Bootstrap FreeKB - GitHub Actions - Authenticate to Amazon Web Services (AWS) using OIDC
GitHub Actions - Authenticate to Amazon Web Services (AWS) using OIDC


This assumes you are familiar with GitHub Actions. If not, check out my article Getting Started with GitHub Actions.

There are a few different ways to authenticate to Amazon Web Services in GitHub Actions. This article covers OpenID Connect (OIDC), which lets the workflow obtain short-lived credentials instead of storing long-lived AWS access keys as GitHub secrets.

This assumes you have already configured the aws command line tool. If not, check out my article on Getting Started with the AWS CLI.

The aws iam create-open-id-connect-provider command can be used to create an OpenID Connect Provider in Amazon Web Services.

aws iam create-open-id-connect-provider \
--url https://token.actions.githubusercontent.com \
--client-id-list sts.amazonaws.com


And use the aws iam create-role command to create a role that will allow GitHub Actions to authenticate to Amazon Web Services via the OpenID Connect Provider.

aws iam create-role \
--role-name GitHubAction-AssumeRoleWithAction \
--assume-role-policy-document file://my.json


In this example, my.json should contain something like this, replacing 123456789012 with your AWS Account Number and <the name of your GitHub account> with your GitHub user or organization name.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Federated": "arn:aws:iam::123456789012:oidc-provider/token.actions.githubusercontent.com"
            },
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "StringEquals": {
                    "token.actions.githubusercontent.com:aud": "sts.amazonaws.com"
                },
                "StringLike": {
                    "token.actions.githubusercontent.com:sub": "repo:<the name of your GitHub account>/*"
                }
            }
        }
    ]
}
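As an added check, not code from the original article: the trust policy above pins aud to sts.amazonaws.com, but its sub pattern ends in /*, so every repository in the GitHub account can assume the role. This Python audit flags a missing aud or sub condition and a sub pattern that does not pin at least one specific repository; the example-org and example-repo names are constructed, and the per-repository, per-branch form repo:<account>/<repo>:ref:refs/heads/main is the subject format GitHub documents.

```python
from __future__ import annotations

GITHUB_OIDC = "token.actions.githubusercontent.com"  # GitHub's OIDC issuer host

def audit_trust_policy(policy: dict) -> list[str]:
    """Return findings for a role trust policy; an empty list means every check passed."""
    findings: list[str] = []
    for stmt in policy.get("Statement", []):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        federated = stmt.get("Principal", {}).get("Federated", "")
        if (stmt.get("Effect") != "Allow"
                or "sts:AssumeRoleWithWebIdentity" not in actions
                or not federated.endswith(f":oidc-provider/{GITHUB_OIDC}")):
            continue  # only Allow statements for the GitHub web-identity provider are in scope
        # Flatten StringEquals/StringLike into claim -> list of accepted values
        claims: dict[str, list[str]] = {}
        for operator in ("StringEquals", "StringLike"):
            for key, value in stmt.get("Condition", {}).get(operator, {}).items():
                claims.setdefault(key, []).extend(value if isinstance(value, list) else [value])
        # aud must be exactly sts.amazonaws.com, matching --client-id-list on the provider
        if claims.get(f"{GITHUB_OIDC}:aud") != ["sts.amazonaws.com"]:
            findings.append("aud claim not pinned to sts.amazonaws.com")
        # sub is what ties the role to your repositories; without it any repo on GitHub qualifies
        subs = claims.get(f"{GITHUB_OIDC}:sub", [])
        if not subs:
            findings.append("no sub condition: any GitHub repository can assume this role")
        for sub in subs:
            if not sub.startswith("repo:") or sub.startswith("repo:*"):
                findings.append(f"sub pattern {sub!r} does not pin a GitHub account")
            elif sub.endswith("/*"):
                findings.append(f"sub pattern {sub!r} allows every repository in the account")
    return findings

def make_policy(sub_pattern: str | None) -> dict:
    """Build the article's trust policy (account id from the article) around the given sub pattern."""
    condition: dict = {"StringEquals": {f"{GITHUB_OIDC}:aud": "sts.amazonaws.com"}}
    if sub_pattern is not None:
        condition["StringLike"] = {f"{GITHUB_OIDC}:sub": sub_pattern}
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": f"arn:aws:iam::123456789012:oidc-provider/{GITHUB_OIDC}"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": condition}]}

if __name__ == "__main__":
    # "example-org" / "example-repo" are constructed names, not from the article
    for pattern in ("repo:example-org/*", "repo:example-org/example-repo:ref:refs/heads/main", None):
        print(pattern, "->", audit_trust_policy(make_policy(pattern)) or ["ok"])
```

Run it against the contents of my.json (loaded with json.load) before aws iam create-role, and tighten the sub pattern until the findings list comes back empty.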


A workflow like the following then authenticates to AWS using the OpenID Connect Provider and the IAM GitHubAction-AssumeRoleWithAction role. The id-token: write permission is what lets the job request the OIDC token from GitHub.

name: AWS authentication demo
run-name: ${{ github.workflow }} run by ${{ github.actor }}
on:
  push:
    branches:
      - main
permissions:
  id-token: write
  contents: read
jobs:
  github-action-job:
    runs-on: ubuntu-latest
    steps:
      - uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: arn:aws:iam::123456789012:role/GitHubAction-AssumeRoleWithAction
          role-session-name: GitHub_to_AWS_via_FederatedOIDC
          aws-region: us-east-1

      - name: aws sts get-caller-identity
        run: |
          aws sts get-caller-identity

      - run: echo "job.status -> ${{ job.status }}"
