Created
May 26, 2026 13:16
Anthropic API authentication via GitHub Actions Workload Identity Federation (WIF) — minimal proof-of-concept. Used as evidence in a gh-aw-firewall feature request.
```yaml
# Proof-of-concept: authenticate to the Anthropic API from GitHub Actions
# via Workload Identity Federation (WIF) — no long-lived ANTHROPIC_API_KEY.
#
# Verified working end-to-end against the existing Anthropic API tier
# (no Enterprise contract required). Full exchange in ~3 seconds.
#
# Audit event from a successful run shows outcome: success, with
# user_agent: anthropic-python/0.104.1, subject: repo:OWNER/REPO:
# ref:refs/heads/main, requested_service_account_id matching the
# configured service account.
#
# IDs below are placeholders — substitute your own from Claude Console
# (Settings -> Workload identity for the rule + issuer, Settings ->
# Service accounts for the service account, Settings -> Organization
# for the org UUID). Federation rule should pin subject_prefix to the
# specific repo + ref you intend to dispatch from, with audience
# https://api.anthropic.com.
name: WIF POC
on:
  workflow_dispatch:
# id-token: write is what lets the job request a GitHub OIDC token;
# contents: read is the minimum needed for the checkout-free job below.
permissions:
  id-token: write
  contents: read
jobs:
  call-claude-via-wif:
    runs-on: ubuntu-latest
    timeout-minutes: 5
    env:
      ANTHROPIC_FEDERATION_RULE_ID: fdrl_xxxxxxxxxxxxxxxxxxxxxxxx
      ANTHROPIC_ORGANIZATION_ID: 00000000-0000-0000-0000-000000000000
      ANTHROPIC_SERVICE_ACCOUNT_ID: svac_xxxxxxxxxxxxxxxxxxxxxxxx
      ANTHROPIC_IDENTITY_TOKEN_FILE: /tmp/gha-jwt
    steps:
      - name: Fetch GitHub OIDC token
        # Request a token with the audience the federation rule expects and
        # fail the job early if the file comes back empty.
        run: |
          curl -sS -H "Authorization: Bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" \
            "$ACTIONS_ID_TOKEN_REQUEST_URL&audience=https://api.anthropic.com" \
            | jq -r .value > "$ANTHROPIC_IDENTITY_TOKEN_FILE"
          test -s "$ANTHROPIC_IDENTITY_TOKEN_FILE"
      - name: Set up Python
        uses: actions/setup-python@v5
        with:
          python-version: "3.12"
      - name: Install Anthropic SDK
        run: pip install --quiet anthropic
      - name: Call Claude via WIF
        # No API key is set; the client is constructed with no arguments and
        # picks up the ANTHROPIC_* federation settings from the job env.
        run: |
          python - <<'PY'
          from anthropic import Anthropic
          client = Anthropic()
          msg = client.messages.create(
              model="claude-sonnet-4-6",
              max_tokens=64,
              messages=[{"role": "user", "content": "Respond with exactly: WIF exchange succeeded."}],
          )
          print(msg.content[0].text)
          PY
```