to Octopus
+ uses: OctopusDeploy/login@v1
+ with:
+ server: https://my.octopus.app
+ service_account_id: 5be4ac10-2679-4041-a8b0-7b05b445e19e
+
+ - name: Create a release in Octopus
+ uses: OctopusDeploy/create-release-action@v3
+ with:
+ space: Default
+ project: My Octopus Project
+```
+
+ {% endraw %}
\ No newline at end of file
From fdfd9b74d7968dfe3e3ee67d4f734b40141e2d9e Mon Sep 17 00:00:00 2001
From: Rob E
Date: Fri, 13 Dec 2024 07:24:52 +1000
Subject: [PATCH 2/8] one less indent
---
.../configuring-openid-connect-in-octopus-deploy.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
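Review bot: Step 3 under "Adding the identity provider to Octopus Deploy" asks the reader to define "the relevant subject" but never says what a subject looks like or how tightly to scope it, and that value is what ties the service account to one workflow context. Unless the included `oidc-security-notice` reusable already covers this, add a sentence such as `Scope the subject to a single repository and branch or environment (for example repo:ORG/REPO:environment:ENV, placeholders), so that tokens issued to other repositories or refs are rejected.` In the same hunk the Overview link text is misspelled `Octpopus Deploy`, and the action is written `octopus/login` in "Requesting the access token" but `OctopusDeploy/login` in the `uses:` line; use the latter throughout.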
diff --git a/content/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-octopus-deploy.md b/content/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-octopus-deploy.md index 3b381d3d4ada..929ecfd5fa34 100644 --- a/content/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-octopus-deploy.md +++ b/content/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-octopus-deploy.md @@ -40,7 +40,7 @@ To use OIDC with Octopus Deploy, first establish a trust relationship between {% {% data reusables.actions.oidc-permissions-token %} -#### Requesting the access token +### Requesting the access token The [`octopus/login`](https://github.com/OctopusDeploy/login) action receives a JWT from the {% data variables.product.prodname_dotcom %} OIDC provider, and then requests an access token from your Octopus Server instance. For more information, see the [`octopus/login`](https://github.com/OctopusDeploy/login) documentation. From e38c6a885b08767f49c0b999b2bf4579e0663ee1 Mon Sep 17 00:00:00 2001 From: Rob E Date: Wed, 18 Dec 2024 15:06:55 +1000 Subject: [PATCH 3/8] Update workflow heading --- .../configuring-openid-connect-in-octopus-deploy.md | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/content/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-octopus-deploy.md b/content/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-octopus-deploy.md index 929ecfd5fa34..f9c993beaea1 100644 --- a/content/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-octopus-deploy.md +++ b/content/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-octopus-deploy.md 
@@ -36,6 +36,14 @@ To use OIDC with Octopus Deploy, first establish a trust relationship between {% 1. Create or open the Service Account that will be granted access via the token request. 1. Configure a new OIDC Identity, defining the relevant subject that the {% data variables.product.prodname_actions %} workflow token request will be validated against. +## Updating your {% data variables.product.prodname_actions %} workflow + +To update your workflows for OIDC, you will need to make two changes to your YAML: +1. Add permissions settings for the token. +1. Use the [`OctopusDeploy/login`](https://github.com/OctopusDeploy/login) action to exchange the OIDC token (JWT) for a cloud access token. + +{% data reusables.actions.oidc-deployment-protection-rules %} + ### Adding permissions settings {% data reusables.actions.oidc-permissions-token %} From 245aa47d9a88b0e859fc3bde5495fad399f0a816 Mon Sep 17 00:00:00 2001 From: Rob E Date: Mon, 6 Jan 2025 09:57:23 +1000 Subject: [PATCH 4/8] Update actions to use full sha --- .../configuring-openid-connect-in-octopus-deploy.md | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/content/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-octopus-deploy.md b/content/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-octopus-deploy.md index f9c993beaea1..c56dc8a0ed82 100644 --- a/content/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-octopus-deploy.md +++ b/content/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-octopus-deploy.md 
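Review bot: The second list item says the login action exchanges the JWT for "a cloud access token", which reads as wording carried over from the cloud-provider guides; elsewhere this page says the access token is requested from the Octopus Server instance. Naming the issuer matters here because it tells the reader which system's permissions the resulting token carries. Suggested wording: `exchange the OIDC token (JWT) for an Octopus Deploy access token`.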
@@ -19,7 +19,6 @@ OpenID Connect (OIDC) allows your {% data variables.product.prodname_actions %} This guide provides an overview of how to configure Octopus Deploy to trust {% data variables.product.prodname_dotcom %}'s OIDC as a federated identity, and includes a workflow example for the [`octopusdeploy/login`](https://github.com/OctopusDeploy/login) action that uses tokens to authenticate to your Octopus Deploy instance. - ## Prerequisites {% data reusables.actions.oidc-link-to-intro %} @@ -66,13 +65,13 @@ jobs: id-token: write # This is required to obtain an ID token from GitHub Actions for the job steps: - name: Login to Octopus - uses: OctopusDeploy/login@v1 + uses: OctopusDeploy/login@34b6dcc1e86fa373c14e6a28c5507d221e4de629 #v1.0.2 with: server: https://my.octopus.app service_account_id: 5be4ac10-2679-4041-a8b0-7b05b445e19e - name: Create a release in Octopus - uses: OctopusDeploy/create-release-action@v3 + uses: OctopusDeploy/create-release-action@fe13cc69c1c037cb7bb085981b152f5e35257e1f #v3.2.2 with: space: Default project: My Octopus Project From db094276d1e5c091346a05c9f6f24912240e851d Mon Sep 17 00:00:00 2001 From: Rob E Date: Mon, 6 Jan 2025 10:06:52 +1000 Subject: [PATCH 5/8] End with newline --- .../configuring-openid-connect-in-octopus-deploy.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/content/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-octopus-deploy.md b/content/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-octopus-deploy.md index c56dc8a0ed82..bdd8f58a3a4e 100644 --- a/content/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-octopus-deploy.md +++ b/content/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-octopus-deploy.md 
@@ -77,4 +77,5 @@ jobs: project: My Octopus Project ``` - {% endraw %} \ No newline at end of file + {% endraw %} + \ No newline at end of file From cbe164b1f2e1cb19b38fabf11a41e9f311745ad6 Mon Sep 17 00:00:00 2001 From: Rob E Date: Mon, 6 Jan 2025 10:19:52 +1000 Subject: [PATCH 6/8] Add further reading --- .../configuring-openid-connect-in-octopus-deploy.md | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/content/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-octopus-deploy.md b/content/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-octopus-deploy.md index bdd8f58a3a4e..6d4d20a6996f 100644 --- a/content/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-octopus-deploy.md +++ b/content/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-octopus-deploy.md @@ -77,5 +77,8 @@ jobs: project: My Octopus Project ``` - {% endraw %} - \ No newline at end of file +{% endraw %} + +## Further reading + +{% data reusables.actions.oidc-further-reading %} \ No newline at end of file From 74703ad88c04aaa93e883560f069762e1013fe03 Mon Sep 17 00:00:00 2001 From: Rob E Date: Mon, 6 Jan 2025 11:07:37 +1000 Subject: [PATCH 7/8] Single Newline --- .../configuring-openid-connect-in-octopus-deploy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-octopus-deploy.md b/content/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-octopus-deploy.md index 6d4d20a6996f..bc5e2d6199ea 100644 --- a/content/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-octopus-deploy.md 
+++ b/content/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-octopus-deploy.md @@ -81,4 +81,4 @@ jobs: ## Further reading -{% data reusables.actions.oidc-further-reading %} \ No newline at end of file +{% data reusables.actions.oidc-further-reading %} From 7d3fe0f44d76cbd249f740de7e92cb8a3ce379aa Mon Sep 17 00:00:00 2001 From: Rob E Date: Mon, 6 Jan 2025 11:18:32 +1000 Subject: [PATCH 8/8] Add link and remove redirect --- .../configuring-openid-connect-in-octopus-deploy.md | 2 -- .../security-hardening-your-deployments/index.md | 1 + 2 files changed, 1 insertion(+), 2 deletions(-) diff --git a/content/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-octopus-deploy.md b/content/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-octopus-deploy.md index bc5e2d6199ea..e739cd2f3090 100644 --- a/content/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-octopus-deploy.md +++ b/content/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-octopus-deploy.md @@ -9,8 +9,6 @@ type: tutorial topics: - Security - Actions -redirect_from: - - /actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-octopus-deploy --- ## Overview diff --git a/content/actions/security-for-github-actions/security-hardening-your-deployments/index.md b/content/actions/security-for-github-actions/security-hardening-your-deployments/index.md index 6424dc340273..66e951e9f936 100644 --- a/content/actions/security-for-github-actions/security-hardening-your-deployments/index.md +++ b/content/actions/security-for-github-actions/security-hardening-your-deployments/index.md 
@@ -15,6 +15,7 @@ children: - /configuring-openid-connect-in-google-cloud-platform - /configuring-openid-connect-in-hashicorp-vault - /configuring-openid-connect-in-jfrog + - /configuring-openid-connect-in-octopus-deploy - /configuring-openid-connect-in-pypi - /configuring-openid-connect-in-cloud-providers - /using-openid-connect-with-reusable-workflows