“Set Up AWS Credentials” for GitHub Actions Using OpenID Connect

Mohammad Mahmud Hasan
3 min read · Oct 8, 2022


In this tutorial, we'll see how to set up a CI/CD pipeline using GitHub Actions and AWS.

For a long time, granting GitHub-hosted Actions runners access to your AWS environment meant creating an IAM user and using its IAM credentials from the workflow.
There is now a different authentication mechanism.

For safe cloud deployments, GitHub Actions now supports OpenID Connect (OIDC), which uses short-lived tokens that are rotated automatically.

This permits:

  1. Seamless authentication between cloud providers and GitHub, without storing any long-lived cloud secrets in GitHub.
  2. Cloud administrators can rely on their cloud provider's own security controls to ensure that GitHub Actions workflows get only the minimum access to cloud resources they need. There is no duplicated secret management across GitHub and the cloud.

Setting up AWS

To get started, you’ll have to create your identity provider on AWS.

  1. Log in to your AWS account, go to IAM > Identity Providers, and click "Add Provider".

  2. Add the provider URL https://token.actions.githubusercontent.com and the audience sts.amazonaws.com.

  3. You'll also need an IAM role that your workflow will assume through this identity provider. Below is the role's trust policy, which allows the identity provider to assume it.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Federated": "arn:aws:iam::<your_account_id>:oidc-provider/token.actions.githubusercontent.com"
            },
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "StringEquals": {
                    "token.actions.githubusercontent.com:aud": "sts.amazonaws.com"
                }
            }
        }
    ]
}

Setting up GitHub

Now you're going to need a workflow file for your GitHub Actions to use. Below is an example of a workflow that authenticates to AWS and pushes your Docker image to Amazon ECR. For the complete setup, see my repository:

https://github.com/mahmud92542/react-application-automation/

on:
  push:
    branches: [ main ]
  pull_request:
    branches: [ main ]

name: React Project `react-application-automation` CI on ECR

jobs:
  deploy:
    name: Deploy
    runs-on: ubuntu-latest
    permissions:
      id-token: write   # Required so the job can request an OIDC token
      contents: read    # This is required for actions/checkout@v2
    steps:
      - name: Checkout
        uses: actions/checkout@v2
      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@v1
        with:
          role-to-assume: ${{ secrets.AWS_ROLE_TO_ASSUME }}
          aws-region: ap-southeast-1
      - name: Login to Amazon ECR
        id: login-ecr
        uses: aws-actions/amazon-ecr-login@v1
      - name: Build, tag, and push the image to Amazon ECR
        id: build-image
        env:
          ECR_REGISTRY: ${{ steps.login-ecr.outputs.registry }}
          ECR_REPOSITORY: ${{ secrets.REPO_NAME }}
          IMAGE_TAG: latest
        run: |
          # Build a docker container and push it to ECR
          docker build -t $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG .
          echo "Pushing image to ECR..."
          docker push $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG
          echo "::set-output name=image::$ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG"

In this example, the action loads the OIDC token using the GitHub-provided environment variables and uses it to assume the role. The secret AWS_ROLE_TO_ASSUME contains a string like arn:aws:iam::<your_account_number>:role/my-github-actions-role, which the workflow references as a variable.

This exports temporary credentials into the environment of your GitHub Actions job. Exporting the credentials is optional, but if you don't, every call to AWS is made with the JWT token over OIDC, which means GitHub Actions has to answer each request with the verification key.
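The trust policy above and the role assumption described here meet in the condition block that STS evaluates before it hands out temporary credentials. The following is an added example, not code from this post or from AWS: a small model of that condition check, run against the post's trust policy (which constrains only the audience) and against a hardened variant that also pins the "sub" claim to one repository. Because the post's policy never mentions "sub", a token minted for any other GitHub repository carries the same audience and satisfies it. The account id 123456789012, the repository my-org/react-application-automation and the token claims are constructed placeholders; signature, issuer and expiry verification, which STS performs before this step, are omitted.

```python
"""Model of the trust-policy condition check behind sts:AssumeRoleWithWebIdentity.

Added example, not code from the post or from AWS. Policies, token claims,
account id and repository names are constructed for illustration.
"""
import re

OIDC = "token.actions.githubusercontent.com"
FEDERATED = f"arn:aws:iam::123456789012:oidc-provider/{OIDC}"  # constructed account id

# Trust policy as in the post: only the audience claim is constrained.
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": FEDERATED},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {"StringEquals": {f"{OIDC}:aud": "sts.amazonaws.com"}},
    }],
}

# Hardened variant: additionally pins the "sub" claim to one repository.
# The trailing "*" keeps the post's pull_request trigger working (those runs
# carry sub = repo:<owner>/<repo>:pull_request); use
# repo:<owner>/<repo>:ref:refs/heads/main instead if only main should deploy.
HARDENED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": FEDERATED},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {
            "StringEquals": {f"{OIDC}:aud": "sts.amazonaws.com"},
            "StringLike": {f"{OIDC}:sub": "repo:my-org/react-application-automation:*"},
        },
    }],
}

# Subset of the claims a GitHub OIDC token carries (values constructed).
OWN_REPO_TOKEN = {
    "iss": f"https://{OIDC}",
    "aud": "sts.amazonaws.com",
    "sub": "repo:my-org/react-application-automation:ref:refs/heads/main",
}
OTHER_REPO_TOKEN = {
    "iss": f"https://{OIDC}",
    "aud": "sts.amazonaws.com",
    "sub": "repo:someone-else/unrelated-repo:ref:refs/heads/main",
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _string_like(value, pattern):
    """IAM StringLike: '*' matches any run of characters, '?' exactly one."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value) is not None


def _conditions_match(condition, claims):
    """Every key under every operator must match the corresponding claim."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            provider, _, claim = key.partition(":")
            if provider != OIDC:
                return False
            actual = claims.get(claim)
            if actual is None:  # a missing claim never satisfies a condition
                return False
            if operator == "StringEquals":
                ok = actual in _as_list(expected)
            elif operator == "StringLike":
                ok = any(_string_like(actual, p) for p in _as_list(expected))
            else:
                raise ValueError(f"operator not modelled: {operator}")
            if not ok:
                return False
    return True


def can_assume_role(policy, claims):
    """True if some Allow statement for AssumeRoleWithWebIdentity matches the claims."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRoleWithWebIdentity" not in _as_list(stmt.get("Action", [])):
            continue
        if stmt.get("Principal", {}).get("Federated") != FEDERATED:
            continue
        if _conditions_match(stmt.get("Condition", {}), claims):
            return True
    return False


def statements_without_subject_condition(policy):
    """Indices of Allow statements that never constrain the 'sub' claim."""
    sub_key = f"{OIDC}:sub"
    return [
        i for i, stmt in enumerate(policy["Statement"])
        if stmt.get("Effect") == "Allow"
        and not any(sub_key in pairs for pairs in stmt.get("Condition", {}).values())
    ]


if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, "own repo:", can_assume_role(policy, OWN_REPO_TOKEN),
              "| other repo:", can_assume_role(policy, OTHER_REPO_TOKEN),
              "| statements missing sub:", statements_without_subject_condition(policy))
```

Running it shows the weak policy accepting both tokens while the hardened one accepts only the token whose "sub" names the intended repository; statements_without_subject_condition is the check to run over any role trust policy you attach to an OIDC provider before using it from a workflow.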
