AI Docs Bundle
Join Our Community Slack Contact
Octo STS

Octo STS Overview

Learn about Octo STS, an open source security token service for GitHub that uses OIDC federation to eliminate long-lived Personal Access Tokens
  2 min read
octo-sts Overview OIDC Security

Octo STS is a GitHub App developed by Chainguard that acts as a Security Token Service (STS) for the GitHub API. It enables workloads running anywhere that can produce OIDC tokens to federate with GitHub, exchanging those tokens for short-lived GitHub access tokens. The primary goal is to eliminate the need for GitHub Personal Access Tokens (PATs), which are long-lived credentials that pose significant security risks.

Why Octo STS Matters

Long-lived access tokens are a common target in security incidents. When attackers gain access to a PAT, they can exploit it to access repositories, make changes, and pivot to other resources. These tokens often have broad permissions and no expiration date, making them particularly dangerous if compromised.

Octo STS addresses this problem by:

  • Eliminating long-lived credentials: No more PATs that sit around indefinitely
  • Enabling OIDC federation: Leverage existing identity providers to authenticate workloads
  • Providing short-lived tokens: Generated tokens expire automatically
  • Implementing fine-grained access control: Grant only the permissions needed for specific tasks
  • Supporting multiple identity providers: Works with GitHub Actions, cloud providers (AWS, GCP, Azure), Kubernetes, and any OIDC-compliant system

How Octo STS Works

Octo STS operates through a trust policy model. The steps to install and use Octo STS are:

  1. Install the GitHub App: Add the octo-sts GitHub App to your organization or repositories
  2. Define trust policies: Create policy files (.github/chainguard/{name}.sts.yaml) that specify which identities can access which resources
  3. Exchange tokens: Workloads present OIDC tokens to Octo STS
  4. Receive GitHub tokens: If the identity matches the trust policy, Octo STS issues a short-lived GitHub token with specified permissions

The Octo STS app needs to request a large number of permissions. This set of permissions is reviewed on a quarterly basis to ensure it meets common use cases without being overly broad.

The Token Exchange Process

This sequence diagram outlines the token exchange process in Octo STS:

Octo STS sequence diagram showing order of network requests

Common Use Cases

  • Developing Actions that create Pull Requests (a PAT is required to trigger presubmit GitHub Actions)

  • Developing Actions that interact across repositories (unsupported by built-in permissions)

  • Developing Actions that interact with the GitHub organization level

  • Providing external services (e.g. clouds) with access to repositories

Learn More

Refer to our Octo STS FAQ for answeres to frequently asked questions and troubleshooting recommendations.

You may also find these resources to be useful:

Related Articles

Octo STS FAQ

Learn about Octo STS for GitHub token federation, including setup issues, security best practices, and integration …

  6 min read

Understanding FIPS

Learn about FIPS standards, who needs FIPS validation, and the cryptographic module validation process

  6 min read

Last updated: 2025-12-24 15:04

chainctl version Prev   Octo STS FAQ   Next