OIDC provider
Overview
OpenID Connect (OIDC) lets the Humanitec Platform Orchestrator access a customer's cloud resources without any static credentials being stored anywhere; it obtains short-lived, temporary credentials instead.
The Platform Orchestrator runs its own OIDC provider. You configure your cloud IAM to trust that provider and prepare the identities (for example a cloud role or service account) that the provider may assume; this setup is known as identity federation. The Platform Orchestrator can then act on cloud resources only within the permissions you have granted to those identities.
OIDC is used in the context of Platform Orchestrator Cloud Accounts. A Cloud Account makes the federated identity available to the Drivers that support the respective Cloud Account type.
These Cloud Account types make use of OIDC:
The Humanitec Platform Orchestrator OIDC issuer URL is:
https://idtoken.humanitec.io
The discovery endpoint is therefore:
https://idtoken.humanitec.io/.well-known/openid-configuration
A cloud IAM verifying a token reads two things from the discovery document served there: the issuer value, which must match the URL above exactly and equal the token's iss claim, and the jwks_uri, from which it fetches the public keys used to verify the token's signature.
Architecture
When the Platform Orchestrator needs temporary credentials to access a customer's cloud resources, it runs this flow:
- The Platform Orchestrator generates an ID token signed by its OIDC provider and presents it to the target cloud's IAM (token exchange) service
- The IAM service fetches the issuer's public signing keys, located through the discovery endpoint, verifies the token's signature against them, and checks the token's claims (issuer, audience, subject, expiry) against the trust relationship you configured
- If everything checks out, the IAM service returns short-lived credentials (an access token or temporary keys, depending on the cloud) to the Platform Orchestrator
- The Orchestrator uses those credentials to act on cloud resources, within the permissions granted to the federated identity
Because a cloud identity that trusts the issuer would otherwise accept any token the issuer signs, the trust relationship should constrain the expected audience and subject claims as well as the issuer; this is standard practice for OIDC identity federation.
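The exchange above, as an added example that is not part of the Humanitec documentation or product code: a self-contained Go program that plays both sides offline. One half mints an RS256 ID token and publishes the matching JWKS, the other half does what a cloud IAM does before handing back credentials: look the signing key up by kid in the key set it would fetch via the discovery document, verify the signature, and check iss, aud and exp against the trust relationship. Only the issuer URL is taken from this page; the RSA key, the key ID key-1, the subject org-example and the audience cloud-iam-example are constructed stand-ins, and the key set is passed in directly where a real verifier would fetch it from jwks_uri over HTTPS.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// IssuerURL is the issuer documented on the page. The RSA key, key ID,
// audience and subject used below are constructed for this example.
const IssuerURL = "https://idtoken.humanitec.io"

// JWK/JWKS: an RSA public key and key set in the form served at the jwks_uri
// named by the issuer's discovery document (RFC 7517). Claims: the ID token
// payload the IAM side checks against its trust relationship.
type JWK struct{ Kty, Kid, N, E string }
type JWKS struct{ Keys []JWK }
type Claims struct {
	Iss string `json:"iss"`
	Sub string `json:"sub"`
	Aud string `json:"aud"`
	Exp int64  `json:"exp"`
}

var b64 = base64.RawURLEncoding
// MintIDToken plays the Orchestrator's OIDC provider: it issues an RS256-signed JWT.
func MintIDToken(key *rsa.PrivateKey, kid string, c Claims) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	pl, _ := json.Marshal(c)
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(pl)
	h := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, h[:])
	return input + "." + b64.EncodeToString(sig), err
}

// PublishJWKS is what the issuer serves at jwks_uri: the public half only.
func PublishJWKS(key *rsa.PrivateKey, kid string) JWKS {
	return JWKS{Keys: []JWK{{Kty: "RSA", Kid: kid, N: b64.EncodeToString(key.N.Bytes()),
		E: b64.EncodeToString(big.NewInt(int64(key.E)).Bytes())}}}
}

// VerifyIDToken plays the cloud IAM side. issuer and jwks are what a real verifier
// reads from, and fetches via, the discovery document. The token is accepted only
// if a key in jwks verifies its signature and iss, aud and exp match the trust relationship.
func VerifyIDToken(token, issuer string, jwks JWKS, wantAud string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("malformed JWT")
	}
	var hdr struct{ Alg, Kid string }
	if raw, err := b64.DecodeString(parts[0]); err != nil || json.Unmarshal(raw, &hdr) != nil {
		return nil, fmt.Errorf("bad header")
	}
	if hdr.Alg != "RS256" { // the verifier, never the token, picks the algorithm
		return nil, fmt.Errorf("unexpected alg %q", hdr.Alg)
	}
	var pub *rsa.PublicKey // look the signing key up by kid; anything else is untrusted
	for _, k := range jwks.Keys {
		if k.Kid == hdr.Kid && k.Kty == "RSA" {
			n, _ := b64.DecodeString(k.N)
			e, _ := b64.DecodeString(k.E)
			pub = &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}
		}
	}
	sig, err := b64.DecodeString(parts[2])
	h := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if pub == nil || err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig) != nil {
		return nil, fmt.Errorf("no trusted issuer key verifies the signature (kid %q)", hdr.Kid)
	}
	var c Claims // claims are only read after the signature is known to be good
	if raw, err := b64.DecodeString(parts[1]); err != nil || json.Unmarshal(raw, &c) != nil {
		return nil, fmt.Errorf("bad payload")
	}
	switch {
	case c.Iss != issuer:
		return nil, fmt.Errorf("issuer %q is not the trusted provider", c.Iss)
	case c.Aud != wantAud:
		return nil, fmt.Errorf("audience %q not accepted", c.Aud)
	case now.Unix() >= c.Exp:
		return nil, fmt.Errorf("token expired")
	}
	return &c, nil
}

func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	tok, _ := MintIDToken(key, "key-1", Claims{Iss: IssuerURL, Sub: "org-example",
		Aud: "cloud-iam-example", Exp: time.Now().Add(5 * time.Minute).Unix()})
	c, err := VerifyIDToken(tok, IssuerURL, PublishJWKS(key, "key-1"), "cloud-iam-example", time.Now())
	fmt.Println(c, err)
}
```

On a real cloud the verification runs inside the provider's token exchange service and the result is the cloud's own short-lived credential; the example returns the verified claims instead. The checks that matter for the caveat above are the ones after the signature: a token signed by the trusted issuer but carrying another audience or subject must still be refused, otherwise any tenant of the same issuer could assume your identity.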