GitHub Action for AWS API Gateway Requests with OIDC

This GitHub Action allows you to use your GitHub OIDC identity to make AWS SigV4 signed requests to API Gateway with IAM authentication.

Use Cases:

Publish workflow metrics, such as workflow/step duration, pass/fail, unit-test coverage, etc., from within your GitHub Actions workflows.
Send data to a backend service protected by IAM authorization by calling the appropriate API Gateway endpoint with a POST or PUT request.
Retrieve data from a backend service protected by IAM authorization by calling the appropriate API Gateway endpoint.
Proxy data directly to an AWS service like SQS, SNS, or Kinesis with an endpoint method AWS Service integration type.

In general, this action can be used to access any application that is fronted by AWS API Gateway and protected by IAM authorization.

Requirements:

GitHub OIDC provider configured within AWS - example CloudFormation
AWS IAM role with trust policy - example CloudFormation
AWS API Gateway endpoint with IAM authentication - example CloudFormation
- If this is the first time setting up an API Gateway with logging, you may also need to create an IAM role to grant API Gateway the permission to write to CloudWatch Logs

Usage

- uses: jveldboom/action-aws-apigw-oidc-request@v1
  with:
    # AWS IAM role arn to assume via OIDC
    # [Learn more about Github OIDC with AWS](https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services)
    aws-role-to-assume: ''

    # AWS region name (eg: us-east-2, us-west-2)
    # Note: the region must be the set to the region your API Gateway is hosted
    aws-region: ''

    # API Gateway URL
    url: ''

    # Request method (eg GET, POST, PUT)
    # Default: GET
    method: ''

    # Request headers in multi-line key: value format
    # headers: |
    #   content-type: application/json
    #   cache-control: max-age=0
    headers: ''

    # Request body payload in JSON string format
    # Example: '{"foo": "bar"}'
    payload: ''

    # Max number of request retries
    # Default: 0
    max-retries: ''

Outputs

status-code response status code
headers response headers
body response body

Example Usage

name: API Gateway Request

on: [ push ]

jobs:
  api-request:
    runs-on: ubuntu-latest

    permissions:
      id-token: write # required for OIDC
      contents: read

    steps:
      - uses: actions/checkout@v3

      - name: Call API Gateway
        id: call-api
        uses: jveldboom/action-aws-apigw-oidc-request@v1
        with:
          aws-role-to-assume: arn:aws:iam::123456789012:role/example-oidc-role
          aws-region: us-east-2
          url: http://example.com/auth/iam
          method: POST
          payload: '{"foo": "bar"}'
          max-retries: 3

      - name: Print response
        run: |
          echo "Status code: ${{ steps.api-request.outputs.status-code }}"
          echo "Headers: ${{ steps.api-request.outputs.headers }}"
          echo "Body: ${{ steps.api-request.outputs.body }}"

TODO

deploy example infrastructure on pushes to main

License

This action is licensed under the MIT License. See the LICENSE file for more information.

jveldboom / action-aws-apigw-oidc-request