GitHub Actions
Ever wondered whether you can tighten the security of the AWS credentials used by your GitHub Actions (the workflow/pipeline that lets a GitHub repository run actions for CI/CD)?
To keep things simple, people starting out with AWS are usually instructed to create an IAM user with a programmatic access key (with a caution to store it securely and never expose it to the public Internet).
For GitHub Actions, you can store that AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY in the repository's Secrets section, where they are kept securely. Wouldn't this suffice if you want them kept safe? Not quite: there is a better approach that keeps them even more secure.
AWS credentials are important and must be kept secret
Once exposed, the damage could be fatal, depending on the permissions granted to that identity. This is why least privilege is an important aspect when designing IAM users/roles to perform specific tasks.
AWS IAM Identity Provider (OIDC)
As long as the caller of AWS services is compatible with OIDCv2, you can securely exchange its OIDC token for a short-lived AWS session token that permits access to AWS services.
With this approach, you eliminate the need to embed AWS secrets (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY) in your GitHub Actions secrets and instead use role assumption to assume an IAM role ARN and perform actions in the selected accounts.
Step-by-step
1. Create an AWS IAM Identity Provider in your account with the AWS CLI:

   aws iam create-open-id-connect-provider \
     --url https://token.actions.githubusercontent.com \
     --client-id-list sts.amazonaws.com

   Alternatively, you can create one in the AWS Console under IAM --> Identity providers --> Add provider. Then choose OIDC and provide https://token.actions.githubusercontent.com as the Provider URL and sts.amazonaws.com as the Audience.
2. Create an IAM role with the following trust policy (and permission policies that match your use case):

   {
     "Version": "2012-10-17",
     "Statement": [
       {
         "Effect": "Allow",
         "Principal": {
           "Federated": "arn:aws:iam::<AWS_ACCOUNT_ID>:oidc-provider/token.actions.githubusercontent.com"
         },
         "Action": "sts:AssumeRoleWithWebIdentity",
         "Condition": {
           "StringEquals": {
             "token.actions.githubusercontent.com:aud": "sts.amazonaws.com",
             "token.actions.githubusercontent.com:sub": "repo:<GITHUB_ORG>/<GITHUB_REPOSITORY>:ref:refs/heads/<GITHUB_BRANCH>"
           }
         }
       }
     ]
   }

   ** Replace AWS_ACCOUNT_ID, GITHUB_ORG, GITHUB_REPOSITORY and ref:refs/heads/<GITHUB_BRANCH> to match your conditions.

3. In your GitHub Actions workflow, grant the job permission to write the OIDC ID token (see the following example):
# Need ID token write permission to use OIDC
permissions:
  id-token: write
jobs:
  run_job_with_aws:
    runs-on: ubuntu-latest
    steps:
      - name: Configure AWS Credentials
        uses: aws-actions/configure-aws-credentials@main # Or a specific version
        with:
          role-to-assume: <Role ARN you created in step 2>
          aws-region: <AWS Region you want to use>
      - name: Additional steps
        run: |
          # Your commands that require AWS credentials
          aws sts get-caller-identity
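The trust policy in step 2 is what keeps this role from being assumable by any GitHub repository, so it is worth checking before (and after) the role goes live. The following is an added example, not code from the original post or from aws-actions: it audits a trust policy document and reports a statement that trusts the GitHub OIDC provider without pinning the audience to sts.amazonaws.com, without a sub condition at all, with a sub pattern whose repository part is a wildcard, or with a placeholder left in place. The sample policy, account id and repository name are constructed values.

```python
import json

GH = "token.actions.githubusercontent.com"

# Constructed sample: the walkthrough's trust policy with the placeholders filled in
# (the account id and repository are made-up values).
GOOD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": f"arn:aws:iam::123456789012:oidc-provider/{GH}"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {"StringEquals": {
            f"{GH}:aud": "sts.amazonaws.com",
            f"{GH}:sub": "repo:example-org/example-repo:ref:refs/heads/main"}}}]})


def audit_trust_policy(doc: str) -> list:
    """Return findings for Allow statements that trust the GitHub OIDC provider; [] means clean."""
    findings = []
    for i, st in enumerate(json.loads(doc).get("Statement", [])):
        fed = st.get("Principal", {}).get("Federated", "")
        if st.get("Effect") != "Allow" or not fed.endswith(f"oidc-provider/{GH}"):
            continue  # not a GitHub OIDC statement, out of scope for this check
        if "<" in fed:
            findings.append(f"statement {i}: Federated ARN still contains a placeholder")
        # Flatten {operator: {key: value}} into key -> (operator, [values]); values may be str or list
        conds = {}
        for op, kv in st.get("Condition", {}).items():
            for key, val in kv.items():
                conds[key] = (op, val if isinstance(val, list) else [val])
        aud = conds.get(f"{GH}:aud")
        if aud is None or aud[1] != ["sts.amazonaws.com"]:
            findings.append(f"statement {i}: aud is not pinned to sts.amazonaws.com")
        sub = conds.get(f"{GH}:sub")
        if sub is None:
            findings.append(f"statement {i}: no sub condition, so a token from any GitHub repository is accepted")
            continue
        for pattern in sub[1]:
            parts = pattern.split(":")
            # The repository lives between "repo:" and the next ":" (e.g. repo:org/name:ref:...)
            repo = parts[1] if parts[0] == "repo" and len(parts) > 1 else ""
            if "<" in pattern:
                findings.append(f"statement {i}: sub {pattern!r} still contains a placeholder")
            elif not repo or "*" in repo or "?" in repo:
                findings.append(f"statement {i}: sub {pattern!r} is not pinned to one repository")
    return findings
```

Run it against the output of `aws iam get-role` (the AssumeRolePolicyDocument field) for each role that trusts the provider; a sub pattern such as repo:org/name:* passes the repository check but still admits every branch, tag and environment of that repository.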
And we're done. Very simple and neat: we now rely on the token exchange mechanism between GitHub and AWS and can remove the AWS secrets from GitHub (which, by security policy, should be rotated regularly even while kept secret; we no longer need to do that, which is one less task and keeps our security folks happy :)).
Conclusion
This walkthrough mostly wraps up the aws-actions GitHub content; it is easy to follow and can improve your security posture for AWS deployments.
By building it securely in the first place, you do not have to spend time retroactively improving it. Even so, improving security is always a good thing (especially when there is no performance drawback). I hope you find this a useful tip for enhancing your GitHub Actions with AWS.
Happy Coding. :)