AWSTemplateFormatVersion: 2010-09-09
# See https://github.com/aws-actions/configure-aws-credentials#sample-iam-role-cloudformation-template
# Creates an IAM role that a GitHub Actions workflow can assume via the GitHub OIDC provider,
# limited to one repository (and optionally one branch), with permission to publish to CodeArtifact.
Parameters:
  GitHubOrg:
    Type: String
  RepositoryName:
    Type: String
  BranchName:
    Type: String
    Default: "*"
  GitHubOIDCProviderArn:
    Type: String
Conditions:
  AllowAllBranches: !Equals
    - !Ref BranchName
    - "*"
Resources:
  RepositoryPublisherRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Action: sts:AssumeRoleWithWebIdentity
            Principal:
              Federated: !Ref GitHubOIDCProviderArn
            Condition:
              # Plain StringLike: aud and sub are single-valued claims that must be present and match.
              # ForAllValues:StringLike evaluates to true when a key is absent from the request context.
              StringLike:
                token.actions.githubusercontent.com:aud: sts.amazonaws.com
                token.actions.githubusercontent.com:sub: !If
                  - AllowAllBranches
                  - !Sub repo:${GitHubOrg}/${RepositoryName}:*
                  - !Sub repo:${GitHubOrg}/${RepositoryName}:ref:refs/heads/${BranchName}
      Policies:
        - PolicyName: publish-to-repo
          PolicyDocument:
            Version: 2012-10-17
            Statement:
              - Effect: Allow
                Action:
                  - codeartifact:GetAuthorizationToken
                  - codeartifact:GetRepositoryEndpoint
                  - codeartifact:PublishPackageVersion
                  - codeartifact:PutPackageMetadata
                  - sts:GetServiceBearerToken
                # Narrow this to the CodeArtifact domain, repository and package ARNs where possible.
                Resource: "*"
Outputs:
  RepositoryRoleArn:
    # Must reference the logical ID declared above (RepositoryPublisherRole).
    Value: !GetAtt RepositoryPublisherRole.Arn
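To check what the trust condition above will and will not accept before deploying it, here is an added example (not part of the gist) that emulates IAM's StringLike matching against constructed GitHub OIDC claim sets; the org, repository and branch values are made up, and the `sub` formats follow GitHub's documented `repo:<org>/<repo>:ref:refs/heads/<branch>` and `repo:<org>/<repo>:pull_request` shapes.

```python
import re


def string_like(pattern: str, value: str) -> bool:
    """Emulate IAM StringLike: case-sensitive, '*' matches any run, '?' one character."""
    regex = "".join(
        ".*" if ch == "*" else "." if ch == "?" else re.escape(ch) for ch in pattern
    )
    return re.fullmatch(regex, value) is not None


def trust_condition(org: str, repo: str, branch: str = "*") -> dict:
    """Render the Condition keys the template produces for the given parameters."""
    if branch == "*":  # AllowAllBranches
        sub = f"repo:{org}/{repo}:*"
    else:
        sub = f"repo:{org}/{repo}:ref:refs/heads/{branch}"
    return {
        "token.actions.githubusercontent.com:aud": "sts.amazonaws.com",
        "token.actions.githubusercontent.com:sub": sub,
    }


def would_allow(condition: dict, claims: dict) -> bool:
    """Plain StringLike semantics: every condition key must be present in the token and match."""
    for key, pattern in condition.items():
        claim = key.split(":", 1)[1]  # 'token.actions.githubusercontent.com:sub' -> 'sub'
        if claim not in claims or not string_like(pattern, claims[claim]):
            return False
    return True


# Constructed claim sets, shaped like the ones GitHub puts in its OIDC tokens.
PUSH_MAIN = {"aud": "sts.amazonaws.com", "sub": "repo:acme/widgets:ref:refs/heads/main"}
PUSH_FEATURE = {"aud": "sts.amazonaws.com", "sub": "repo:acme/widgets:ref:refs/heads/feature-x"}
PULL_REQUEST = {"aud": "sts.amazonaws.com", "sub": "repo:acme/widgets:pull_request"}
OTHER_REPO = {"aud": "sts.amazonaws.com", "sub": "repo:someone-else/widgets:ref:refs/heads/main"}
WRONG_AUD = {"aud": "https://github.com/acme", "sub": "repo:acme/widgets:ref:refs/heads/main"}


def branch_locked_report() -> dict:
    """Which constructed tokens a BranchName=main deployment would let assume the role."""
    cond = trust_condition("acme", "widgets", "main")
    return {name: would_allow(cond, claims) for name, claims in
            [("push_main", PUSH_MAIN), ("push_feature", PUSH_FEATURE),
             ("pull_request", PULL_REQUEST), ("other_repo", OTHER_REPO), ("wrong_aud", WRONG_AUD)]}
```

With the default `BranchName: "*"`, the same repository's pull_request and feature-branch tokens are accepted too, so pin the branch for roles that publish release artifacts.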