This assumes you are familiar with GitHub Actions. If not, check out my article Getting Started with GitHub Actions.
There are a few different ways to authenticate to Amazon Web Services in GitHub Actions:
- Authenticate to Amazon Web Services (AWS) using OIDC (this article)
- Authenticate to Amazon Web Services (AWS) using Access Key and Secret Key
This assumes you have already configured the aws command line tool. If not, check out my article on Getting Started with the AWS CLI.
The aws iam create-open-id-connect-provider command creates an OpenID Connect Provider in Amazon Web Services. The URL is GitHub's token issuer, and the client ID list is the audience (aud) that the tokens will carry when they are presented to STS.
aws iam create-open-id-connect-provider \
    --url https://token.actions.githubusercontent.com \
    --client-id-list sts.amazonaws.com
And use the aws iam create-role command to create a role that will allow GitHub Actions to authenticate to Amazon Web Services via the OpenID Connect Provider.
aws iam create-role \
    --role-name GitHubAction-AssumeRoleWithAction \
    --assume-role-policy-document file://my.json
In this example, my.json should contain something like this, replacing 123456789012 with your AWS account number and <the name of your GitHub account> with your GitHub user or organization name. The aud condition pins the audience to sts.amazonaws.com, and the sub condition decides which GitHub repositories may assume the role.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Federated": "arn:aws:iam::123456789012:oidc-provider/token.actions.githubusercontent.com"
            },
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "StringEquals": {
                    "token.actions.githubusercontent.com:aud": "sts.amazonaws.com"
                },
                "StringLike": {
                    "token.actions.githubusercontent.com:sub": "repo:<the name of your GitHub account>/*"
                }
            }
        }
    ]
}
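The sub pattern above trusts every repository under the account. A tighter trust policy names one repository and one branch, because the subject claim GitHub puts in the token has the form repo:<owner>/<repo>:ref:refs/heads/<branch> (or :environment:<name> for environment jobs). The following script is an added example, not code from the article or from AWS: it builds such a trust policy for a given account, owner, repository and ref, and lints any trust policy for the two things worth checking before you run aws iam create-role, namely that aud is pinned to sts.amazonaws.com and that sub does not contain a wildcard where the owner or repository should be. The account id, the owner myorg and the repository myrepo are constructed sample values; the lint rules are this example's own heuristic.

```python
import json
import re
from typing import Dict, List, Optional

ISSUER = "token.actions.githubusercontent.com"
AUDIENCE = "sts.amazonaws.com"
SUB_KEY = f"{ISSUER}:sub"
AUD_KEY = f"{ISSUER}:aud"


def build_trust_policy(account_id: str, owner: str, repo: str,
                       ref: Optional[str] = "refs/heads/main") -> Dict:
    """Trust policy for sts:AssumeRoleWithWebIdentity from GitHub's OIDC provider.

    With ref given, sub is an exact StringEquals match on one branch of one repository.
    With ref=None, sub falls back to a StringLike match on the repository only, which
    still admits every branch, tag, pull request and environment of that repository.
    """
    if not re.fullmatch(r"\d{12}", account_id):
        raise ValueError("AWS account id must be exactly 12 digits")
    condition: Dict[str, Dict[str, str]] = {"StringEquals": {AUD_KEY: AUDIENCE}}
    if ref is None:
        condition["StringLike"] = {SUB_KEY: f"repo:{owner}/{repo}:*"}
    else:
        condition["StringEquals"][SUB_KEY] = f"repo:{owner}/{repo}:ref:{ref}"
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": f"arn:aws:iam::{account_id}:oidc-provider/{ISSUER}"},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": condition,
        }],
    }


def _as_list(value) -> List[str]:
    # IAM accepts a string or a list of strings in most of these positions.
    return value if isinstance(value, list) else [value]


def lint_trust_policy(policy: Dict) -> List[str]:
    """Return findings for every Allow statement on sts:AssumeRoleWithWebIdentity.

    An empty list means aud is pinned to sts.amazonaws.com and every sub pattern
    names one owner/repo and one ref or environment. Heuristic written for this
    example, not an AWS or GitHub tool.
    """
    findings: List[str] = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRoleWithWebIdentity" not in _as_list(stmt.get("Action", [])):
            continue
        cond = stmt.get("Condition", {})
        if cond.get("StringEquals", {}).get(AUD_KEY) != AUDIENCE:
            findings.append(f"statement {i}: aud is not pinned to {AUDIENCE}")
        subs: List[str] = []
        for op in ("StringEquals", "StringLike"):
            subs += _as_list(cond.get(op, {}).get(SUB_KEY, []))
        if not subs:
            findings.append(f"statement {i}: no sub condition, any GitHub repository could assume the role")
            continue
        for sub in subs:
            # owner, repo, then an optional ":ref:..." / ":environment:..." / ":pull_request" tail
            m = re.fullmatch(r"repo:([^/]+)/([^:]*)(?::(.*))?", sub)
            if m is None:
                findings.append(f"statement {i}: sub {sub!r} is not of the form repo:<owner>/<repo>...")
            elif any(ch in m.group(1) + m.group(2) for ch in "*?"):
                findings.append(f"statement {i}: sub {sub!r} allows any repository, not one")
            elif m.group(3) in (None, "*"):
                findings.append(f"statement {i}: sub {sub!r} allows any branch, tag, PR or environment")
    return findings


# Constructed sample in the shape the article shows: every repository under "myorg".
ACCOUNT_WIDE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"Federated": "arn:aws:iam::123456789012:oidc-provider/token.actions.githubusercontent.com"},
    "Action": "sts:AssumeRoleWithWebIdentity",
    "Condition": {
      "StringEquals": {"token.actions.githubusercontent.com:aud": "sts.amazonaws.com"},
      "StringLike": {"token.actions.githubusercontent.com:sub": "repo:myorg/*"}
    }
  }]
}
""")

if __name__ == "__main__":
    print("account-wide policy:", lint_trust_policy(ACCOUNT_WIDE_POLICY))
    pinned = build_trust_policy("123456789012", "myorg", "myrepo")
    print("pinned policy:", lint_trust_policy(pinned))
    # Write this file out as my.json for the create-role command above.
    print(json.dumps(pinned, indent=2))
```

Run it and the account-wide policy produces one finding (any repository under myorg may assume the role), while the pinned policy produces none. If several workflows from different repositories need the same role, list several exact subjects in the StringEquals value rather than widening the pattern.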
Then use a workflow like this to authenticate to AWS using the OpenID Connect Provider and the IAM role GitHubAction-AssumeRoleWithAction. The id-token: write permission is what allows the job to request an OIDC token from GitHub; without it the configure-aws-credentials step cannot obtain a token to exchange.
name: AWS authentication demo
run-name: ${{ github.workflow }} run by ${{ github.actor }}
on:
  push:
    branches:
      - main
permissions:
  id-token: write
  contents: read
jobs:
  github-action-job:
    runs-on: ubuntu-latest
    steps:
      - uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: arn:aws:iam::123456789012:role/GitHubAction-AssumeRoleWithAction
          role-session-name: GitHub_to_AWS_via_FederatedOIDC
          aws-region: us-east-1
      - name: aws sts get-caller-identity
        run: |
          aws sts get-caller-identity
      - run: echo "job.status -> ${{ job.status }}"