Open ID Connect (OIDC) for GHEC Audit Log Streaming to Azure Blob Storage

[github-product-roadmap]

Summary

Today, GitHub’s audit log streaming feature requires storage of cloud secrets in GitHub when configuring your stream. Going forward, the audit log feature will support OpenID Connect (OIDC) for streaming partners. OIDC allows for the use of short-lived tokens that are automatically rotated for each configuration.

Intended Outcome

• With the new OpenID Connect (OIDC) support, you can stream to one of our five streaming partners
• OpenID token exchange eliminates the need for storing any long-lived cloud secrets in GitHub
• Enterprise owners can use the security mechanisms of their cloud provider to ensure minimal access to cloud resources

How will it work?

OIDC will establish an identity layer between GitHub and Azure for the purposes of authenticating GitHub to stream audit log events to a specified Azure blob. Enterprise owners will establish trust with the GitHub audit log application and assign audit log a role with write permissions to the Azure blob. When streaming GitHub events via audit log streaming, GitHub will authenticate the cloud role and the Github audit log identity using short lived tokens.

[ankneis]

This issue is being closed as outdated. For more information, please check out this Discussion post. Stay tuned for new additions to our refreshed public roadmap!