Configure your Central login credentials for use in other GitHub Actions.
This action obtains an access token to a Red Hat Advanced Cluster Security (ACS) Central instance and configures environment variables for your other actions to use.
This is as simple as adding the following step to your workflow:
- name: Central Login
uses: stackrox/central-login@v1
with:
endpoint: https://<central-endpoint>:443| Parameter name | Required? | Description |
|---|---|---|
endpoint |
(required) | API endpoint of the ACS Central instance. |
skip-tls-verify |
(optional) | Skip TLS certificat verification for ACS Central's API endpoint. |
It is currently only supported to retrieve credentials by using GitHub's OIDC provider.
With GitHub's OIDC provider, this action will be issued with an ID token unique to this workflow run, which will then be exchanged for a ACS Central access token.
For creating the ID
token, it is required for your workflow to have the id-token: write permission:
permissions:
id-token: write # This is required for requesting the JWTBefore being able to exchange tokens, the ACS Central instance needs to be configured to allow exchanging tokens originating from GitHub Action workflow runs.
For more information on how to configure this, follow the RHACS documentation.
Below is a sample configuration via API you can use:
curl \
https://<central-endpoint>/v1/auth/m2m \
-d @- << EOF
{
"config": {
"type": "GITHUB_ACTIONS",
"tokenExpirationDuration": "5m", // This can be used to specify the expiration of the exchanged access token.
"mappings": [ // Mappings configure which token claims to map to which roles within the ACS Central instance.
{
"key": "sub",
"valueExpression": "repo:octo-org/octo-repo.*", // This supports https://github.com/google/re2/wiki/Syntax expressions.
"role": "Continuous Integration"
}
],
}
}
EOFRecommendations
- For specifics on the claim values on the ID tokens issued by GitHub's OIDC provider, check out this documentation.
- Make sure to map claim values specific to your repository. It is recommended to use the
subclaim for that. For more information about the subject claim's structure for tokens issued by GitHub's OIDC provider, check out this documentation.
After the ACS Central instance has been configured to allow exchanging tokens from GitHub Action workflow runs, you can add the following step to your workflow:
- name: Central Login
uses: stackrox/central-login@v1
with:
endpoint: https://<central-endpoint>:443After the central login step has succeeded, the following environment variables are configured for other steps to use:
ROX_API_TOKENwhich contains the exchanged access token for the ACS Central instance.ROX_ENDPOINTwhich contains the ACS Central instance endpoint correlated with the access token.
For verifying everything works correctly, the example below can be used:
- name: Login to Central
uses: stackrox/central-login@v1
with:
endpoint: https://<central-endpoint>:443
- name: Install roxctl from Central
uses: stackrox/roxctl-installer-action@v1
with:
central-endpoint: https://${{ env.ROX_ENDPOINT }}
central-token: ${{ env.ROX_API_TOKEN }}
- name: roxctl central whoami
run: |
roxctl central whoamiThis will output the specifics about the access token (i.e. it's associated permissions and roles) as well as the originating user.