sent2020 for AWS Community Builders

AWS deployment from GitHub Actions with OIDC

GitHub Actions is a continuous integration and continuous delivery (CI/CD) platform that lets you automate your build, test, and deployment pipeline. Until AWS added support for OIDC, long-lived access keys and secret keys had to be used to make deployments from GitHub Actions.

Configuring OpenID Connect in AWS and role creation

  • Create GitHub as an identity provider in AWS IAM with the values below:
    Provider URL: https://token.actions.githubusercontent.com
    Audience: sts.amazonaws.com

Configure the role with the trust policy below. Replace the GitHub org and repo details with those of your organization, and replace the AWS account id as well.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Federated": "arn:aws:iam::123456123456:oidc-provider/token.actions.githubusercontent.com"
            },
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "StringLike": {
                    "token.actions.githubusercontent.com:sub": "repo:git-org/git-repo:*"
                },
                "ForAllValues:StringEquals": {
                    "token.actions.githubusercontent.com:iss": "https://token.actions.githubusercontent.com",
                    "token.actions.githubusercontent.com:aud": "sts.amazonaws.com"
                }
            }
        }
    ]
}
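To make the trust policy's conditions concrete, here is an added example (my own code, not from the post or the sent2020/aws-oidc repo) that models how IAM evaluates the StringLike and ForAllValues:StringEquals operators against the claims GitHub places in its OIDC token, using the policy JSON from the post verbatim. The token claims are constructed in the shapes GitHub documents for the sub claim (repo:<org>/<repo>:ref:refs/heads/<branch>, repo:<org>/<repo>:pull_request); the evaluator is a simplified model that supports only the operators the policy uses. It shows that repo:git-org/git-repo:* admits any branch, tag, pull request or environment of that repository, how pinning the pattern to one branch changes the result, and that ForAllValues evaluates to true when the claim is absent, which is why a plain StringEquals is the stricter choice for a single-valued claim such as aud.

```python
"""Model of how the post's IAM trust policy evaluates a GitHub OIDC token (added example)."""
import copy
import json
import re

PROVIDER = "token.actions.githubusercontent.com"

# The trust policy from the post; the account id and org/repo are the post's placeholders.
TRUST_POLICY = json.loads("""
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Federated": "arn:aws:iam::123456123456:oidc-provider/token.actions.githubusercontent.com"
            },
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "StringLike": {
                    "token.actions.githubusercontent.com:sub": "repo:git-org/git-repo:*"
                },
                "ForAllValues:StringEquals": {
                    "token.actions.githubusercontent.com:iss": "https://token.actions.githubusercontent.com",
                    "token.actions.githubusercontent.com:aud": "sts.amazonaws.com"
                }
            }
        }
    ]
}
""")

# Constructed token claims in the shapes GitHub documents for its OIDC token.
MAIN_BRANCH_TOKEN = {"iss": f"https://{PROVIDER}", "aud": "sts.amazonaws.com",
                     "sub": "repo:git-org/git-repo:ref:refs/heads/main"}
PULL_REQUEST_TOKEN = {**MAIN_BRANCH_TOKEN, "sub": "repo:git-org/git-repo:pull_request"}
OTHER_REPO_TOKEN = {**MAIN_BRANCH_TOKEN, "sub": "repo:git-org/other-repo:ref:refs/heads/main"}
WRONG_AUDIENCE_TOKEN = {**MAIN_BRANCH_TOKEN, "aud": "https://github.com/git-org"}


def iam_string_like(pattern: str, value: str) -> bool:
    """IAM StringLike: case-sensitive, '*' matches any run of characters, '?' exactly one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None


def condition_allows(condition: dict, claims: dict) -> bool:
    """Simplified model of IAM condition evaluation for the operators used in the post.

    Every operator block must be satisfied. StringLike and StringEquals fail when the
    claim is missing; ForAllValues:StringEquals evaluates to true for a missing claim
    (IAM's documented behaviour), so it is weaker than StringEquals for a single value.
    """
    for operator, checks in condition.items():
        for key, expected in checks.items():
            allowed = expected if isinstance(expected, list) else [expected]
            actual = claims.get(key)
            present = [] if actual is None else (actual if isinstance(actual, list) else [actual])
            if operator == "StringLike":
                if not any(iam_string_like(p, v) for p in allowed for v in present):
                    return False
            elif operator == "StringEquals":
                if not any(v in allowed for v in present):
                    return False
            elif operator == "ForAllValues:StringEquals":
                if not all(v in allowed for v in present):  # vacuously true when absent
                    return False
            else:
                raise ValueError(f"operator not modelled: {operator}")
    return True


def trust_policy_allows(policy: dict, token_claims: dict) -> bool:
    """True if some Allow statement for sts:AssumeRoleWithWebIdentity accepts the token."""
    claims = {f"{PROVIDER}:{k}": v for k, v in token_claims.items()}
    return any(
        stmt.get("Effect") == "Allow"
        and stmt.get("Action") == "sts:AssumeRoleWithWebIdentity"
        and condition_allows(stmt.get("Condition", {}), claims)
        for stmt in policy["Statement"]
    )


def with_sub_pattern(policy: dict, pattern: str) -> dict:
    """Copy of the policy with the sub condition replaced, e.g. to pin it to one branch."""
    tightened = copy.deepcopy(policy)
    tightened["Statement"][0]["Condition"]["StringLike"][f"{PROVIDER}:sub"] = pattern
    return tightened


if __name__ == "__main__":
    for name, token in [("main branch", MAIN_BRANCH_TOKEN), ("pull request", PULL_REQUEST_TOKEN),
                        ("other repo", OTHER_REPO_TOKEN), ("wrong audience", WRONG_AUDIENCE_TOKEN)]:
        print(f"{name:15} -> {'ALLOW' if trust_policy_allows(TRUST_POLICY, token) else 'DENY'}")
    pinned = with_sub_pattern(TRUST_POLICY, "repo:git-org/git-repo:ref:refs/heads/main")
    print("pull request against branch-pinned policy ->",
          "ALLOW" if trust_policy_allows(pinned, PULL_REQUEST_TOKEN) else "DENY")
```

Running the script shows the post's policy allowing both the main-branch and pull-request tokens from git-org/git-repo while denying a token from another repository or with a different audience; after pinning the sub pattern to refs/heads/main, the pull-request token is denied as well.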

The permission policy attached to the role depends on the actions the workflow performs in the AWS account. Here an S3 permission is assigned for demo purposes.

{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": "s3:ListBucket",
    "Resource": "*"
  }
}

GitHub Actions workflow

The permissions below need to be added to the workflow YAML for use in GitHub Actions:

permissions:
  id-token: write # required to use OIDC authentication
  contents: read # This is required for actions/checkout@v2

Below is the GitHub Actions workflow file, which lists the buckets in an AWS account and then lists the buckets in another account using cross-account access.

In the step Assume execution role, cross-account access is achieved by reusing the credentials of the previously assumed role, which the first step exported as environment variables, to assume the role in the other account.

name: Hello from AWS
on:
  push:
permissions:
  id-token: write
  contents: read
jobs:
  greeting:
    runs-on: ubuntu-latest
    steps:
    - name: Configure AWS credentials
      uses: aws-actions/configure-aws-credentials@v1
      with:
        aws-region: us-east-1
        role-to-assume: arn:aws:iam::123456789:role/github-actions
    - name: Print assumed role
      run: aws sts get-caller-identity
    - name: s3 list 
      run: aws s3 ls
    - name: Assume execution role
      uses: aws-actions/configure-aws-credentials@v1
      with:
        aws-access-key-id: ${{ env.AWS_ACCESS_KEY_ID }}
        aws-region: us-east-1
        aws-secret-access-key: ${{ env.AWS_SECRET_ACCESS_KEY }}
        aws-session-token: ${{ env.AWS_SESSION_TOKEN }}
        role-duration-seconds: 3000
        role-skip-session-tagging: true
        role-to-assume: arn:aws:iam::123456789:role/github-cross-role
    - name: Print assumed role
      run: aws sts get-caller-identity
    - name: s3 list 
      run: aws s3 ls

Reference workflow can be found in the repo https://github.com/sent2020/aws-oidc
