Setting up a GitHub pipeline often involves initiating resource deployment on cloud platforms like AWS. To accomplish this, a secure authentication mechanism between GitHub Actions and your AWS account is necessary. This blog explores the use of OpenID Connect (OIDC) for secure authentication and provides a detailed example of configuring a GitHub Actions workflow for AWS resource deployment.
Why Authentication is Necessary
To enable GitHub Actions to interact with AWS and create resources, you need a way to authenticate GitHub with your AWS account. Traditionally, this was done using static credentials like a username and password, but this approach poses significant security risks. Instead, the OIDC method provides a more secure and scalable solution.
Using OIDC for Secure Authentication
OIDC allows you to configure a trusted relationship between GitHub and AWS. This method involves setting up a provider in AWS IAM, specifically token.actions.githubusercontent.com, and assigning a role to this provider. This role can then be stored in GitHub as a secret. Here’s a step-by-step guide to achieving this:
-
Configure OIDC Provider in AWS IAM:
- In the AWS Management Console, go to IAM and create an identity provider.
- Select OpenID Connect as the provider type.
- Set the provider URL to https://token.actions.githubusercontent.com.
- Add sts.amazonaws.com to the audience.
-
Create an IAM Role:
- Create a new role in IAM and select the newly created OIDC provider as the trusted entity.
- Assign necessary permissions to this role to allow it to interact with your AWS resources.
- Restrict permissions to ensure that only the intended services and resources can be accessed or modified by GitHub Actions using this role.
- Store the Role ARN in GitHub Secrets: Go to your GitHub repository settings and add a new secret named AWS_ROLE_ARN with the value being the ARN of the IAM role created in the previous step.
Advantages of Using OIDC
- Enhanced Security: Instead of using static credentials, GitHub assumes the role and receives temporary credentials for deployment. This minimizes the risk of credential leaks.
- Fine-Grained Access Control: You can define precise permissions for the IAM role, ensuring that GitHub Actions can only perform specific actions on your AWS account.
Configuring GitHub Actions Workflow
To utilize the IAM role with OIDC, you can use the aws-actions/configure-aws-credentials@v1 GitHub Action. Ensure that your GitHub workflow includes the necessary permissions (id-token: write and contents: read) to allow GitHub Actions to perform AWS token exchange successfully.
Here is an example of a GitHub Actions workflow file for deploying AWS resources using Terraform:
name: Deploy
on:
push:
branches:
- main
jobs:
terraform:
runs-on: ubuntu-latest
permissions:
id-token: write
contents: read
steps:
- name: Checkout repository
uses: actions/checkout@v2
- name: Configure AWS Credentials
id: aws-creds
uses: aws-actions/configure-aws-credentials@v1
with:
role-to-assume: ${{ secrets.AWS_ROLE_ARN }}
aws-region: us-east-1
- name: Interacting with AWS
run: aws lambda update-function-code --function-name my-lambda-function --zip-file fileb://my-lambda-package.zip
Breakdown of the Workflow
- Checkout Repository: This step checks out the repository to access the code.
- Configure AWS Credentials: This step configures AWS credentials using the IAM role. The role to assume and AWS region are specified.
- Interacting with AWS: This step runs a command to update the AWS Lambda function code. You can replace this with any AWS CLI command relevant to your deployment.
Conclusion
Using OIDC for authentication between GitHub Actions and AWS is a secure and efficient method for deploying resources. By setting up an OIDC provider, creating a restricted IAM role, and configuring your GitHub Actions workflow correctly, you can ensure secure and seamless interactions with your AWS account. This approach not only enhances security but also simplifies the management of credentials and permissions.
Top comments (0)