Guide to Setting Up OpenID Connect (OIDC) for AWS and GitHub Actions


Overview

OpenID Connect (OIDC) lets a GitHub Actions workflow authenticate to AWS with short-lived credentials obtained by exchanging a signed identity token, so no long-lived AWS access keys need to be stored as repository secrets.


Step 1: Create an IAM OIDC Identity Provider

  1. Log in to the AWS Management Console:

    • Navigate to IAM > Identity Providers.
  2. Add an OIDC Provider:

    • Choose Add Provider.
    • Select Provider Type as OpenID Connect.
    • Enter the Provider URL:
      https://token.actions.githubusercontent.com
      
    • Add Audience:
      sts.amazonaws.com
      
  3. Save the Identity Provider:

    • Review and confirm the details.

Step 2: Create an IAM Role for GitHub Actions

  1. Create a New Role:

    • Go to Roles > Create Role.
    • Select Web Identity as the trusted entity type.
    • Choose the OIDC provider you just created.
  2. Define Conditions:

    • Add a condition to restrict access to specific repositories and branches using the following trust policy:
      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Effect": "Allow",
            "Principal": {
              "Federated": "arn:aws:iam::<AWS_ACCOUNT_ID>:oidc-provider/token.actions.githubusercontent.com"
            },
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
              "StringEquals": {
                "token.actions.githubusercontent.com:aud": "sts.amazonaws.com",
                "token.actions.githubusercontent.com:sub": "repo:<OWNER>/<REPO>:ref:refs/heads/<BRANCH>"
              }
            }
          }
        ]
      }
    • Replace <AWS_ACCOUNT_ID>, <OWNER>, <REPO>, and <BRANCH> with your AWS account ID, GitHub organization or user name, repository name, and branch, respectively.
  3. Attach Permissions to the Role:

    • Assign a policy to define what actions the role can perform (e.g., S3 access):
      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Effect": "Allow",
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::<BUCKET_NAME>/*"
          }
        ]
      }
    • Replace <BUCKET_NAME> with your target S3 bucket name. Scope the actions down to what the deployment actually needs; note that bucket-level operations such as s3:ListBucket apply to the bucket ARN itself (arn:aws:s3:::<BUCKET_NAME>), not to the /* object path.
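To see what the trust policy above actually admits, here is an added Python example (not part of this guide or of AWS) that builds the Step 2 policy and evaluates its conditions against constructed sample claim sets shaped like the aud and sub claims GitHub puts in its OIDC token. The account ID, organization, repository and branch are placeholders; the evaluator also handles StringLike, which is what you would use to admit every ref of a repository with a pattern such as repo:<OWNER>/<REPO>:*.

```python
import fnmatch

# Constructed placeholder values; replace with your own account, org, repo and branch.
ACCOUNT_ID, OWNER, REPO, BRANCH = "123456789012", "example-org", "example-repo", "main"
PROVIDER = "token.actions.githubusercontent.com"


def trust_policy(account_id, owner, repo, branch):
    """Build the Step 2 trust policy, pinned to a single repository branch."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": f"arn:aws:iam::{account_id}:oidc-provider/{PROVIDER}"},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {"StringEquals": {
                f"{PROVIDER}:aud": "sts.amazonaws.com",
                f"{PROVIDER}:sub": f"repo:{owner}/{repo}:ref:refs/heads/{branch}",
            }},
        }],
    }


def condition_allows(policy, claims):
    """Evaluate the policy's conditions against a GitHub OIDC token's claims.
    IAM ANDs every condition key; a missing claim fails. Only StringEquals and
    StringLike (wildcards '*' and '?') are modelled, which is all these policies use."""
    for stmt in policy["Statement"]:
        for operator, pairs in stmt.get("Condition", {}).items():
            for key, expected in pairs.items():
                actual = claims.get(key.split(":", 1)[1])  # "provider:sub" -> "sub"
                if actual is None:
                    return False
                if operator == "StringEquals" and actual != expected:
                    return False
                if operator == "StringLike" and not fnmatch.fnmatchcase(actual, expected):
                    return False
    return True


# Constructed sample claim sets (the sub format is the one GitHub documents).
MAIN_PUSH = {"aud": "sts.amazonaws.com", "sub": f"repo:{OWNER}/{REPO}:ref:refs/heads/{BRANCH}"}
PULL_REQUEST = {"aud": "sts.amazonaws.com", "sub": f"repo:{OWNER}/{REPO}:pull_request"}
OTHER_REPO = {"aud": "sts.amazonaws.com", "sub": f"repo:{OWNER}/other-repo:ref:refs/heads/{BRANCH}"}
WRONG_AUDIENCE = {"aud": f"https://github.com/{OWNER}", "sub": MAIN_PUSH["sub"]}

if __name__ == "__main__":
    policy = trust_policy(ACCOUNT_ID, OWNER, REPO, BRANCH)
    for name, claims in {"main push": MAIN_PUSH, "pull request": PULL_REQUEST,
                         "other repo": OTHER_REPO, "wrong audience": WRONG_AUDIENCE}.items():
        print(name, "->", "allowed" if condition_allows(policy, claims) else "denied")
```

Only the push to the pinned branch is allowed; a pull_request run, another repository, or a token minted for the default GitHub audience is refused by the StringEquals conditions.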

Step 3: Configure Your GitHub Actions Workflow

  1. Set Permissions for OIDC: In your GitHub Actions workflow YAML file, add the following permissions:

    permissions:
      id-token: write
      contents: read
  2. Use the aws-actions/configure-aws-credentials Action: Add a step that assumes the role from Step 2 and exports temporary credentials to later steps:

    - name: Configure AWS Credentials
      uses: aws-actions/configure-aws-credentials@v4
      with:
        role-to-assume: arn:aws:iam::<AWS_ACCOUNT_ID>:role/<ROLE_NAME>
        aws-region: us-east-1
    • Replace <AWS_ACCOUNT_ID> and <ROLE_NAME> with your AWS account ID and the name of the IAM role created in Step 2.
  3. Add Deployment Steps: Add subsequent steps that deploy your AWS resources using the temporary credentials, for example:

    - name: Deploy Application
      run: cdk deploy --all

Step 4: Test the Workflow

  1. Push changes to the configured branch.
  2. Monitor the workflow run in the Actions tab on GitHub.
  3. Verify AWS resource deployment and ensure the workflow runs successfully.

This document provides a complete guide for setting up OIDC between GitHub Actions and AWS. Keep it handy for future projects or troubleshooting!