Merge pull request #192 from phasehq/feat--github-actions-auth

feat: GitHub actions auth

Author: nimish-ks

public/access-control.md

@@ -1,14 +1,20 @@
 import { Tag } from '@/components/Tag'
 import { HeroPattern } from '@/components/HeroPattern'
 import { UserAuthProviders } from '@/components/UserAuthProviders'
+import { DocActions } from '@/components/DocActions'
 
 export const description =
   'This guide explains how to authenticate with Phase and manage access with the Access Control system.'
 
 <HeroPattern />
 
+<Tag variant="small">ACCESS CONTROL</Tag>
+
 # Authentication & Access Control
 
+Learn how to authenticate with Phase and manage access with the Access Control system.
+
+<DocActions /> 
 
 ## Overview
 

public/access-control/authentication.md

@@ -2,6 +2,7 @@ import { Tag } from '@/components/Tag'
 import { HeroPattern } from '@/components/HeroPattern'
 import { UserAuthProviders } from '@/components/UserAuthProviders'
 import { ProgrammaticAuth } from '@/components/ProgrammaticAuth'
+import { DocActions } from '@/components/DocActions'
 
 export const description = 'Authenticating with Phase.'
 
@@ -13,6 +14,8 @@ export const description = 'Authenticating with Phase.'
 
 Phase supports third-party authentication systems for access control. You can delegate authentication and administration to external providers such as Google, AWS IAM, GitHub, Kubernetes, GitLab, or Microsoft Azure to best suit your setup. When choosing an authentication provider, consider whether the access to Phase will be programmatic (machine-access) via REST API, SDK, CLI, etc., or user access (human-access).
 
+<DocActions /> 
+
 ## User Authentication
 
 User authentication in Phase is designed for seamless and secure web access. Phase supports both OAuth 2.0 and OpenID Connect (OIDC) protocols for Single Sign-On (SSO), allowing organizations to leverage their existing identity providers like Google, GitHub, GitLab, and JumpCloud. We plan to extend support to SCIM (System for Cross-domain Identity Management), which will enable automatic synchronization of user directories with Phase, including automatic provisioning and deprovisioning of user accounts based on changes in your organization's primary identity system.

public/access-control/authentication/oauth-sso.md

@@ -1,10 +1,14 @@
 import { Tag } from '@/components/Tag'
+import { DocActions } from '@/components/DocActions'
+
 export const description = 'Authenticating via various OAuth Single sign-on providers with Phase.'
 
 <Tag variant="small">AUTHENTICATION</Tag>
 
 # OAuth 2.0 Single sign-on (SSO)
 
+<DocActions /> 
+
 ## Google
 
 Follow these steps to set up Google SSO for your Phase application:

public/access-control/authentication/oidc-sso.md

@@ -1,4 +1,5 @@
 import { Tag } from '@/components/Tag'
+import { DocActions } from '@/components/DocActions'
 
 export const description = 'Authenticating via various OIDC Single sign-on providers with Phase.'
 
@@ -8,6 +9,8 @@ export const description = 'Authenticating via various OIDC Single sign-on provi
 
 OpenID Connect (OIDC) is an identity layer built on top of OAuth 2.0 that allows applications to verify user identities. It enables secure authentication through trusted identity providers while eliminating the need for separate credentials. Phase supports OIDC-based SSO integration with major providers like Google, allowing seamless and secure access to your applications. Currently, OIDC authentication can be set up only for a Self-hosted Phase deployment.
 
+<DocActions /> 
+
 <Note>
  OIDC SSO as an authentication method is only available for organizations with an `Enterprise` tier subscription. See [Pricing](https://phase.dev/pricing).
 </Note>

public/access-control/authentication/tokens.md

@@ -1,4 +1,5 @@
 import { Tag } from '@/components/Tag'
+import { DocActions } from '@/components/DocActions'
 
 export const description =
   'Learn how to create and manage authentication tokens in Phase.'
@@ -9,6 +10,8 @@ export const description =
 
 Phase provides secure authentication tokens for both human users and service accounts. These tokens enable programmatic access to Phase through our API, CLI, and SDKs while maintaining strict access controls and security standards. {{ className: 'lead' }}
 
+<DocActions /> 
+
 ## Service Account Tokens
 
 Service Account Tokens are used to authenticate your Service Account when making API requests. These tokens inherit the permissions and access levels of the service account they belong to.

public/access-control/external-identities.md

@@ -0,0 +1,127 @@
+import { Tag } from '@/components/Tag'
+import { DocActions } from '@/components/DocActions'
+
+<Tag variant="small">ACCESS CONTROL</Tag>
+
+export const description =
+  'This guide explains how to use External Identities to authenticate with Phase and manage access with the Access Control system.'
+
+
+# External Identities
+
+External Identities allow you to use third-party platforms and services to serve as identity providers for clients seeking programmatic access to Phase. Instead of manually provisioning access tokens for each client on each machine or an instance on your infrastructure, you can use External Identities to establish a trusted relationship with a principal that will be used to validate the identity of the client and grant access to Phase. This enables dynamic authentication and authorization for clients such as the CLI, SDKs, Kubernetes Operator, or your own applications. 
+
+<DocActions /> 
+
+Example use case: Imagine you have a fleet of EC2 instances in an autoscaling group (ASG) that runs an instance of your application. The Phase CLI is configured to inject secrets into your applications at runtime. Instead of manually provisioning access tokens for each client on each machine, you can use External Identities to establish a trusted relationship with an instance profile attached to the ASG.
+
+The authentication flow will be as follows:
+
+<Diagram caption="External Identity authentication flow with AWS IAM">
+{`
+sequenceDiagram
+  participant Client as Client
+  participant Phase as Phase
+  participant AWS as AWS STS
+
+  Note over Client,AWS: 1. GetCallerIdentity()
+  Client->>AWS: Fetch GetCallerIdentity from STS
+  AWS-->>Client: Return AWS Sigv4 signed GetCallerIdentity
+
+  Note over Client,Phase: 2. Authenticate
+  Client->>Phase: POST Sigv4 signed GetCallerIdentity to /identities/external/v1/aws/iam/auth/
+
+  Note over Phase,AWS: 3. Validate signature
+  Phase->>AWS: Forward Sigv4 signed GetCallerIdentity
+  AWS-->>Phase: Return IAM user/role metadata
+
+  Note over Phase: 4. Check entity trust relationship - is client a trusted principal?
+  Phase->>Client: Return Access Token with a specified TTL
+
+  Note over Client,Phase: 5. Authenticate to API with Access Token
+  Client->>Phase: Make authenticated requests using the Access Token
+`}
+</Diagram>
+
+Benefits:
+- Automate the creation and provisioning of access tokens for every client on your infrastructure.
+- Automatic token revocation after expiry
+- Centralized management of trust relationships
+
+## Prerequisites
+- Server-side encryption (SSE) enabled for the Service Account you want to use the External Identity with.
+- A third-party platform or service that supported by Phase
+
+## Supported External Identity Providers
+Phase currently supports the following external identity providers:
+
+- [**AWS IAM**](#aws-iam): Bind an AWS IAM User to a phase Service Account
+
+## Configure an External Identity
+
+To set up an External Identity for use with a Phase Service Account, follow these steps. First, navigate to the **Access Control** page from the sidebar, and select **External Identities**. Then, choose a provider:
+
+![external identities page](/assets/images/console/access-control/external-identities/external-identities.png)
+
+Then, enter the required information to configure the external identity. For all providers, you will need to provide basic information about the identity and how tokens are generated:
+
+<Properties>
+  <Property name="Identity Name" type="string">
+    A name for the external identity.
+  </Property>
+  <Property name="Description" type="string">
+    Optionally, a description for the external identity.
+  </Property>
+  <Property name="Token name" type="string">
+    Optional name for tokens that will be generated for Service Accounts using this external identity. The default is the provider shortcode, e.g. `aws-iam`.
+  </Property>
+  <Property name="Token Default TTL" type="number">
+    The default TTL (in seconds) for tokens generated for Service Accounts using this external identity. Default is 3600 seconds (1 hour).
+  </Property>
+  <Property name="Token Max TTL" type="number">
+    The default TTL (in seconds) for tokens generated for Service Accounts using this external identity. Default is 86400 seconds (24 hours).
+  </Property>
+</Properties>
+
+Additionally, you will need to provide provider-specific information depending on the selected provider.
+
+### AWS IAM
+
+For AWS IAM, you will need to provide the following information:
+
+<Properties>
+  <Property name="Trusted principal ARNs" type="comma-separated-string">
+    The ARN(s) of the AWS IAM User(s) to bind to the Phase Service Account. Separate multiple ARNs with commas.
+  </Property>
+  <Property name="Signature expiry" type="number">
+    The duration (in seconds) for which the signed requests from the AWS IAM User will be valid. Default is 60 seconds. Lower the better. This is to protect against replay attacks.
+  </Property>
+  <Property name="STS endpoint" type="string">
+    Optionally, specify a custom AWS STS endpoint. If not provided, the default AWS STS endpoint will be used (`https://sts.amazonaws.com`).
+  </Property>
+</Properties>
+
+![configure new identity](/assets/images/console/access-control/external-identities/configure-new-identity.png)
+
+
+## Manage External Identities
+
+Once an External Identity is created, it will appear in the list on the **External Identities** page. From here, you can view details, edit configurations, or delete the identity. 
+
+![external identities list](/assets/images/console/access-control/external-identities/external-identities-list.png)
+
+## Bind an External Identity to a Service Account
+
+<Note>
+To use an External Identity, the Service Account must have [Server-side KMS](/access-control/service-accounts#server-side-kms) enabled.
+</Note>
+
+Once you have configured an External Identity, you can bind it to a Phase Service Account. To do this, navigate to the **Service Accounts** page, select the desired Service Account and click **Mange** to open the account detail page. Scroll down to the **External Identities** section and click **Manage External Identities**:
+
+![manage external identities button](/assets/images/console/access-control/external-identities/manage-account-identities-button.png)
+
+From the dialog, select the External Identity you want to bind to this Service Account and enable it using the toggle switch. Click **Save** to apply the changes:
+
+![add external identity to service account](/assets/images/console/access-control/external-identities/manage-account-identities-dialog.png)
+
+

public/access-control/network.md

@@ -1,11 +1,14 @@
 import { Tag } from '@/components/Tag'
+import { DocActions } from '@/components/DocActions'
 
 <Tag variant="small">ACCESS CONTROL</Tag>
 
 # Network
 
 You can control access to resources in Phase from specific IPv4 or IPv6 sources by defining individual IPs or CIDR ranges in a Network Access Policy. You may attach such Network Access Policy to a User and/or Service Accounts individually or enforce it across your entire organization via a Global Policy. This allows you to put an additional layer of security on top of the existing access control mechanisms, by making sure that a client can only gain access to resources in Phase via mediums and/or assets such as the Phase Console, CLI, SDKs, Kubernetes Operator, REST API, etc. while being in the confines of your network.
 
+<DocActions /> 
+
 <Note>
  The ability to create and manage network access policies is available for organizations with a `Pro` or an `Enterprise` tier subscription.
 </Note>

public/access-control/roles.md

@@ -1,11 +1,14 @@
 import { Tag } from '@/components/Tag'
+import { DocActions } from '@/components/DocActions'
 
 <Tag variant="small">ACCESS CONTROL</Tag>
 
 # Roles
 
 Roles in Phase define the level of access and permissions granted to users within an organization. They determine what actions a user can perform and what resources they can access. Phase offers both managed roles with predefined permissions and the ability to create custom roles for more specific access control needs.
 
+<DocActions /> 
+
 ## Assigning Roles to Users
 
 To assign a role to a user or change a user's role:
@@ -37,6 +40,7 @@ The organization owner. This role is automatically assigned when a user creates
 | **Member Personal Access Tokens** | Full access | ✅ | ✅ | ✅ | ✅ |
 | **Service Accounts** | Full access | ✅ | ✅ | ✅ | ✅ |
 | **Service Account Tokens** | Full access | ✅ | ✅ | ✅ | ✅ |
+| **External Identities** | Full access | ✅ | ✅ | ✅ | ✅ |
 | **Roles** | Full access | ✅ | ✅ | ✅ | ✅ |
 | **Integration Credentials** | Full access | ✅ | ✅ | ✅ | ✅ |
 | **Network Access Policies** | Full access | ✅ | ✅ | ✅ | ✅ |
@@ -47,6 +51,7 @@ The organization owner. This role is automatically assigned when a user creates
 |----------|--------|------|--------|--------|--------|
 | **Environments** | Full access | ✅ | ✅ | ✅ | ✅ |
 | **Secrets** | Full access | ✅ | ✅ | ✅ | ✅ |
+| **DynamicSecretLeases** | Full access | ✅ | ✅ | ✅ | ✅ |
 | **Lockbox** | Full access | ✅ | ✅ | ✅ | ✅ |
 | **Logs** | Full access | ✅ | ✅ | ✅ | ✅ |
 | **Tokens (Legacy)** | Full access | ✅ | ✅ | ✅ | ✅ |
@@ -70,6 +75,7 @@ Admin users have access to most resources and permissions, and have global acces
 | **Member Personal Access Tokens** | Full access | ✅ | ✅ | ✅ | ✅ |
 | **Service Accounts** | Full access | ✅ | ✅ | ✅ | ✅ |
 | **Service Account Tokens** | Full access | ✅ | ✅ | ✅ | ✅ |
+| **External Identities** | Full access | ✅ | ✅ | ✅ | ✅ |
 | **Roles** | Full access | ✅ | ✅ | ✅ | ✅ |
 | **Integration Credentials** | Full access | ✅ | ✅ | ✅ | ✅ |
 | **Network Access Policies** | Full access | ✅ | ✅ | ✅ | ✅ |
@@ -80,6 +86,7 @@ Admin users have access to most resources and permissions, and have global acces
 |----------|--------|------|--------|--------|--------|
 | **Environments** | Full access | ✅ | ✅ | ✅ | ✅ |
 | **Secrets** | Full access | ✅ | ✅ | ✅ | ✅ |
+| **DynamicSecretLeases** | Full access | ✅ | ✅ | ✅ | ✅ |
 | **Lockbox** | Full access | ✅ | ✅ | ✅ | ✅ |
 | **Logs** | Full access | ✅ | ✅ | ✅ | ✅ |
 | **Tokens (Legacy)** | Full access | ✅ | ✅ | ✅ | ✅ |
@@ -105,6 +112,7 @@ Management users with broad access to environments, secrets, and service account
 | **Member Personal Access Tokens** | No access | ❌ | ❌ | ❌ | ❌ |
 | **Service Accounts** | Full access | ✅ | ✅ | ✅ | ✅ |
 | **Service Account Tokens** | Full access | ✅ | ✅ | ✅ | ✅ |
+| **External Identities** | Full access | ✅ | ✅ | ✅ | ✅ |
 | **Roles** | Full access | ✅ | ✅ | ✅ | ✅ |
 | **Integration Credentials** | Full access | ✅ | ✅ | ✅ | ✅ |
 | **Network Access Policies** | Full access | ✅ | ✅ | ✅ | ✅ |
@@ -115,6 +123,7 @@ Management users with broad access to environments, secrets, and service account
 |----------|--------|------|--------|--------|--------|
 | **Environments** | Custom access | ✅ | ✅ | ✅ | ❌ |
 | **Secrets** | Full access | ✅ | ✅ | ✅ | ✅ |
+| **DynamicSecretLeases** | Full access | ✅ | ✅ | ✅ | ✅ |
 | **Lockbox** | Full access | ✅ | ✅ | ✅ | ✅ |
 | **Logs** | Full access | ✅ | ✅ | ✅ | ✅ |
 | **Tokens (Legacy)** | Full access | ✅ | ✅ | ✅ | ✅ |
@@ -138,6 +147,7 @@ Default role for Service Accounts, providing programmatic access to secrets with
 | **Member Personal Access Tokens** | No access | ❌ | ❌ | ❌ | ❌ |
 | **Service Accounts** | Read access | ✅ | ❌ | ❌ | ❌ |
 | **Service Account Tokens** | Read access | ✅ | ❌ | ❌ | ❌ |
+| **External Identities** | Read access | ✅ | ❌ | ❌ | ❌ |
 | **Roles** | Read access | ✅ | ❌ | ❌ | ❌ |
 | **Integration Credentials** | Read access | ✅ | ❌ | ❌ | ❌ |
 | **Network Access Policies** | Read access | ✅ | ❌ | ❌ | ❌ |
@@ -148,6 +158,7 @@ Default role for Service Accounts, providing programmatic access to secrets with
 |----------|--------|------|--------|--------|--------|
 | **Environments** | Full access | ✅ | ✅ | ✅ | ✅ |
 | **Secrets** | Full access | ✅ | ✅ | ✅ | ✅ |
+| **DynamicSecretLeases** | Full access | ✅ | ✅ | ❌ | ❌ |
 | **Lockbox** | No access | ❌ | ❌ | ❌ | ❌ |
 | **Logs** | No access | ❌ | ❌ | ❌ | ❌ |
 | **Tokens (Legacy)** | No access | ❌ | ❌ | ❌ | ❌ |
@@ -171,6 +182,7 @@ Developers have limited permissions at the organization level and must be given
 | **Member Personal Access Tokens** | No access | ❌ | ❌ | ❌ | ❌ |
 | **Service Accounts** | No access | ❌ | ❌ | ❌ | ❌ |
 | **Service Account Tokens** | No access | ❌ | ❌ | ❌ | ❌ |
+| **External Identities** | No access | ❌ | ❌ | ❌ | ❌ |
 | **Roles** | Read access | ✅ | ❌ | ❌ | ❌ |
 | **Integration Credentials** | Custom access | ✅ | ✅ | ✅ | ❌ |
 | **Network Access Policies** | Read access | ✅ | ❌ | ❌ | ❌ |
@@ -181,6 +193,7 @@ Developers have limited permissions at the organization level and must be given
 |----------|--------|------|--------|--------|--------|
 | **Environments** | Custom access | ✅ | ✅ | ✅ | ❌ |
 | **Secrets** | Full access | ✅ | ✅ | ✅ | ✅ |
+| **DynamicSecretLeases** | Full access | ✅ | ✅ | ❌ | ❌ |
 | **Lockbox** | Full access | ✅ | ✅ | ✅ | ✅ |
 | **Logs** | Read access | ✅ | ❌ | ❌ | ❌ |
 | **Tokens (Legacy)** | Custom access | ✅ | ✅ | ❌ | ❌ |