GitHub Actions is a continuous integration and continuous delivery (CI/CD) platform that lets you automate your build, test, and deployment pipeline. Until AWS provided support for OIDC, long-lived access keys and secret keys were used to make deployments from GitHub Actions.
Configuring OpenID Connect in AWS and role creation
- Create GitHub as an identity provider in AWS IAM with the following values:
  - Provider URL: https://token.actions.githubusercontent.com
  - Audience: sts.amazonaws.com
- Configure the role with the trust policy below. Replace the GitHub org and repo names with those of your organization, and replace the AWS account id as well. The `sub` condition is what pins the role to one repository; without it any GitHub repository could assume the role.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::123456123456:oidc-provider/token.actions.githubusercontent.com"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringLike": {
          "token.actions.githubusercontent.com:sub": "repo:git-org/git-repo:*"
        },
        "StringEquals": {
          "token.actions.githubusercontent.com:iss": "https://token.actions.githubusercontent.com",
          "token.actions.githubusercontent.com:aud": "sts.amazonaws.com"
        }
      }
    }
  ]
}
```
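To see what the trust policy actually admits, here is an added example (not code from the post or from AWS) that evaluates GitHub token claims against the policy the way IAM does, and lints the policy for the usual mistakes. It models `StringEquals`, `StringLike` (where only `*` and `?` are wildcards) and the `ForAllValues:` prefix, which is satisfied by an absent claim and is why a plain operator is the safer choice on single-valued claims like `aud`. The policy, the account id and the token claims are constructed samples; the `sub` layouts (`repo:<org>/<repo>:ref:refs/heads/<branch>`, `repo:<org>/<repo>:pull_request`) follow GitHub's documented format. Function names such as `evaluate_trust_policy` and `lint_trust_policy` are this example's own.

```python
import json
import re

ISSUER = "token.actions.githubusercontent.com"

# Constructed sample: the trust policy from the post (placeholder account id).
TRUST_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"Federated": "arn:aws:iam::123456123456:oidc-provider/token.actions.githubusercontent.com"},
    "Action": "sts:AssumeRoleWithWebIdentity",
    "Condition": {
      "StringLike": {"token.actions.githubusercontent.com:sub": "repo:git-org/git-repo:*"},
      "StringEquals": {
        "token.actions.githubusercontent.com:iss": "https://token.actions.githubusercontent.com",
        "token.actions.githubusercontent.com:aud": "sts.amazonaws.com"
      }
    }
  }]
}
""")


def github_claims(sub, aud="sts.amazonaws.com"):
    """Constructed claims of a GitHub Actions token, keyed the way IAM condition keys see them."""
    return {f"{ISSUER}:iss": f"https://{ISSUER}", f"{ISSUER}:aud": aud, f"{ISSUER}:sub": sub}


# Constructed tokens for four situations the policy has to decide on.
MAIN_PUSH = github_claims("repo:git-org/git-repo:ref:refs/heads/main")
PULL_REQUEST = github_claims("repo:git-org/git-repo:pull_request")
OTHER_REPO = github_claims("repo:git-org/other-repo:ref:refs/heads/main")
WRONG_AUD = github_claims("repo:git-org/git-repo:ref:refs/heads/main", aud="https://github.com/git-org")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def string_like(pattern, value):
    """IAM StringLike: '*' matches any run of characters, '?' exactly one; nothing else is special."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None


def condition_holds(operator, expected, actual):
    """Evaluate one condition key; a list of expected values is an OR."""
    if operator == "StringEquals":
        return actual in _as_list(expected)
    if operator == "StringLike":
        return any(string_like(p, actual) for p in _as_list(expected))
    raise ValueError(f"unsupported operator {operator}")


def evaluate_trust_policy(policy, claims):
    """True if some Allow statement for sts:AssumeRoleWithWebIdentity matches every condition."""
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow" or "sts:AssumeRoleWithWebIdentity" not in _as_list(stmt.get("Action", [])):
            continue
        allowed = True
        for operator, pairs in stmt.get("Condition", {}).items():
            set_operator, _, base_operator = operator.rpartition(":")  # e.g. "ForAllValues:StringEquals"
            for key, expected in pairs.items():
                if key not in claims:
                    # ForAllValues is satisfied by an absent key; every other form fails closed.
                    allowed = allowed and set_operator == "ForAllValues"
                else:
                    allowed = allowed and condition_holds(base_operator, expected, claims[key])
        if allowed:
            return True
    return False


def with_sub_pattern(policy, pattern):
    """Copy of the policy with its sub condition replaced, to compare scopings."""
    copy = json.loads(json.dumps(policy))
    for stmt in _as_list(copy["Statement"]):
        for pairs in stmt.get("Condition", {}).values():
            if f"{ISSUER}:sub" in pairs:
                pairs[f"{ISSUER}:sub"] = pattern
    return copy


def lint_trust_policy(policy):
    """Flag missing aud, missing or unpinned sub, and set operators on single-valued claims."""
    findings = []
    for i, stmt in enumerate(_as_list(policy["Statement"])):
        condition = stmt.get("Condition", {})
        keys = {k: v for pairs in condition.values() for k, v in pairs.items()}
        if f"{ISSUER}:aud" not in keys:
            findings.append(f"statement {i}: no aud condition")
        if f"{ISSUER}:sub" not in keys:
            findings.append(f"statement {i}: no sub condition, any repository on GitHub could assume the role")
        for pattern in _as_list(keys.get(f"{ISSUER}:sub", [])):
            # Demand a literal "repo:<org>/<repo>" before any wildcard.
            if not re.match(r"^repo:[^*?/:]+/[^*?/:]+(:|$)", pattern):
                findings.append(f"statement {i}: sub pattern {pattern!r} is not pinned to one repository")
        for operator in condition:
            if operator.startswith(("ForAllValues:", "ForAnyValue:")):
                findings.append(f"statement {i}: {operator} on single-valued claims; use the plain operator")
    return findings


if __name__ == "__main__":
    pinned = with_sub_pattern(TRUST_POLICY, "repo:git-org/git-repo:ref:refs/heads/main")
    for name, claims in [("main push", MAIN_PUSH), ("pull request", PULL_REQUEST),
                         ("other repo", OTHER_REPO), ("wrong aud", WRONG_AUD)]:
        print(f"{name:13} repo-wide: {evaluate_trust_policy(TRUST_POLICY, claims)!s:5} "
              f"branch-pinned: {evaluate_trust_policy(pinned, claims)}")
    print(lint_trust_policy(with_sub_pattern(TRUST_POLICY, "repo:*")))
```

Running it shows that the `repo:git-org/git-repo:*` pattern from the post accepts pushes to any branch and pull-request runs of that repository while rejecting other repositories and a token minted for a different audience; pinning `sub` to `ref:refs/heads/main` is the usual tightening for a role that deploys.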
The permissions policy attached to the role should grant only what the workflow performs in the AWS account. An S3 list permission is assigned here for demo purposes.
```json
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": "s3:ListBucket",
    "Resource": "*"
  }
}
```
GitHub Actions workflow
The following permissions need to be added to the workflow YAML so the job can request an OIDC token from GitHub:

```yaml
permissions:
  id-token: write # required to use OIDC authentication
  contents: read  # required for actions/checkout@v2
```
Below is the GitHub Actions workflow, which lists the buckets in the AWS account the trust policy belongs to and then, using cross-account access, the buckets in a second account.
In the step "Assume execution role", cross-account access works because the first configure-aws-credentials step exports the temporary credentials it obtained as environment variables (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_SESSION_TOKEN); the second step feeds those back in and calls sts:AssumeRole on the role in the other account. For that to succeed, the trust policy of the cross-account role must allow sts:AssumeRole from the github-actions role of the first account, and role-skip-session-tagging is set because session tagging would additionally require sts:TagSession.
```yaml
name: Hello from AWS
on:
  push:
permissions:
  id-token: write
  contents: read
jobs:
  greeting:
    runs-on: ubuntu-latest
    steps:
      # Exchange the GitHub OIDC token for temporary credentials of the role
      # whose trust policy is shown above (same account id as that policy).
      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@v1
        with:
          aws-region: us-east-1
          role-to-assume: arn:aws:iam::123456123456:role/github-actions
      - name: Print assumed role
        run: aws sts get-caller-identity
      - name: s3 list
        run: aws s3 ls
      # The previous step exported its temporary credentials as environment
      # variables; feed them back in to assume a role in the second account
      # (123456789012 is a placeholder for that account id).
      - name: Assume execution role
        uses: aws-actions/configure-aws-credentials@v1
        with:
          aws-access-key-id: ${{ env.AWS_ACCESS_KEY_ID }}
          aws-region: us-east-1
          aws-secret-access-key: ${{ env.AWS_SECRET_ACCESS_KEY }}
          aws-session-token: ${{ env.AWS_SESSION_TOKEN }}
          role-duration-seconds: 3000
          role-skip-session-tagging: true # tagging would need sts:TagSession
          role-to-assume: arn:aws:iam::123456789012:role/github-cross-role
      - name: Print assumed role
        run: aws sts get-caller-identity
      - name: s3 list
        run: aws s3 ls
```
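The "Print assumed role" steps only log the identity; a deployment job is better off failing when the chain landed on the wrong role or account. Here is an added example (not part of the post or of the referenced repo) of a guard that parses the `aws sts get-caller-identity` output and refuses to continue unless the session belongs to the expected role. The JSON sample, the account id and the session name are constructed placeholders; `check_identity.py`, `check_caller_identity` and `parse_assumed_role` are this example's own names.

```python
import json
import re
import sys

# Constructed sample of the `aws sts get-caller-identity` output after the first
# "Configure AWS credentials" step; account id and session name are placeholders.
CALLER_IDENTITY_JSON = """
{
  "UserId": "AROAEXAMPLEROLEID:GitHubActions",
  "Account": "123456123456",
  "Arn": "arn:aws:sts::123456123456:assumed-role/github-actions/GitHubActions"
}
"""

# arn:aws:sts::<account>:assumed-role/<role-name>/<session-name>
ASSUMED_ROLE_ARN = re.compile(r"^arn:aws:sts::(\d{12}):assumed-role/([^/]+)/(.+)$")


def parse_assumed_role(arn):
    """Split an STS assumed-role ARN into (account id, role name, session name)."""
    match = ASSUMED_ROLE_ARN.match(arn)
    if match is None:
        raise ValueError(f"not an assumed-role ARN: {arn}")
    return match.group(1), match.group(2), match.group(3)


def check_caller_identity(identity_json, expected_account, expected_role):
    """Return (ok, reason); ok is False whenever the session is not the role we meant to use."""
    try:
        identity = json.loads(identity_json)
        account, role, session = parse_assumed_role(identity["Arn"])
    except (ValueError, KeyError) as exc:
        # Covers malformed JSON, a missing Arn, and IAM user or root ARNs.
        return False, f"could not read caller identity: {exc}"
    if account != expected_account:
        return False, f"running in account {account}, expected {expected_account}"
    if role != expected_role:
        return False, f"running as role {role}, expected {expected_role}"
    return True, f"running as {role} in {account} (session {session})"


if __name__ == "__main__":
    # Usage in a workflow step (hypothetical file name):
    #   aws sts get-caller-identity | python3 check_identity.py 123456123456 github-actions
    # Without arguments the constructed sample above is checked instead.
    if len(sys.argv) == 3:
        ok, reason = check_caller_identity(sys.stdin.read(), sys.argv[1], sys.argv[2])
    else:
        ok, reason = check_caller_identity(CALLER_IDENTITY_JSON, "123456123456", "github-actions")
    print(reason)
    sys.exit(0 if ok else 1)
```

Run it once after each configure-aws-credentials step with that step's expected account and role; a non-zero exit stops the job before any `aws s3` or deployment command runs under an unintended identity.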
Reference workflow can be found in the repo https://github.com/sent2020/aws-oidc