New OIDC README section
rgharris committed Dec 3, 2024
1 parent 834223d commit 6cbd2f2
Showing 1 changed file with 28 additions and 3 deletions.
31 changes: 28 additions & 3 deletions README.md
Expand Up @@ -9,7 +9,7 @@ This action enables you to fetch Doppler secrets for use in your GitHub Actions.
The action can be configured in two ways:

* Service Token (recommended)
* Service Account Token with Project and Config
* Service Account with Project and Config

### Service Token

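Review bot: The renamed bullet "Service Account with Project and Config" no longer tells the reader that this option now covers two credentials, a static Service Account Token and an OIDC identity, while the intro still says "two ways" and marks the Service Token as recommended. Consider naming both sub-methods in the bullet, for example "Service Account (token or OIDC identity) with Project and Config", so that readers who want to avoid a stored static secret can see that option from the overview.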
Expand All @@ -26,9 +26,13 @@ Then supply the Service Token using the `doppler-token` input:
doppler-token: ${{ secrets.DOPPLER_TOKEN }}
```
### Service Account Token
### Service Account
A Doppler Service Account Token allows for a configurable set of permissions to services in your workplace. The `doppler-project` and `doppler-config` inputs must be provided when using a Service Account Token:
A Doppler Service Account allows for a configurable set of permissions to services in your workplace. A project and config must be specified when using a Service Account.
#### Service Account Token
The `doppler-project` and `doppler-config` inputs must be provided when using a Service Account Token:

```yaml
- uses: dopplerhq/[email protected]
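Review bot: The sentence added under "### Service Account", "A project and config must be specified when using a Service Account.", is restated straight away by the "#### Service Account Token" line that names `doppler-project` and `doppler-config`. State the requirement once: either name the two inputs in the parent section and let each subsection list only what is specific to it, or drop the parent sentence and keep the per-method wording.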
Expand All @@ -39,6 +43,27 @@ A Doppler Service Account Token allows for a configurable set of permissions to
doppler-config: ci-cd
```

#### Service Account Identity via OIDC

[Identities](https://docs.doppler.com/docs/service-account-identities) allow a service account to authenticate to Doppler via OIDC without using a static API token. This method works like the Service Account Token method above but without a static API token.

The `auth-method`, `doppler-identity-id`, `doppler-project` and `doppler-config` inputs must be provided when using a Service Account Identity. The permission `id-token: write` is required so that Doppler can obtain an OIDC token from Github for authentication.

```yaml
jobs:
your-example-job:
permissions:
id-token: write # required for obtaining the OIDC JWT from Github
steps:
- uses: dopplerhq/[email protected]
id: doppler
with:
auth-method: oidc
doppler-identity-id: <your-service-account-identity-uuid>
doppler-project: auth-api
doppler-config: ci-cd
```

## Usage

Secrets can be accessed in two ways:
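Review bot: In the sentence "The permission `id-token: write` is required so that Doppler can obtain an OIDC token from Github", the actor is off: that permission lets the workflow job (and so the action) request the OIDC token from GitHub, and the token is then presented to Doppler. Suggest rewording to say the action requests the token, and spelling it "GitHub" here and in the YAML comment. The second sentence of the first paragraph also repeats "without a static API token" from the sentence before it and can be dropped. Since the example sets a job-level `permissions:` block with only `id-token: write`, every permission not listed there becomes `none`; a short remark that jobs which also check out code need `contents: read` would spare readers a confusing failure.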