ZiiS 3 hours ago

AWS do exactly this. An example use-case is that IAM can grant permission to update a Lambda to a GitHub Action running in a given repository.
sandeepkd 3 hours ago | parent

Personally I don't like the way they do it; it's hard to understand, if anything it's convoluted. In the case of AWS, you add GitHub as an IdP (OIDC provider) and associate a role with it. GitHub is now authenticating into AWS, scoped to the GitHub repository where it's configured and the AWS role it can assume. It's not really a typical OAuth2 or OIDC flow. And yes, it's better than storing the keys. GitHub is not the OAuth client here.
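The repository scoping the comments describe lives in the IAM role's trust policy, and the usual mistake is to check only the `aud` claim and forget the `sub` claim. The linter below is an added example (not code from the thread or from AWS); it assumes the role is meant for a single repository, that the expected audience is `sts.amazonaws.com`, and uses the AWS documentation placeholder account id `123456789012`.

```python
# Added example: lint an IAM role trust policy for GitHub Actions OIDC federation.
# Assumes the conventional shape: Federated principal is the GitHub OIDC provider,
# action is sts:AssumeRoleWithWebIdentity, token claims are matched via
# Condition keys prefixed with token.actions.githubusercontent.com.
GITHUB_OIDC_HOST = "token.actions.githubusercontent.com"
AUD_KEY = GITHUB_OIDC_HOST + ":aud"
SUB_KEY = GITHUB_OIDC_HOST + ":sub"


def _as_list(v):
    return v if isinstance(v, list) else [v]


def trust_policy_findings(policy: dict) -> list:
    """Return findings for GitHub-federated statements; [] means repo-scoped."""
    findings = []
    for stmt in policy.get("Statement", []):
        fed = _as_list(stmt.get("Principal", {}).get("Federated", []))
        if stmt.get("Effect") != "Allow" or not any(
            p.endswith(":oidc-provider/" + GITHUB_OIDC_HOST) for p in fed
        ):
            continue  # not a GitHub OIDC statement
        if "sts:AssumeRoleWithWebIdentity" not in _as_list(stmt.get("Action", [])):
            findings.append("GitHub principal granted an action other than AssumeRoleWithWebIdentity")
        # Flatten every operator (StringEquals, StringLike, ...) into one key -> values map
        merged = {}
        for kv in stmt.get("Condition", {}).values():
            for k, v in kv.items():
                merged.setdefault(k, []).extend(_as_list(v))
        if merged.get(AUD_KEY) != ["sts.amazonaws.com"]:
            findings.append("aud claim is not pinned to sts.amazonaws.com")
        subs = merged.get(SUB_KEY)
        if not subs:
            findings.append("no sub condition: any GitHub repository can assume this role")
        for s in subs or []:
            # sub is repo:<owner>/<repo>:ref:refs/heads/<branch>; the repo part must not be wildcarded
            if not s.startswith("repo:") or "*" in s.split(":")[1]:
                findings.append("sub pattern %r is not scoped to one repository" % s)
    return findings


_PROVIDER = "arn:aws:iam::123456789012:oidc-provider/" + GITHUB_OIDC_HOST  # placeholder account id
_BASE = {"Effect": "Allow", "Principal": {"Federated": _PROVIDER},
         "Action": "sts:AssumeRoleWithWebIdentity"}
# Constructed weak policy: only the audience is checked, so a workflow in any repository passes
WEAK_POLICY = {"Version": "2012-10-17", "Statement": [dict(_BASE, Condition={
    "StringEquals": {AUD_KEY: "sts.amazonaws.com"}})]}
# Constructed scoped policy: the sub claim pins the role to one repository and branch
SCOPED_POLICY = {"Version": "2012-10-17", "Statement": [dict(_BASE, Condition={
    "StringEquals": {AUD_KEY: "sts.amazonaws.com"},
    "StringLike": {SUB_KEY: "repo:example-org/example-repo:ref:refs/heads/main"}})]}
```

`trust_policy_findings(WEAK_POLICY)` reports the missing `sub` condition, while the scoped policy returns no findings.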