OIDC provider

Overview

OpenID Connect (OIDC) allows the Humanitec Platform Orchestrator to access a customer’s cloud resources without storing any static credentials, and using short-lived temporary credentials instead.

The Platform Orchestrator maintains its own OIDC provider. You can configure your cloud IAM to trust that provider, and prepare identities which the provider may assume (identity federation). The Platform Orchestrator may then act on cloud resources within the limits of the permissions you have granted to these identities.

The OIDC mechanism is used within the context of Platform Orchestrator Cloud Accounts. A Cloud Account makes the federated identity available to Drivers supporting the respective Cloud Account type.

These Cloud Account types make use of OIDC:

The Humanitec Platform Orchestrator OIDC issuer URL is https://idtoken.humanitec.io.

The discovery endpoint is therefore https://idtoken.humanitec.io/.well-known/openid-configuration.

Architecture

When the Platform Orchestrator needs to obtain temporary credentials to access a customer’s cloud resources, it initiates this flow:

The Humanitec OIDC provider

  1. The Platform Orchestrator generates a signed ID token and sends it to the target cloud IAM service
  2. The IAM service validates the signature with a call to the Humanitec OIDC issuer
  3. Upon successful validation, the IAM service issues an access token back to the Platform Orchestrator
  4. The Orchestrator uses the access token to access cloud resources
Top