OIDC provider

Overview

OpenID Connect (OIDC) allows the Humanitec Platform Orchestrator to access a customer’s cloud resources without storing any static credentials; it uses short-lived, temporary (“dynamic”) credentials instead.

The Platform Orchestrator maintains its own OIDC provider. You can configure your cloud IAM to trust that provider and prepare identities that the provider may assume (identity federation). The Platform Orchestrator may then act on cloud resources only within the limits of the permissions you have granted to these identities.

The OIDC mechanism is used within the context of Platform Orchestrator Cloud Accounts. A Cloud Account makes the federated identity available to Drivers supporting the respective Cloud Account type.

These Cloud Account types make use of OIDC:

The Humanitec Platform Orchestrator OIDC issuer URL is https://idtoken.humanitec.io.

The discovery endpoint is therefore https://idtoken.humanitec.io/.well-known/openid-configuration.

Architecture

When the Platform Orchestrator needs to obtain temporary credentials to access a customer’s cloud resources, it initiates this flow:

The Humanitec OIDC provider

  1. The Platform Orchestrator generates a signed ID token and sends it to the target cloud IAM service
  2. The IAM service validates the token’s signature against the signing keys it retrieves from the Humanitec OIDC issuer
  3. Upon successful validation, the IAM service issues an access token back to the Platform Orchestrator
  4. The Orchestrator uses the access token to access cloud resources
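Steps 1 and 2 of this flow, written out as an added example that is not Humanitec's or any cloud provider's code: the issuer mints an RS256-signed ID token, and the IAM side selects the key by `kid`, verifies the signature, and then checks `iss`, `aud` and `exp` before trusting the identity. The key set is an in-memory map standing in for the keys a real IAM would fetch via the discovery endpoint, and the audience, subject and key id values are constructed placeholders.

```go
package main
import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)
// Claims is the subset of ID-token claims the cloud IAM must check before trusting the token.
type Claims struct {
	Iss string `json:"iss"` // must equal the issuer the IAM was configured to trust
	Sub string `json:"sub"` // the federated identity the IAM maps to a role (placeholder values in use)
	Aud string `json:"aud"` // must equal the audience the IAM expects for itself (placeholder value in use)
	Exp int64  `json:"exp"` // unix seconds; dynamic credentials are short-lived
}
var b64 = base64.RawURLEncoding
func digest(s string) []byte { d := sha256.Sum256([]byte(s)); return d[:] }
// MintIDToken is the issuer's side (step 1): sign header.payload with its RSA private key.
func MintIDToken(priv *rsa.PrivateKey, kid string, c Claims) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "kid": kid})
	body, _ := json.Marshal(c)
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest(input))
	return input + "." + b64.EncodeToString(sig)
}
// VerifyIDToken is the IAM's side (step 2): pick the key by kid from the issuer's published key set, verify the signature, then check iss, aud and exp.
func VerifyIDToken(tok string, keys map[string]*rsa.PublicKey, iss, aud string, now int64) (*Claims, error) {
	p := strings.Split(tok, ".")
	if len(p) != 3 {
		return nil, errors.New("malformed token")
	}
	hdrRaw, e1 := b64.DecodeString(p[0])
	bodyRaw, e2 := b64.DecodeString(p[1])
	sig, e3 := b64.DecodeString(p[2])
	var hdr struct{ Alg, Kid string }
	if e1 != nil || e2 != nil || e3 != nil || json.Unmarshal(hdrRaw, &hdr) != nil {
		return nil, errors.New("malformed token")
	}
	if hdr.Alg != "RS256" || keys[hdr.Kid] == nil || rsa.VerifyPKCS1v15(keys[hdr.Kid], crypto.SHA256, digest(p[0]+"."+p[1]), sig) != nil {
		return nil, errors.New("bad alg, unknown kid or bad signature") // alg=none or a MAC alg is rejected here
	}
	var c Claims
	if json.Unmarshal(bodyRaw, &c) != nil || c.Iss != iss || c.Aud != aud || now >= c.Exp {
		return nil, errors.New("issuer, audience or expiry rejected")
	}
	return &c, nil
}
```

The algorithm is pinned to RS256 rather than read from the token, so a token carrying alg=none or a symmetric alg cannot bypass the signature check even if its header names a known kid.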