{"id":51015651,"url":"https://github.com/vbem/configure-huawei-cloud-credentials","last_synced_at":"2026-06-21T10:01:33.349Z","repository":{"id":363068554,"uuid":"1261852754","full_name":"vbem/configure-huawei-cloud-credentials","owner":"vbem","description":"🌼 Configure Huawei Cloud Credentials via OIDC for GitHub Actions","archived":false,"fork":false,"pushed_at":"2026-06-07T08:38:12.000Z","size":3,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-06-07T10:21:18.300Z","etag":null,"topics":["actions","huawei","huaweicloud","oidc"],"latest_commit_sha":null,"homepage":"","language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/vbem.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-06-07T08:33:38.000Z","updated_at":"2026-06-07T08:41:33.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/vbem/configure-huawei-cloud-credentials","commit_stats":null,"previous_names":["vbem/configure-huawei-cloud-credentials"],"tags_count":null,"template":false,"template_full_name":null,"purl":"pkg:github/vbem/configure-huawei-cloud-credentials","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/vbem%2Fconfigure-huawei-cloud-credentials","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/vbem%2Fconfigure-huawei-cloud-credentials/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hos
ts/GitHub/repositories/vbem%2Fconfigure-huawei-cloud-credentials/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/vbem%2Fconfigure-huawei-cloud-credentials/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/vbem","download_url":"https://codeload.github.com/vbem/configure-huawei-cloud-credentials/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/vbem%2Fconfigure-huawei-cloud-credentials/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":34605335,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-06-21T02:00:05.568Z","response_time":54,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["actions","huawei","huaweicloud","oidc"],"created_at":"2026-06-21T10:01:30.732Z","updated_at":"2026-06-21T10:01:33.341Z","avatar_url":"https://github.com/vbem.png","language":null,"funding_links":[],"categories":[],"sub_categories":[],"readme":"# 🌼 Configure Huawei Cloud short-lived credentials via OIDC for GitHub Actions\n\n[![🧪 Testing](https://github.com/vbem/configure-huawei-cloud-credentials/actions/workflows/test.yml/badge.svg)](https://github.com/vbem/configure-huawei-cloud-credentials/actions/workflows/test.yml)\n[![GitHub release (latest 
SemVer)](https://img.shields.io/github/v/release/vbem/configure-huawei-cloud-credentials?label=Release\u0026logo=github)](https://github.com/vbem/configure-huawei-cloud-credentials/releases)\n[![Marketplace](https://img.shields.io/badge/GitHub%20Actions-Marketplace-blue?logo=github)](https://github.com/marketplace/actions/configure-huawei-cloud-credentials)\n\n## About\n\n⚠️⚠️⚠️ ***This action will become publicly available in August 2026, after Huawei Cloud releases the IAM/STS v5 OIDC APIs.***\n\n\u003cdiv align=\"center\"\u003e\n  \u003cimg src=\"https://docs.github.com/assets/cb-63262/mw-1440/images/help/actions/oidc-architecture.webp\" width=\"600\" alt=\"OIDC Architecture\"\u003e\n\u003c/div\u003e\n\nHuawei Cloud does not currently provide an official GitHub Action for OIDC-based credentials. This action fills that gap by configuring [temporary credentials](https://support.huaweicloud.com/usermanual-iam5/iam_01_1236.html) (**Access Key ID / Secret Access Key / Security Token**) for GitHub Actions, using a [GitHub OIDC token](https://docs.github.com/en/actions/how-tos/secure-your-work/security-harden-deployments/oidc-in-cloud-providers) exchanged with Huawei Cloud Security Token Service (STS). Workflows can access Huawei Cloud resources without storing long-lived *Access Key ID / Secret Key* pairs in GitHub Secrets. 
Comparable actions for other clouds and platforms include:\n\n- [`aws-actions/configure-aws-credentials`](https://github.com/marketplace/actions/configure-aws-credentials-action-for-github-actions)\n- [`azure/login`](https://github.com/marketplace/actions/azure-login)\n- [`google-github-actions/auth`](https://github.com/marketplace/actions/authenticate-to-google-cloud)\n- [`aliyun/configure-aliyun-credentials-action`](https://github.com/marketplace/actions/configure-alibaba-cloud-credentials-action-for-github-actions)\n- [`everpcpc/tencentcloud-oidc-auth`](https://github.com/marketplace/actions/authenticate-to-tencent-cloud)\n- [`hashicorp/vault-action`](https://github.com/marketplace/actions/hashicorp-vault)\n- [`jfrog/setup-jfrog-cli`](https://github.com/marketplace/actions/setup-jfrog-cli)\n- [`pypa/gh-action-pypi-publish`](https://github.com/marketplace/actions/pypi-publish)\n\n## Example Usage\n\n```yaml\njobs:\n  example:\n    runs-on: ubuntu-slim\n    timeout-minutes: 1\n    defaults: {run: {shell: bash}}\n    permissions: {id-token: write, contents: read}\n\n    steps:\n      - name: 🔑 Generate Huawei Cloud temporary credentials\n        id: creds\n        uses: vbem/configure-huawei-cloud-credentials@main\n        with:\n          provider-urn: iam::\u003caccount-id\u003e:oidcProvider:\u003cprovider-name\u003e\n          agency-urn: iam::\u003caccount-id\u003e:agency:\u003cagency-name\u003e\n\n      - name: 🔍 Print outputs of previous step\n        env: {STEP_OUTPUTS: \"${{ toJson(steps.creds.outputs) }}\"}\n        run: jq -C \u003c\u003c\u003c\"$STEP_OUTPUTS\"\n\n      - name: 🖥️ Setup Huawei Cloud KooCLI for testing\n        uses: vbem/setup-hcloud@main\n\n      - name: 🧪 Test temporary credentials using KooCLI\n        run: |-\n          hcloud sts GetCallerIdentity --cli-region=cn-east-3 \\\n            --cli-access-key=\"${HUAWEICLOUD_SDK_AK}\" \\\n            --cli-secret-key=\"${HUAWEICLOUD_SDK_SK}\" \\\n            
--cli-security-token=\"${HUAWEICLOUD_SDK_SECURITY_TOKEN}\" \\\n            | jq -C\n```\n\nNotes:\n\n1. The workflow must [grant `id-token: write` permission](https://docs.github.com/en/actions/how-tos/secure-your-work/security-harden-deployments/oidc-in-cloud-providers#adding-permissions-settings) so GitHub Actions can issue an OIDC token for this action.\n1. This [composite action](https://docs.github.com/en/actions/concepts/workflows-and-actions/custom-actions) requires `bash`, `curl`, and `jq`. These tools are [pre-installed](https://github.com/actions/runner-images/tree/main/images) on the official Unix-like GitHub-hosted runners.\n\n## Inputs\n\nID | Type | Default | Description\n--- | --- | --- | ---\n`provider-urn` | String | Required | The Huawei Cloud IAM v5 OIDC provider URN, in the format `iam::\u003caccount-id\u003e:oidcProvider:\u003cprovider-name\u003e`.\n`agency-urn` | String | Required | The Huawei Cloud IAM v5 agency URN to assume, in the format `iam::\u003caccount-id\u003e:agency:\u003cagency-name\u003e`.\n`audience` | String | `sts.huaweicloud.com` | The audience for the GitHub OIDC token.\n`session-name` | String | `GitHubActions` | The agency session name.\n`duration-seconds` | Number | `900` | The agency session duration, from `900` seconds (15 minutes) to `43200` seconds (12 hours).\n`export-env` | Boolean | `true` | Whether to export the [temporary credentials as environment variables](https://github.com/huaweicloud/huaweicloud-sdk-java-v3#241-environment-variables-top) for subsequent workflow steps.\n`env-ak-name` | String | `HUAWEICLOUD_SDK_AK` | The environment variable name used to export the Access Key ID.\n`env-sk-name` | String | `HUAWEICLOUD_SDK_SK` | The environment variable name used to export the Secret Access Key.\n`env-st-name` | String | `HUAWEICLOUD_SDK_SECURITY_TOKEN` | The environment variable name used to export the Security Token.\n`sts-region` | String | `cn-north-4` | The [Huawei Cloud STS API 
region](https://support.huaweicloud.com/api-iam5/iam_02_1101.html) to use.\n\n## Outputs\n\nID | Type | Description | Example\n--- | --- | --- | ---\n`ak` | String | Access Key ID for the temporary credential. | `HSTANO...........`\n`sk` | String | Secret Access Key for the temporary credential. | `EoWCQrr...........`\n`st` | String | Security Token for the temporary credential. | `hQpjbi1...........`\n`expiration` | Datetime | Expiration time for the temporary credential, in RFC 3339 format. | `2026-09-07T03:27:51.158Z`\n`urn` | String | The assumed agency URN. | `sts::\u003caccount-id\u003e::assumed-agency:\u003cagency-name\u003e/\u003csession-name\u003e`\n`id` | String | The assumed agency ID. | `\u003cagency-id\u003e:\u003csession-name\u003e`\n\n## Huawei Cloud IAM v5 Configuration\n\nBefore using this action, set up an OIDC provider and agency in Huawei Cloud [IAM v5](https://support.huaweicloud.com/productdesc-iam5/iam_01_1105.html). Legacy [IAM v3](https://support.huaweicloud.com/iam/index.html) does not support OIDC-based agency federation and cannot be used with this action.\n\nFor [***IAM Identity Provider***](https://console.huaweicloud.com/iam5/#/idp), the following settings are recommended:\n\nName | Recommended Value | Description\n--- | --- | ---\nType | `OIDC` | The identity provider type.\nIdentity Provider Name | `github_com` | A name that identifies github.com or a GHES instance as the provider.\nIdentity Provider URL | `https://token.actions.githubusercontent.com` | The [OIDC token issuer for github.com](https://docs.github.com/en/actions/reference/security/oidc). For [GitHub Enterprise Server (GHES)](https://docs.github.com/en/enterprise-server@latest/actions/reference/security/oidc), use `https://GHES_HOSTNAME/_services/token`.\nAudience | `sts.huaweicloud.com` | The [OIDC token audience](https://docs.github.com/en/actions/reference/security/oidc). 
It must match the `audience` input of this action.\nDescription | The URL of this action | Helps identify how this provider is used.\n\nFor [***IAM Agency***](https://support.huaweicloud.com/usermanual-iam5/iam_01_0915.html), the following settings are recommended:\n\nName | Recommended Value | Description\n--- | --- | ---\nAgency Name | `gh-\u003cusage-desc\u003e` | A name that identifies this agency's purpose, e.g. `gh-terraform-foobar-prod`.\nAgency Type | Custom trust policy | A custom trust policy can bind the agency to a specific OIDC provider and define flexible trust conditions.\nDescription | The URL of the OIDC identity provider | Helps identify how this agency is used.\nAuthorized Policies | As needed | Attach only the least-privilege [policies](https://support.huaweicloud.com/usermanual-iam5/iam_01_1159.html) required for your use case.\n\nAn [IAM agency's ***Trust Policy***](https://support.huaweicloud.com/usermanual-iam5/iam_01_0915.html#section2) controls who can assume the agency and under what conditions. The sample below allows GitHub Actions workflows in a specific repository to assume the agency. You can further restrict the [`oidc:sub` claim](https://docs.github.com/en/actions/reference/security/oidc#example-subject-claims) by organization, repository, branch, tag, environment, or other workflow context. Note that GitHub's [*Immutable Subject Claims* feature](https://docs.github.com/en/actions/reference/security/oidc#immutable-subject-claims) may change the `oidc:sub` format on github.com, but not on GHES, for repositories created, renamed, or transferred after July 15, 2026. 
Existing repositories can enable or disable this feature at the repository level in the GitHub UI (Settings \u003e Actions \u003e OIDC \u003e Use immutable subject claim).\n\n```jsonc\n{\n  \"Version\": \"5.0\",\n  \"Statement\": [\n    {\n      \"Action\": [\"sts:agencies:assumeWithOIDC\"],\n      \"Effect\": \"Allow\",\n      \"Condition\": {\n        \"StringLike\": {\n          // `oidc:sub` supports org/repo/branch/tag/environment/etc.\n          \"oidc:sub\": \"repo:\u003cgithub-owner-or-org\u003e/\u003cgithub-repo-id\u003e:*\"\n        },\n        \"StringEquals\": {\n          // `oidc:aud` must match `audience`\n          \"oidc:aud\": [\"sts.huaweicloud.com\"],\n          // `oidc:iss` must match the OIDC token issuer\n          \"oidc:iss\": [\"https://token.actions.githubusercontent.com\"]\n        }\n      },\n      \"Principal\": {\n        // `Federated` must match the OIDC provider URN\n        \"Federated\": [\"\u003cOIDC-provider-URN\u003e\"]\n      }\n    }\n  ]\n}\n```\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fvbem%2Fconfigure-huawei-cloud-credentials","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fvbem%2Fconfigure-huawei-cloud-credentials","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fvbem%2Fconfigure-huawei-cloud-credentials/lists"}