cellos-broker-oidc 0.5.1

OIDC SecretBroker for CellOS — fetches workload identity tokens via OIDC token exchange (GitHub Actions, GitLab CI, Azure DevOps).
Documentation

cellos-broker-oidc

SecretBroker that resolves GitHub Actions OIDC tokens — the production path for federated identity into AWS / GCP / Azure / Vault.

What it is

Implements cellos_core::ports::SecretBroker. When a CI job runs with permissions: id-token: write, GitHub injects:

  • ACTIONS_ID_TOKEN_REQUEST_URL
  • ACTIONS_ID_TOKEN_REQUEST_TOKEN

For each secretRef (treated as the requested audience), the broker calls GET {URL}&audience={key} with the bearer token, parses the response, and returns the signed JWT as a SecretView. The workload then exchanges that JWT via AssumeRoleWithWebIdentity / Workload Identity Federation / auth/jwt/login etc.

Selected in cellos-supervisor::composition::build_secret_broker when CELLOS_BROKER=github-oidc.

What it does NOT do:

  • It does not exchange the JWT for cloud credentials — that is the workload's responsibility.
  • It does not implement revoke_for_cell; GitHub OIDC tokens are audience-scoped and short-lived (5 min), so revocation is unnecessary.
  • It does not surface a broker correlation ID today. GITHUB_RUN_ID is ambient but the broker scopes itself to the token request only; broker_correlation_id returns None. A future revision may surface the OIDC jti claim once consumer tools converge on a urn:cellos:oidc:<jti> shape.

Public API surface

Symbol Purpose
GithubActionsOidcBroker The broker. new() returns Err if the GHA env vars are missing.
DEFAULT_REQUEST_TIMEOUT_MS / ENV_REQUEST_TIMEOUT_MS 30 s default request timeout; overridable.
DEFAULT_CONNECT_TIMEOUT_MS / ENV_CONNECT_TIMEOUT_MS 10 s default connect timeout; overridable.
resolve_timeout_ms(env_var, default_ms) Pure helper: parse a positive u64 ms from env, else default.

Source: src/lib.rs.

Configuration

Selection:

CELLOS_BROKER=github-oidc

Provided by the GitHub Actions runner (do not set yourself):

ACTIONS_ID_TOKEN_REQUEST_URL=<runner-supplied>
ACTIONS_ID_TOKEN_REQUEST_TOKEN=<runner-supplied>

Optional bounded timeouts:

Env var Default
CELLOS_BROKER_OIDC_TIMEOUT_MS 30 000
CELLOS_BROKER_OIDC_CONNECT_TIMEOUT_MS 10 000

The reqwest client is never built without explicit timeouts — a black-holed Actions endpoint cannot stall the secret-resolve phase.

Cell-spec contract:

identity:
  audience: sts.amazonaws.com   # the OIDC `aud` claim
authority:
  secretRefs:
    - AWS_WEB_IDENTITY            # logical alias the workload reads

Examples

GitHub Actions workflow:

permissions:
  id-token: write
  contents: read

steps:
  - run: |
      export CELLOS_BROKER=github-oidc
      cellos-supervisor --spec cell.yaml

Testing

cargo test -p cellos-broker-oidc

Related crates

  • cellos-broker-env / cellos-broker-file — non-federated brokers.
  • cellos-broker-vault — Vault AppRole for non-GitHub deployments.
  • cellos-supervisor — selects this broker via CELLOS_BROKER.
  • cellos-core — defines the SecretBroker port and SecretView.

Operator note: tracing

reqwest can emit bearer tokens at TRACE level. Every CellOS binary that initializes tracing wires cellos_core::observability::redacted_filter into the fmt layer so RUST_LOG=reqwest=trace (or any wildcard pulling the HTTP stack in at trace) cannot leak the GitHub OIDC bearer token to stderr. Do not bypass this filter in custom tracing-init paths.

ADRs

  • ADR-0007 — RBAC and secretRef admission contract; OIDC token exchange is the production-leaning path.