Secure AWS Deployments Using OIDC in GitHub Actions

Adding the identity provider to AWS

Open the AWS IAM console, select "Identity providers", and click "Add provider":

  • For the "Provider type": Select "OpenID Connect"
  • For the "Provider URL": Use https://token.actions.githubusercontent.com
  • For the "Audience": Use sts.amazonaws.com

Configuring the role and trust policy on AWS

Open the AWS IAM console, select "Roles", and click "Create role":

Step 1: Select trusted entity

  • For the "Trusted entity type": Select "Web identity"
  • For the "Identity provider": Select "token.actions.githubusercontent.com"
  • For the "Audience": Select "sts.amazonaws.com"
  • For the "GitHub organization": GitHub organization name
  • For the "GitHub repository - optional": GitHub repository name
  • For the "GitHub branch - optional": GitHub branch name

Click "Next"

Step 2: Add permissions

Don't select any "Permissions policies" here; a narrowly scoped policy is attached to the role afterwards (see "Attaching permissions to the IAM role" below).

Click "Next"

Step 3: Name, review, and create

  • Role name: Enter a meaningful name to identify this role.
  • Description - optional: Add a short explanation for this role.

Click "Create role"

Trust Policy Example

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Federated": "arn:aws:iam::<AWS ACCOUNT ID>:oidc-provider/token.actions.githubusercontent.com"
            },
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "StringEquals": {
                    "token.actions.githubusercontent.com:aud": "sts.amazonaws.com"
                },
                "StringLike": {
                    "token.actions.githubusercontent.com:sub": [
                        "repo:<GitHub org>/*",
                        "repo:<GitHub org>/<GitHub repo>:*",
                        "repo:<GitHub org>/<GitHub repo>:ref:refs/heads/<GitHub branch>"
                    ]
                }
            }
        }
    ]
}

The three "sub" patterns are listed together only to show the options (IAM policy documents do not accept comments, so they are explained here instead). A token matching any one of the listed patterns is allowed, so keep only the narrowest pattern your deployment needs:

  • "repo:<GitHub org>/*" grants access to all repos in the org
  • "repo:<GitHub org>/<GitHub repo>:*" grants access to any branch within the repository
  • "repo:<GitHub org>/<GitHub repo>:ref:refs/heads/<GitHub branch>" grants access to a specific branch only
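To see what each "sub" pattern actually admits, here is an added example (not part of the original page) that evaluates a trust policy against a token's aud/sub claims with IAM's StringLike wildcard semantics and flags patterns broader than one repository on one branch. The policy below is the page's example with made-up placeholder values (account 123456789012, org "example-org", repo "api", branch "main"); it also goes beyond the page in showing that "repo:<org>/<repo>:*" admits pull_request tokens, which have a sub of the form "repo:<org>/<repo>:pull_request".

```python
import json
import re

ISSUER = "token.actions.githubusercontent.com"

# Constructed sample: the page's trust policy with its placeholders filled in
# (made-up account id, org "example-org", repo "api", branch "main").
TRUST_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow",
    "Principal": {"Federated": "arn:aws:iam::123456789012:oidc-provider/%s"},
    "Action": "sts:AssumeRoleWithWebIdentity",
    "Condition": {"StringEquals": {"%s:aud": "sts.amazonaws.com"},
                  "StringLike": {"%s:sub": "repo:example-org/api:ref:refs/heads/main"}}}]
}""" % (ISSUER, ISSUER, ISSUER))

def _as_list(v):
    return v if isinstance(v, list) else [v]

def string_like(pattern, value):
    """IAM StringLike semantics: '*' matches any run of characters, '?' exactly one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None

def assume_allowed(policy, claims):
    """True if an Allow statement for AssumeRoleWithWebIdentity matches the token's claims.
    Only StringEquals/StringLike are modelled (all this policy uses); as in IAM, a claim
    that no condition mentions is simply not checked."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or "sts:AssumeRoleWithWebIdentity" not in _as_list(stmt["Action"]):
            continue
        ok = True
        for op, match in (("StringEquals", lambda p, v: p == v), ("StringLike", string_like)):
            for key, patterns in stmt.get("Condition", {}).get(op, {}).items():
                claim = claims.get(key.split(":", 1)[1], "")  # "<issuer>:sub" -> token claim "sub"
                ok = ok and any(match(p, claim) for p in _as_list(patterns))
        if ok:
            return True
    return False

def lint_sub_patterns(patterns):
    """Flag sub patterns broader than one repository on one branch; empty list means clean."""
    findings = []
    for s in _as_list(patterns):
        repo = s.split(":")[1] if s.startswith("repo:") else ""
        if "*" in repo or "?" in repo:
            findings.append(s + ": wildcard in repository, every matching repo may assume the role")
        elif s.endswith(":*"):
            findings.append(s + ": any ref, including pull_request runs and feature branches, may assume the role")
    return findings
```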

Attaching permissions to the IAM role (AWS)

Attach a policy to the role that allows only the actions and resources the deployment needs (placeholders are shown as strings; IAM policy documents do not accept comments):

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Statement1",
            "Effect": "Allow",
            "Action": [
                "<service>:<action>"
            ],
            "Resource": [
                "arn:aws:<service>:<region>:<account-id>:..."
            ]
        }
    ]
}

Grants permission to update the specified Lambda function's code:

"Action": [
    "lambda:UpdateFunctionCode"
],
"Resource": [
    "arn:aws:lambda:<region>:<account-id>:function:<function-name>"
]

GitHub Actions workflow

Use the aws-actions/configure-aws-credentials action to exchange the job's OIDC token (a JWT issued by the GitHub OIDC provider) for temporary AWS credentials: the action presents the JWT to AWS STS, which returns short-lived credentials for the role. The workflow or job must also grant "permissions: id-token: write", otherwise GitHub does not issue the OIDC token and the step fails.

- name: Configure AWS Credentials
  uses: aws-actions/configure-aws-credentials@v<Version>
  with:
    role-to-assume: arn:aws:iam::<AWS account id>:role/<AWS IAM role name>
    aws-region: <AWS region>

Also