From 99a4d429010d62f589f1358262032a261d2a3039 Mon Sep 17 00:00:00 2001 From: Martin Lopes Date: Wed, 27 Oct 2021 04:04:04 +1000 Subject: [PATCH] [Oct 26, 2021] Deployments: Authenticating with OpenID Connect (#21775) Co-authored-by: John Bohannon Co-authored-by: Sarah Edwards Co-authored-by: hubwriter --- ...ing-to-amazon-elastic-container-service.md | 2 +- .../deploying-to-azure-app-service.md | 2 +- ...-security-hardening-with-openid-connect.md | 9 +- ...g-openid-connect-in-amazon-web-services.md | 104 ++++++++++++++++++ .../configuring-openid-connect-in-azure.md | 100 +++++++++++++++++ ...uring-openid-connect-in-cloud-providers.md | 10 +- ...openid-connect-in-google-cloud-platform.md | 99 +++++++++++++++++ ...uring-openid-connect-in-hashicorp-vault.md | 93 ++++++++++++++++ .../index.md | 4 + .../actions/about-oidc-short-overview.md | 2 +- 10 files changed, 415 insertions(+), 10 deletions(-) create mode 100644 content/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services.md create mode 100644 content/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-azure.md create mode 100644 content/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-google-cloud-platform.md create mode 100644 content/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-hashicorp-vault.md diff --git a/content/actions/deployment/deploying-to-your-cloud-provider/deploying-to-amazon-elastic-container-service.md b/content/actions/deployment/deploying-to-your-cloud-provider/deploying-to-amazon-elastic-container-service.md index 9e8b19318fc5..1c03182c7d0c 100644 --- a/content/actions/deployment/deploying-to-your-cloud-provider/deploying-to-amazon-elastic-container-service.md +++ b/content/actions/deployment/deploying-to-your-cloud-provider/deploying-to-amazon-elastic-container-service.md 
@@ -31,7 +31,7 @@ On every new push to `main` in your {% data variables.product.company_short %} r {% note %} -**Note**: {% data reusables.actions.about-oidc-short-overview %} +**Note**: {% data reusables.actions.about-oidc-short-overview %} and ["Configuring OpenID Connect in Amazon Web Services"](/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services). {% endnote %} diff --git a/content/actions/deployment/deploying-to-your-cloud-provider/deploying-to-azure-app-service.md b/content/actions/deployment/deploying-to-your-cloud-provider/deploying-to-azure-app-service.md index 454e6f4d0a8d..130831e256cd 100644 --- a/content/actions/deployment/deploying-to-your-cloud-provider/deploying-to-azure-app-service.md +++ b/content/actions/deployment/deploying-to-your-cloud-provider/deploying-to-azure-app-service.md @@ -31,7 +31,7 @@ Azure App Service can run web apps in several languages, but this guide demonstr {% note %} -**Note**: {% data reusables.actions.about-oidc-short-overview %} +**Note**: {% data reusables.actions.about-oidc-short-overview %} and "[Configuring OpenID Connect in Azure](/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-azure)." {% endnote %} diff --git a/content/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect.md b/content/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect.md index 6b2291787c7b..ebc41cab9224 100644 --- a/content/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect.md +++ b/content/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect.md 
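Review bot: The two callers punctuate the new cross-reference differently: the ECS hunk writes `... and ["Configuring OpenID Connect in Amazon Web Services"](...).` with the period after the closing parenthesis, while the Azure hunk on the same line writes `... and "[Configuring OpenID Connect in Azure](...)."` with the quotes wrapping the link and the period inside them. Since the reusable in the last hunk now drops its trailing period so that callers supply it, both callers should use the same form; the Azure form matches the style the reusable text itself uses for its link.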
@@ -224,6 +224,13 @@ You can now update your YAML workflows to use OIDC access tokens instead of secr ## Enabling OpenID Connect for your cloud provider -To enable and configure OIDC for your cloud provider, see the following guide: +To enable and configure OIDC for your specific cloud provider, see the following guides: + +- ["Configuring OpenID Connect in Amazon Web Services"](/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services) +- ["Configuring OpenID Connect in Azure"](/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-azure) +- ["Configuring OpenID Connect in Google Cloud Platform"](/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-google-cloud-platform) +- ["Configuring OpenID Connect in Hashicorp Vault"](/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-hashicorp-vault) + +To enable and configure OIDC for another cloud provider, see the following guide: - ["Configuring OpenID Connect in cloud providers"](/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-cloud-providers) diff --git a/content/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services.md b/content/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services.md new file mode 100644 index 000000000000..a51d7e08b706 --- /dev/null +++ b/content/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services.md 
@@ -0,0 +1,104 @@ +--- +title: Configuring OpenID Connect in Amazon Web Services +shortTitle: Configuring OpenID Connect in Amazon Web Services +intro: 'Use OpenID Connect within your workflows to authenticate with Amazon Web Services.' +miniTocMaxHeadingLevel: 3 +versions: + fpt: '*' + ghae: 'issue-4856' + ghec: '*' +type: tutorial +topics: + - Security +--- + +{% data reusables.actions.enterprise-beta %} +{% data reusables.actions.enterprise-github-hosted-runners %} + +## Overview + +OpenID Connect (OIDC) allows your {% data variables.product.prodname_actions %} workflows to access resources in Amazon Web Services (AWS), without needing to store the AWS credentials as long-lived {% data variables.product.prodname_dotcom %} secrets. + +This guide explains how to configure AWS to trust {% data variables.product.prodname_dotcom %}'s OIDC as a federated identity, and includes a workflow example for the [`aws-actions/configure-aws-credentials`](https://github.com/aws-actions/configure-aws-credentials) that uses tokens to authenticate to AWS and access resources. + +## Prerequisites + +{% data reusables.actions.oidc-link-to-intro %} + +{% data reusables.actions.oidc-security-notice %} + +## Adding the identity provider to AWS + +To add the {% data variables.product.prodname_dotcom %} OIDC provider to IAM, see the [AWS documentation](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_oidc.html). + +- For the provider URL: Use `https://token.actions.githubusercontent.com` +- For the "Audience": Use `sts.amazonaws.com` if you are using the [official action](https://github.com/aws-actions/configure-aws-credentials). 
+ +### Configuring the role and trust policy + +To configure the role and trust in IAM, see the AWS documentation for ["Assuming a Role"](https://github.com/aws-actions/configure-aws-credentials#assuming-a-role) and ["Creating a role for web identity or OpenID connect federation"](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-idp_oidc.html). + +By default, the validation only includes the audience (`aud`) condition, so you must manually add a subject (`sub`) condition. Edit the trust relationship to add the `sub` field to the validation conditions. For example: + +```yaml{:copy} +"Condition": { + "StringEquals": { + "token.actions.githubusercontent.com:aud": "https://github.com/octo-org", + "token.actions.githubusercontent.com:sub": "token.actions.githubusercontent.com:sub": "repo:octo-org/octo-repo:ref:refs/heads/octo-branch" +``` + +## Updating your {% data variables.product.prodname_actions %} workflow + +To update your workflows for OIDC, you will need to make two changes to your YAML: +1. Add permissions settings for the token. +2. Use the [`aws-actions/configure-aws-credentials`](https://github.com/aws-actions/configure-aws-credentials) action to exchange the OIDC token (JWT) for a cloud access token. + +### Adding permissions settings + +The workflow will require a `permissions` setting with a defined [`id-token`](/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token) value. If you only need to fetch an OIDC token for a single job, then this permission can be set within that job. For example: + +```yaml{:copy} +permissions: + id-token: write +``` + +You may need to specify additional permissions here, depending on your workflow's requirements. + +### Requesting the access token + +The `aws-actions/configure-aws-credentials` action receives a JWT from the {% data variables.product.prodname_dotcom %} OIDC provider, and then requests an access token from AWS. 
For more information, see the AWS [documentation](https://github.com/aws-actions/configure-aws-credentials). + +- ``: Add the name of your S3 bucket here. +- ``: Replace the example with your AWS role. +- ``: Add the name of your AWs region here. + +```yaml{:copy} +# Sample workflow to access AWS resources when workflow is tied to branch +# The workflow Creates static website using aws s3 +name: AWS example workflow +on: + push +env: + BUCKET_NAME : "" + AWS_REGION : "" +# permission can be added at job level or workflow level +permissions: + id-token: write + contents: write # This is required for actions/checkout@v1 +jobs: + S3PackageUpload: + runs-on: ubuntu-latest + steps: + - name: Git clone the repository + uses: actions/checkout@v1 + - name: configure aws credentials + uses: aws-actions/configure-aws-credentials@master + with: + role-to-assume: arn:aws:iam::1234567890:role/example-role + role-session-name: samplerolesession + aws-region: ${{ env.AWS_REGION }} + # Upload a file to AWS s3 + - name: Copy index.html to s3 + run: | + aws s3 cp ./index.html s3://${{ env.BUCKET_NAME }}/ +``` diff --git a/content/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-azure.md b/content/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-azure.md new file mode 100644 index 000000000000..b2a5a6809afb --- /dev/null +++ b/content/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-azure.md 
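Review bot: The trust-policy snippet under "Configuring the role and trust policy" cannot be used as written: the `sub` key appears twice in a row (`"token.actions.githubusercontent.com:sub": "token.actions.githubusercontent.com:sub": "repo:..."`), the `StringEquals` and `Condition` objects are never closed, and the `aud` value `https://github.com/octo-org` contradicts the instruction a few lines earlier to use `sts.amazonaws.com` as the audience with the official action, so a reader who follows the text and then pastes the example gets a role that rejects every token, while one who drops the `sub` line to make it parse gets the over-broad trust the surrounding paragraph warns about. A corrected block is below. Separately, the workflow example uses `aws-actions/configure-aws-credentials@master`, a mutable branch ref for the step that handles the cloud credential, whereas the sibling pages in this commit pin a release (`azure/login@v1.4.0`, `google-github-actions/auth@v0.3.1`); this one should pin a tag as well. The `contents: write # This is required for actions/checkout@v1` line grants more than the checkout step needs, since checkout only reads the repository; `contents: read` is the least-privilege value unless a later step pushes.
```json
"Condition": {
  "StringEquals": {
    "token.actions.githubusercontent.com:aud": "sts.amazonaws.com",
    "token.actions.githubusercontent.com:sub": "repo:octo-org/octo-repo:ref:refs/heads/octo-branch"
  }
}
```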
@@ -0,0 +1,100 @@ +--- +title: Configuring OpenID Connect in Azure +shortTitle: Configuring OpenID Connect in Azure +intro: 'Use OpenID Connect within your workflows to authenticate with Azure.' +miniTocMaxHeadingLevel: 3 +versions: + fpt: '*' + ghae: 'issue-4856' + ghec: '*' +type: tutorial +topics: + - Security +--- + +{% data reusables.actions.enterprise-beta %} +{% data reusables.actions.enterprise-github-hosted-runners %} + +## Overview + +OpenID Connect (OIDC) allows your {% data variables.product.prodname_actions %} workflows to access resources in Azure, without needing to store the Azure credentials as long-lived {% data variables.product.prodname_dotcom %} secrets. + +This guide gives an overview of how to configure Azure to trust {% data variables.product.prodname_dotcom %}'s OIDC as a federated identity, and includes a workflow example for the [`azure/login`](https://github.com/Azure/login) action that uses tokens to authenticate to Azure and access resources. + +## Prerequisites + +{% data reusables.actions.oidc-link-to-intro %} + +{% data reusables.actions.oidc-security-notice %} + +## Adding the Federated Credentials to Azure + +{% data variables.product.prodname_dotcom %}'s OIDC provider works with Azure's workload identity federation. For an overview, see Microsoft's documentation at "[Workload identity federation](https://docs.microsoft.com/en-us/azure/active-directory/develop/workload-identity-federation)." + +To configure the OIDC identity provider in Azure, you will need to perform the following configuration. For instructions on making these changes, refer to [the Azure documentation](https://docs.microsoft.com/en-us/azure/developer/github/connect-from-azure). + +1. Create an Active Directory application and a service principal. +2. Add federated credentials for the Active Directory application. +3. Create {% data variables.product.prodname_dotcom %} secrets for storing Azure configuration. 
+ +Additional guidance for configuring the identity provider: + +- For security hardening, make sure you've reviewed ["Configuring the OIDC trust with the cloud"](/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#configuring-the-oidc-trust-with-the-cloud). For an example, see ["Configuring the subject in your cloud provider"](/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#configuring-the-subject-in-your-cloud-provider). +- For the `audience` setting, `api://AzureADTokenExchange` is the recommended value, but you can also specify other values here. + +## Updating your {% data variables.product.prodname_actions %} workflow + +To update your workflows for OIDC, you will need to make two changes to your YAML: +1. Add permissions settings for the token. +2. Use the [`azure/login`](https://github.com/Azure/login) action to exchange the OIDC token (JWT) for a cloud access token. + +### Adding permissions settings + +The workflow will require a `permissions` setting with a defined [`id-token`](/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token) value. If you only need to fetch an OIDC token for a single job, then this permission can be set within that job. For example: + +```yaml{:copy} +permissions: + id-token: write +``` + +You may need to specify additional permissions here, depending on your workflow's requirements. + +### Requesting the access token + +The [`azure/login`](https://github.com/Azure/login) action receives a JWT from the {% data variables.product.prodname_dotcom %} OIDC provider, and then requests an access token from Azure. For more information, see the [`azure/login`](https://github.com/Azure/login) documentation. + +The following example exchanges an OIDC ID token with Azure to receive an access token, which can then be used to access cloud resources. 
+ +```yaml{:copy} +name: Run Azure Login with OpenID Connect +on: [push] + +permissions: + id-token: write + +jobs: + build-and-deploy: + runs-on: ubuntu-latest + steps: + + - name: Installing CLI-beta for OpenID Connect + run: | + cd ../.. + CWD="$(pwd)" + python3 -m venv oidc-venv + . oidc-venv/bin/activate + echo "activated environment" + python3 -m pip install -q --upgrade pip + echo "started installing cli beta" + pip install -q --extra-index-url https://azcliprod.blob.core.windows.net/beta/simple/ azure-cli + echo "***************installed cli beta*******************" + echo "$CWD/oidc-venv/bin" >> $GITHUB_PATH + + - name: 'Az CLI login' + uses: azure/login@v1.4.0 + with: + client-id: {% raw %}${{ secrets.AZURE_CLIENTID }}{% endraw %} + tenant-id: {% raw %}${{ secrets.AZURE_TENANTID }}{% endraw %} + subscription-id: {% raw %}${{ secrets.AZURE_SUBSCRIPTIONID }}{% endraw %} +``` + \ No newline at end of file diff --git a/content/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-cloud-providers.md b/content/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-cloud-providers.md index 12346c1ae2b1..4d8d1b37fa75 100644 --- a/content/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-cloud-providers.md +++ b/content/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-cloud-providers.md 
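Review bot: The `Installing CLI-beta for OpenID Connect` step runs `pip install -q --extra-index-url https://azcliprod.blob.core.windows.net/beta/simple/ azure-cli` with no version pin and then prepends the venv's `bin` directory to `GITHUB_PATH`, so an unpinned pre-release CLI is placed first on the PATH of the same job that goes on to receive the Azure access token. The example should pin the `azure-cli` version it was tested with and explain why the pre-release index is needed, so readers know when the step can be dropped; the `azure/login@v1.4.0` step itself is correctly pinned. The file also ends without a trailing newline (`\ No newline at end of file`), unlike the other pages added in this commit.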
@@ -37,17 +37,15 @@ If your cloud provider doesn't yet offer an official action, you can update your ### Adding permissions settings -The workflow will likely require a `permissions` setting with a defined [`id-token`](/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token) value. For example: - -```yaml -name: Example deployment workflow -on: - workflow_dispatch: +The workflow will require a `permissions` setting with a defined [`id-token`](/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token) value. If you only need to fetch an OIDC token for a single job, then this permission can be set within that job. For example: +```yaml{:copy} permissions: id-token: write ``` +You may need to specify additional permissions here, depending on your workflow's requirements. + ### Using official actions If your cloud provider has created an official action for using OIDC with {% data variables.product.prodname_actions %}, it will allow you to easily exchange the OIDC token for an access token. You can then update your workflows to use this token when accessing cloud resources. diff --git a/content/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-google-cloud-platform.md b/content/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-google-cloud-platform.md new file mode 100644 index 000000000000..0109d1217625 --- /dev/null +++ b/content/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-google-cloud-platform.md 
@@ -0,0 +1,99 @@ +--- +title: Configuring OpenID Connect in Google Cloud Platform +shortTitle: Configuring OpenID Connect in Google Cloud Platform +intro: 'Use OpenID Connect within your workflows to authenticate with Google Cloud Platform.' +miniTocMaxHeadingLevel: 3 +versions: + fpt: '*' + ghae: 'issue-4856' + ghec: '*' +type: tutorial +topics: + - Security +--- + +{% data reusables.actions.enterprise-beta %} +{% data reusables.actions.enterprise-github-hosted-runners %} + +## Overview + +OpenID Connect (OIDC) allows your {% data variables.product.prodname_actions %} workflows to access resources in Google Cloud Platform (GCP), without needing to store the GCP credentials as long-lived {% data variables.product.prodname_dotcom %} secrets. + +This guide gives an overview of how to configure GCP to trust {% data variables.product.prodname_dotcom %}'s OIDC as a federated identity, and includes a workflow example for the [`google-github-actions/auth`](https://github.com/google-github-actions/auth) action that uses tokens to authenticate to GCP and access resources. + +## Prerequisites + +{% data reusables.actions.oidc-link-to-intro %} + +{% data reusables.actions.oidc-security-notice %} + +## Adding a Google Cloud Workload Identity Provider + +To configure the OIDC identity provider in GCP, you will need to perform the following configuration. For instructions on making these changes, refer to [the GCP documentation](https://github.com/google-github-actions/auth). + +1. Create a new identity pool. +2. Configure the mapping and add conditions. +3. Connect the new pool to a service account. + +Additional guidance for configuring the identity provider: + +- For security hardening, make sure you've reviewed ["Configuring the OIDC trust with the cloud"](/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#configuring-the-oidc-trust-with-the-cloud). 
For an example, see ["Configuring the subject in your cloud provider"](/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#configuring-the-subject-in-your-cloud-provider). +- For the service account to be available for configuration, it needs to be assigned to the `roles/iam.workloadIdentityUser` role. For more information, see [the GCP documentation](https://cloud.google.com/iam/docs/workload-identity-federation?_ga=2.114275588.-285296507.1634918453#conditions). +- The Issuer URL to use: `https://token.actions.githubusercontent.com` + +## Updating your {% data variables.product.prodname_actions %} workflow + +To update your workflows for OIDC, you will need to make two changes to your YAML: +1. Add permissions settings for the token. +2. Use the [`google-github-actions/auth`](https://github.com/google-github-actions/auth) action to exchange the OIDC token (JWT) for a cloud access token. + +### Adding permissions settings + +The workflow will require a `permissions` setting with a defined [`id-token`](/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token) value. If you only need to fetch an OIDC token for a single job, then this permission can be set within that job. For example: + +```yaml{:copy} +permissions: + id-token: write +``` + +You may need to specify additional permissions here, depending on your workflow's requirements. + +### Requesting the access token + +The `google-github-actions/auth` action receives a JWT from the {% data variables.product.prodname_dotcom %} OIDC provider, and then requests an access token from GCP. For more information, see the GCP [documentation](https://github.com/google-github-actions/auth). + +This example has a job called `Get_OIDC_ID_token` that uses actions to request a list of services from GCP. + +- ``: Replace this with the path to your identity provider in GCP. 
For example, `projects//locations/global/workloadIdentityPools/` +- ``: Replace this with the name of your service account in GCP. +- ``: Replace this with the ID of your GCP project. + +This action exchanges a {% data variables.product.prodname_dotcom %} OIDC token for a Google Cloud access token, using [Workload Identity Federation](https://cloud.google.com/iam/docs/workload-identity-federation). + +```yaml{:copy} +name: List services in GCP +on: + pull_request: + branches: + - main + +permissions: + id-token: write + +jobs: + Get_OIDC_ID_token: + runs-on: ubuntu-latest + steps: + - id: 'auth' + name: 'Authenticate to GCP' + uses: 'google-github-actions/auth@v0.3.1' + with: + create_credentials_file: 'true' + workload_identity_provider: '' + service_account: '' + - id: 'gcloud' + name: 'gcloud' + run: |- + gcloud auth login --brief --cred-file="${{ steps.auth.outputs.credentials_file_path }}" + gcloud config list +``` diff --git a/content/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-hashicorp-vault.md b/content/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-hashicorp-vault.md new file mode 100644 index 000000000000..c7154482c1c1 --- /dev/null +++ b/content/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-hashicorp-vault.md 
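Review bot: Under "Adding a Google Cloud Workload Identity Provider", the link labelled `the GCP documentation` points at the action's repository (`https://github.com/google-github-actions/auth`) rather than at Google Cloud's documentation, while the later `roles/iam.workloadIdentityUser` bullet does link to cloud.google.com; either label the first link as the action's README or point it at the Workload Identity Federation page already linked further down. That cloud.google.com link also carries a `?_ga=...` analytics query string that adds nothing for readers and should be removed from the URL.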
@@ -0,0 +1,93 @@ +--- +title: Configuring OpenID Connect in HashiCorp Vault +shortTitle: Configuring OpenID Connect in HashiCorp Vault +intro: 'Use OpenID Connect within your workflows to authenticate with HashiCorp Vault.' +miniTocMaxHeadingLevel: 3 +versions: + fpt: '*' + ghae: 'issue-4856' + ghec: '*' +type: tutorial +topics: + - Security +--- + +{% data reusables.actions.enterprise-beta %} +{% data reusables.actions.enterprise-github-hosted-runners %} + +## Overview + +OpenID Connect (OIDC) allows your {% data variables.product.prodname_actions %} workflows to authenticate with a HashiCorp Vault to retrieve secrets. + +This guide gives an overview of how to configure HashiCorp Vault to trust {% data variables.product.prodname_dotcom %}'s OIDC as a federated identity, and demonstrates how to use this configuration in [`hashicorp/vault-action`](https://github.com/hashicorp/vault-action) to retrieve secrets from HashiCorp Vault. + +## Prerequisites + +{% data reusables.actions.oidc-link-to-intro %} + +{% data reusables.actions.oidc-security-notice %} + +## Adding the identity provider to HashiCorp Vault + +To use OIDC with HashiCorp Vault, you will need to add a trust configuration for the {% data variables.product.prodname_dotcom %} OIDC provider. For more information, see the HashiCorp Vault [documentation](https://www.vaultproject.io/docs/auth/jwt). + +Configure the vault to accept JSON Web Tokens (JWT) for authentication: +- For the `oidc_discovery_url`, use `https://token.actions.githubusercontent.com` +- For `bound_issuer`, use `https://token.actions.githubusercontent.com` +- Ensure that `bound_subject` is correctly defined for your security requirements. For more information, see ["Configuring the OIDC trust with the cloud"](/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#configuring-the-oidc-trust-with-the-cloud) and [`hashicorp/vault-action`](https://github.com/hashicorp/vault-action). 
+ +## Updating your {% data variables.product.prodname_actions %} workflow + +To update your workflows for OIDC, you will need to make two changes to your YAML: +1. Add permissions settings for the token. +2. Use the [`hashicorp/vault-action`](https://github.com/hashicorp/vault-action) action to exchange the OIDC token (JWT) for a cloud access token. + + +To add OIDC integration to your workflows that allow them to access secrets in Vault, you will need to add the following code changes: + +- Grant permission to fetch the token from the {% data variables.product.prodname_dotcom %} OIDC provider: + - The workflow needs `permissions:` settings with the `id-token` value set to `write`. This lets you fetch the OIDC token from every job in the workflow. +- Request the JWT from the {% data variables.product.prodname_dotcom %} OIDC provider, and present it to HashiCorp Vault to receive an access token: + - You could use the [Actions toolkit](https://github.com/actions/toolkit/) to fetch the tokens for your job, or you can use the [`hashicorp/vault-action`](https://github.com/hashicorp/vault-action) action to fetch the JWT and receive the access token from the Vault. + +This example demonstrates how to use OIDC with the official action to request a secret from HashiCorp Vault. + +### Adding permissions settings + +The workflow will require a `permissions` setting with a defined [`id-token`](/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token) value. If you only need to fetch an OIDC token for a single job, then this permission can be set within that job. For example: + +```yaml{:copy} +permissions: + id-token: write +``` + +You may need to specify additional permissions here, depending on your workflow's requirements. 
+ +### Requesting the access token + +The `hashicorp/vault-action` action receives a JWT from the {% data variables.product.prodname_dotcom %} OIDC provider, and then requests an access token from your HashiCorp Vault instance to retrieve secrets. For more information, see the HashiCorp Vault [documentation](https://github.com/hashicorp/vault-action). + +This example demonstrates how to create a job that requests a secret from HashiCorp Vault. + +- ``: Replace this with the URL of your HashiCorp Vault. +- ``: Replace this with the role you've set in the HashiCorp Vault trust relationship. +- ``: Replace this with the audience you've defined in the HashiCorp Vault trust relationship. +- ``: Replace this with the path to the secret you're retrieving from HashiCorp Vault. For example: `secret/data/ci npmToken`. + +```yaml{:copy} +jobs: + retrieve-secret: + steps: + - name: Retrieve secret from Vault + uses: hashicorp/vault-action@v2.4.0 + with: + url: + role: + method: jwt + jwtGithubAudience: + secrets: + + - name: Use secret from Vault + run: | + # This step has access to the secret retrieved above; see hashicorp/vault-action for more details. +``` diff --git a/content/actions/deployment/security-hardening-your-deployments/index.md b/content/actions/deployment/security-hardening-your-deployments/index.md index ce0745641975..58235d101fc8 100644 --- a/content/actions/deployment/security-hardening-your-deployments/index.md +++ b/content/actions/deployment/security-hardening-your-deployments/index.md @@ -8,6 +8,10 @@ versions: ghec: '*' children: - /about-security-hardening-with-openid-connect + - /configuring-openid-connect-in-amazon-web-services + - /configuring-openid-connect-in-azure + - /configuring-openid-connect-in-google-cloud-platform + - /configuring-openid-connect-in-hashicorp-vault - /configuring-openid-connect-in-cloud-providers --- 
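Review bot: The `retrieve-secret` job in the example has no `runs-on` and no `permissions` block, so a job defined like this is rejected by Actions and, per the "Adding permissions settings" section directly above, could not request the OIDC token even if it ran; add `runs-on: ubuntu-latest` and `permissions:` / `  id-token: write` under the job, or state that the snippet assumes a workflow-level `permissions` block. The final `Use secret from Vault` step's `run:` body is only a comment, so it executes nothing; either show a real use of the retrieved output or replace the step with a sentence. The configuration list also names `bound_issuer` and `bound_subject` but not the audience, even though the workflow passes `jwtGithubAudience` and the placeholder text refers to "the audience you've defined in the HashiCorp Vault trust relationship"; the role's `bound_audiences` setting should be listed alongside so the two sides visibly agree.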
diff --git a/data/reusables/actions/about-oidc-short-overview.md b/data/reusables/actions/about-oidc-short-overview.md index 2bf6834a7262..4da4c8f81aa2 100644 --- a/data/reusables/actions/about-oidc-short-overview.md +++ b/data/reusables/actions/about-oidc-short-overview.md @@ -1,2 +1,2 @@ -If your {% data variables.product.prodname_actions %} workflows need to access resources from a cloud provider that supports OpenID Connect (OIDC), you can configure your workflows to authenticate directly to the cloud provider. This will let you stop storing these credentials as long-lived secrets and provide other security benefits. For more information, see "[About security hardening with OpenID Connect](/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect)." +If your {% data variables.product.prodname_actions %} workflows need to access resources from a cloud provider that supports OpenID Connect (OIDC), you can configure your workflows to authenticate directly to the cloud provider. This will let you stop storing these credentials as long-lived secrets and provide other security benefits. For more information, see "[About security hardening with OpenID Connect](/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect)"