The latest articles on DEV Community by Gaurish Naik (@gaurishxjfk). https://dev.to/gaurishxjfk https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F2193592%2Fd705033a-dbbf-4afe-908e-4e2bc16c16ab.jpg https://dev.to/gaurishxjfk en Gaurish Naik Sun, 13 Apr 2025 09:17:14 +0000 https://dev.to/gaurishxjfk/deploy-static-web-apps-to-aws-s3-using-github-actions-45lb https://dev.to/gaurishxjfk/deploy-static-web-apps-to-aws-s3-using-github-actions-45lb <p>This guide will help you securely deploy a static web application (e.g., Next.js, Vite) to an AWS S3 bucket using GitHub Actions and an IAM Role.</p> <h2> Step 1: Create an IAM Role in AWS </h2> <ol> <li> <strong>Log in to the AWS Management Console</strong> and navigate to <strong>IAM &gt; Roles</strong>.</li> <li>Click <strong>Create Role</strong>.</li> <li>Select <strong>Web Identity</strong> as the trusted entity type.</li> <li>Under <strong>Identity Provider</strong>, choose <code>token.actions.githubusercontent.com</code>. If it doesn’t exist: <ul> <li>Click <strong>Create Provider</strong>.</li> <li>Set <strong>Provider Type</strong> to <strong>OpenID Connect</strong>.</li> <li>Enter <code>token.actions.githubusercontent.com</code> as the <strong>Provider URL</strong>.</li> <li>Set <strong>sts.amazonaws.com</strong> as the <strong>Audience</strong>.</li> <li>Click <strong>Save</strong>.</li> </ul> </li> <li>Return to the <strong>Create Role</strong> screen, select <code>token.actions.githubusercontent.com</code>, and confirm <strong>sts.amazonaws.com</strong> as the audience.</li> <li> <strong>Add Permissions</strong>: Choose a policy like <code>AdministratorAccess</code> (for simplicity) or a custom policy with least privilege for production.</li> <li> <strong>Set Trust Policy</strong>: Ensure the policy matches the following (replace placeholders with your values): </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"Version"</span><span class="p">:</span><span class="w"> </span><span class="s2">"2012-10-17"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Statement"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Effect"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Allow"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Principal"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Federated"</span><span class="p">:</span><span class="w"> </span><span class="s2">"arn:aws:iam::&lt;AWS_ACCOUNT_ID&gt;:oidc-provider/token.actions.githubusercontent.com"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"Action"</span><span class="p">:</span><span class="w"> </span><span class="s2">"sts:AssumeRoleWithWebIdentity"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Condition"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"StringEquals"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"token.actions.githubusercontent.com:aud"</span><span class="p">:</span><span class="w"> </span><span class="s2">"sts.amazonaws.com"</span><span class="p">,</span><span class="w"> </span><span class="nl">"token.actions.githubusercontent.com:sub"</span><span class="p">:</span><span class="w"> </span><span class="s2">"repo:&lt;GITHUB_USERNAME&gt;/&lt;REPO_NAME&gt;:ref:refs/heads/&lt;BRANCH_NAME&gt;"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <ol> <li> <strong>Name the Role</strong> (e.g., <code>GitHubActionsRole</code>) and click <strong>Create Role</strong>.</li> </ol> <h2> Step 2: Configure GitHub Repository Secrets </h2> <ol> <li>Go to your <strong>GitHub repository</strong>.</li> <li>Navigate to <strong>Settings &gt; Secrets and Variables &gt; Actions</strong>.</li> <li>Add the following secrets: <ul> <li> <code>AWS_ROLE_ARN</code>: The ARN of the IAM role (e.g., <code>arn:aws:iam::&lt;AWS_ACCOUNT_ID&gt;:role/GitHubActionsRole</code>).</li> <li> <code>AWS_REGION</code>: Your AWS region (e.g., <code>us-east-1</code>).</li> <li> <code>S3_BUCKET</code>: The name of your S3 bucket (e.g., <code>my-app-bucket</code>).</li> </ul> </li> </ol> <h2> Step 3: Create a GitHub Actions Workflow </h2> <ol> <li>In your repository, create a file at <code>.github/workflows/deploy.yml</code>.</li> <li>Add the following YAML configuration to automate the deployment to S3: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">name</span><span class="pi">:</span> <span class="s">Deploy to S3</span> <span class="na">on</span><span class="pi">:</span> <span class="na">push</span><span class="pi">:</span> <span class="na">branches</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">main</span> <span class="na">permissions</span><span class="pi">:</span> <span class="na">id-token</span><span class="pi">:</span> <span class="s">write</span> <span class="na">contents</span><span class="pi">:</span> <span class="s">read</span> <span class="na">jobs</span><span class="pi">:</span> <span class="na">deploy</span><span class="pi">:</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@v3</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Configure AWS Credentials</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">aws-actions/configure-aws-credentials@v2</span> <span class="na">with</span><span class="pi">:</span> <span class="na">role-to-assume</span><span class="pi">:</span> <span class="s">${{ secrets.AWS_ROLE_ARN }}</span> <span class="na">aws-region</span><span class="pi">:</span> <span class="s">${{ secrets.AWS_REGION }}</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Verify AWS Role Assumption</span> <span class="na">run</span><span class="pi">:</span> <span class="s">aws sts get-caller-identity</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Install Dependencies</span> <span class="na">run</span><span class="pi">:</span> <span class="s">npm install</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Build Application</span> <span class="na">run</span><span class="pi">:</span> <span class="s">npm run build</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Deploy Next.js to S3</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">if [ -d "out" ]; then</span> <span class="s">echo "✅ Found 'out/' directory (Next.js export). Deploying..."</span> <span class="s">aws s3 sync out/ s3://${{ secrets.S3_BUCKET }}/ --delete --cache-control "public, max-age=0, must-revalidate"</span> <span class="s">else</span> <span class="s">echo "❌ 'out/' directory not found. Build may have failed."</span> <span class="s">exit 1</span> <span class="s">fi</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Deploy Vite to S3</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">if [ -d "dist" ]; then</span> <span class="s">echo "✅ Found 'dist/' directory (Vite). Deploying..."</span> <span class="s">aws s3 sync dist/ s3://${{ secrets.S3_BUCKET }}/ --delete --cache-control "public, max-age=0, must-revalidate"</span> <span class="s">else</span> <span class="s">echo "❌ 'dist/' directory not found. Build may have failed."</span> <span class="s">exit 1</span> <span class="s">fi</span> </code></pre> </div> <h2> Explanation of the Workflow </h2> <ul> <li> <strong>Trigger</strong>: The workflow is triggered when a push is made to the <code>main</code> branch.</li> <li> <strong>Permissions</strong>: Grants access to the GitHub OIDC token and repository contents.</li> <li> <strong>Steps</strong>: <ol> <li> <strong>Checkout code</strong>: Uses <code>actions/checkout</code> to pull the latest code.</li> <li> <strong>Configure AWS Credentials</strong>: Uses <code>aws-actions/configure-aws-credentials</code> to authenticate using the IAM role.</li> <li> <strong>Verify Role Assumption</strong>: Confirms that the AWS role has been assumed successfully.</li> <li> <strong>Install Dependencies</strong>: Runs <code>npm install</code> to install the necessary packages.</li> <li> <strong>Build Application</strong>: Executes <code>npm run build</code> to generate the production build.</li> <li> <strong>Deploy to S3</strong>: Syncs the build output (either <code>out/</code> for Next.js or <code>dist/</code> for Vite) to the S3 bucket, ensuring the removal of outdated files and setting proper cache headers.</li> </ol> </li> </ul> <h2> Notes </h2> <ul> <li> <strong>Replace placeholders</strong>: Ensure that you replace <code>&lt;AWS_ACCOUNT_ID&gt;</code>, <code>&lt;GITHUB_USERNAME&gt;</code>, <code>&lt;REPO_NAME&gt;</code>, and <code>&lt;BRANCH_NAME&gt;</code> with your actual values.</li> <li> <strong>Least-privilege policy</strong>: For production environments, use a least-privilege IAM policy instead of <code>AdministratorAccess</code>.</li> <li> <strong>S3 static website hosting</strong>: If you’re serving the app directly from S3, make sure your S3 bucket is configured for static website hosting.</li> </ul> aws githubactions vite cicd