CAUTION!! GitHub has not announced the ID token for GitHub Actions as generally available (GA). Do not use this feature in production: breaking changes could be introduced at any moment.
Test out AssumeRoleWithWebIdentity using an ID token issued by the GitHub OIDC provider. All AWS resources are deployed with Terraform.
- tfenv
- AWS account
Prepare your Terraform variable file.
cp terraform.tfvars .terraform.tfvars
Replace YOUR_AWS_ACCOUNT_ID in .terraform.tfvars and .github/workflows/main.yml with your AWS account ID.
Also replace client_id_list with your repository URL (https://github.com/OWNER/REPO). This is the aud claim GitHub puts in the ID token by default, and the IAM identity provider only accepts tokens whose aud is in client_id_list.
tfenv install
Deploy the IAM identity provider and the IAM role to be assumed, called GitHubActions, with the commands below.
terraform init -var-file .terraform.tfvars
terraform plan -var-file .terraform.tfvars
terraform apply -var-file .terraform.tfvars
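The following is an added example, not the Terraform in this repository, of what the two steps above deploy: the IAM OIDC identity provider for GitHub Actions and the GitHubActions role with a trust policy that conditions on both the aud and the sub claim of the ID token. It assumes the variable names `aws_account_id` and `github_repository` (owner/repo form), uses the hashicorp/tls `tls_certificate` data source to obtain the provider thumbprint instead of hard-coding it, and the branch name mentioned in the comment is only an illustration. The caveat worth knowing: client_id_list restricts only the audience, and a workflow in any repository can request an arbitrary audience, so the sub condition is what actually pins the role to your repository.

```hcl
# Added example (not the repository's own Terraform code).
# Assumed variables: aws_account_id, github_repository ("owner/repo").

terraform {
  required_providers {
    aws = { source = "hashicorp/aws" }
    tls = { source = "hashicorp/tls" }
  }
}

variable "aws_account_id" {
  type        = string
  description = "Target AWS account ID (assumed variable name)"
}

variable "github_repository" {
  type        = string
  description = "GitHub repository in owner/repo form (assumed variable name)"
}

# Refuse to apply against any account other than the one in the tfvars file.
provider "aws" {
  allowed_account_ids = [var.aws_account_id]
}

locals {
  github_oidc_url = "https://token.actions.githubusercontent.com"
  # GitHub sets aud to the repository URL unless the workflow asks for a custom audience.
  github_audience = "https://github.com/${var.github_repository}"
}

# Fetch the provider's TLS chain so the thumbprint is derived, not hard-coded.
data "tls_certificate" "github" {
  url = "${local.github_oidc_url}/.well-known/openid-configuration"
}

resource "aws_iam_openid_connect_provider" "github" {
  url             = local.github_oidc_url
  client_id_list  = [local.github_audience]
  thumbprint_list = [data.tls_certificate.github.certificates[0].sha1_fingerprint]
}

data "aws_iam_policy_document" "github_actions_trust" {
  statement {
    effect  = "Allow"
    actions = ["sts:AssumeRoleWithWebIdentity"]

    principals {
      type        = "Federated"
      identifiers = [aws_iam_openid_connect_provider.github.arn]
    }

    # aud alone is not enough: any repository's workflow can request this audience.
    condition {
      test     = "StringEquals"
      variable = "token.actions.githubusercontent.com:aud"
      values   = [local.github_audience]
    }

    # sub is what ties the role to this repository. For production, narrow it
    # further, e.g. "repo:${var.github_repository}:ref:refs/heads/main".
    condition {
      test     = "StringLike"
      variable = "token.actions.githubusercontent.com:sub"
      values   = ["repo:${var.github_repository}:*"]
    }
  }
}

resource "aws_iam_role" "github_actions" {
  name               = "GitHubActions"
  assume_role_policy = data.aws_iam_policy_document.github_actions_trust.json
}

output "github_actions_role_arn" {
  value = aws_iam_role.github_actions.arn
}
```

Run it with the same `terraform init/plan/apply -var-file .terraform.tfvars` sequence; the `github_actions_role_arn` output is the value the workflow passes as the role to assume.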
Trigger your GitHub Actions workflow manually. Then you can find the assumed IAM role information with aws sts get-caller-identity: the Arn in its output should contain assumed-role/GitHubActions/. If the workflow cannot obtain an ID token at all, check that the job grants the id-token: write permission.
This is inspired by the following materials.