# AWS + Github OIDC setup

This repo contains the configuration to allow Github Actions free rein in the cloud.
The generated role is only allowed to be assumed by repositories under your user or organization.
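The owner-scoped trust relationship described above, as an added illustration in Python (not the contents of this repo's `cloudformation.yml`, which is not shown here): `trust_policy` builds a role trust policy whose `sub` condition is `repo:<owner>/*`, and `token_allowed` checks a token's claims against it the way IAM's StringEquals/StringLike conditions would. The account id, owner and claim values are constructed.

```python
import fnmatch

# Constructed values: the GitHub OIDC issuer host and the audience that
# aws-actions/configure-aws-credentials requests by default.
GITHUB_OIDC_HOST = "token.actions.githubusercontent.com"
AUDIENCE = "sts.amazonaws.com"


def trust_policy(account_id: str, owner: str) -> dict:
    """Trust policy letting only repositories under `owner` assume the role.

    A GitHub Actions token's `sub` claim has the form
    `repo:<owner>/<repo>:ref:refs/heads/<branch>` (or `...:environment:<env>`),
    so `repo:<owner>/*` admits that owner's repositories and nothing else.
    `account_id` is a placeholder, not a real account.
    """
    provider = f"arn:aws:iam::{account_id}:oidc-provider/{GITHUB_OIDC_HOST}"
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": provider},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "StringEquals": {f"{GITHUB_OIDC_HOST}:aud": AUDIENCE},
                "StringLike": {f"{GITHUB_OIDC_HOST}:sub": f"repo:{owner}/*"},
            },
        }],
    }


def token_allowed(policy: dict, claims: dict) -> bool:
    """Approximate IAM's condition evaluation for a set of token claims.

    StringEquals must match exactly; StringLike treats `*` and `?` as
    wildcards and is case-sensitive. True if any Allow statement's
    conditions are all satisfied; a missing claim never satisfies one.
    """
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        cond = stmt.get("Condition", {})
        equals_ok = all(claims.get(key) == want
                        for key, want in cond.get("StringEquals", {}).items())
        like_ok = all(key in claims and fnmatch.fnmatchcase(claims[key], want)
                      for key, want in cond.get("StringLike", {}).items())
        if equals_ok and like_ok:
            return True
    return False
```

The same `sub` condition can be narrowed further, for example to `repo:<owner>/<repo>:ref:refs/heads/main`, if only one repository or branch should be able to deploy.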
## Setup

- First, fork the repository.
- Change the default value from `Cloudbourn` to your Github username or organisation in `cloudformation.yml`.
- You cannot use Github Actions to deploy this stack for the first time since OIDC is not set up yet. Instead, perform the initial deployment from your local machine:

  ```sh
  AWS_REGION=eu-west-1 aws cloudformation deploy --stack-name github-oidc --template-file cloudformation.yml --capabilities CAPABILITY_IAM
  ```

  Retrieve the generated role name:

  ```sh
  AWS_REGION=eu-west-1 aws cloudformation describe-stack-resources --stack-name github-oidc --query "StackResources[?LogicalResourceId=='Role'].PhysicalResourceId" --output text
  ```

- Now modify the `role-to-assume` ARN in `deploy.yml` with your role name. Don't forget to update the AWS Account ID.
- If you forked the repository you need to explicitly go to Actions and enable workflows.
- Commit and push your changes.
## Usage in Github Actions

Here's a sample workflow using the OIDC role.

```yaml
name: Deploy
on:
  push:
    branches: [ main ]
jobs:
  deploy:
    name: Deploy
    runs-on: ubuntu-latest
    # Required to use OIDC
    permissions:
      id-token: write
      contents: read
    steps:
      - uses: actions/checkout@v2
      - name: Configure AWS Credentials
        uses: aws-actions/configure-aws-credentials@v1
        with:
          role-to-assume: arn:aws:iam::479330620126:role/github-oidc-Role-1DNEHO655IPHU
          aws-region: eu-west-1
      - name: Build
        ...
      - name: Publish front-end
        run: aws s3 sync . s3://cloudbourn-website
```