Some rough CloudFormation to add OIDC support for GitHub Actions in AWS.
- Create a new identity provider for GitHub. 1b511abead59c6ce207077c0bf0e0043b1382612 is GitHub's thumbprint at the time of writing; it is the SHA-1 fingerprint of the intermediate CA certificate that signs the token.actions.githubusercontent.com certificate, so it changes whenever GitHub's certificate chain rotates. Verify the current value with openssl before you deploy (the second sed drops the leaf certificate so that the fingerprint is taken from the first intermediate):

```shell
$ openssl s_client -servername token.actions.githubusercontent.com -showcerts -connect token.actions.githubusercontent.com:443 < /dev/null 2>/dev/null \
    | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' \
    | sed "0,/-END CERTIFICATE-/d" > certificate.crt
$ openssl x509 -in certificate.crt -fingerprint -noout | cut -f2 -d'=' | tr -d ':' | tr '[:upper:]' '[:lower:]'
1b511abead59c6ce207077c0bf0e0043b1382612
```

IAM has since started checking this endpoint against its own list of trusted CAs as well, but keep ThumbprintList populated with the current value anyway.
```yaml
GitHubIdentityProvider:
  Type: AWS::IAM::OIDCProvider
  Properties:
    Url: https://token.actions.githubusercontent.com
    ThumbprintList:
      - 1b511abead59c6ce207077c0bf0e0043b1382612
    ClientIdList:
      - sts.amazonaws.com
```
- Create the IAM role that the GitHub Actions job will assume. It should carry only the permissions the workflow actually needs; use ManagedPolicyArns to attach a custom managed policy (or an AWS managed one). The `!Ref ManagedPolicyARN` below refers to a template parameter holding that policy's ARN, so declare it in the Parameters section. Replace the 1s with your account ID. The trust policy is the real security boundary here: aud must equal sts.amazonaws.com, and the sub condition decides which workflows may assume the role. GitHub's sub claim has the form `repo:<org>/<repo>:<context>`, where `<context>` is `ref:refs/heads/<branch>` (or `refs/tags/<tag>`), `environment:<name>`, or `pull_request`, so the StringLike pattern has to account for that trailing segment: `repo:my-org/my-repo:ref:refs/heads/main` pins one branch, `repo:my-org/my-repo:*` allows any workflow in the repo, and `repo:my-org/*` allows every repo in the org. A pattern with no context segment and no trailing wildcard never matches, and a bare `*` would let any repository on github.com assume the role.
```yaml
GitHubActionsServiceRole:
  Type: AWS::IAM::Role
  Properties:
    AssumeRolePolicyDocument:
      Version: "2012-10-17"
      Statement:
        - Sid: RoleForGitHubActions
          Effect: Allow
          Principal:
            Federated: arn:aws:iam::111111111111:oidc-provider/token.actions.githubusercontent.com
          Action:
            - sts:AssumeRoleWithWebIdentity
          Condition:
            StringEquals:
              "token.actions.githubusercontent.com:aud": "sts.amazonaws.com"
            StringLike:
              # narrow this further, e.g. repo:{ORG}/{REPO}:ref:refs/heads/main for one branch,
              # or repo:{ORG}/* to trust every repository in the org
              "token.actions.githubusercontent.com:sub": "repo:{YOUR_GITHUB_ORG}/{YOUR_GITHUB_REPO}:*"
    Description: Service Role for use in GitHub Actions
    ManagedPolicyArns:
      - !Ref ManagedPolicyARN   # template parameter holding the policy ARN
    RoleName: GithubActionsRole
```
- Put both resources (plus the ManagedPolicyARN parameter) into one template and deploy it.
- The only thing left is to modify your GitHub workflow to request AWS credentials for the role ARN above. The job must grant itself the id-token: write permission, otherwise GitHub will not mint the OIDC token. Note that declaring any permissions block sets every permission you do not list to none, so add contents: read if the job also checks out the repository. Once again, replace the 1s with your account ID and set the region.
```yaml
jobs:
  deploy:
    runs-on: ubuntu-latest
    permissions:
      id-token: write
    steps:
      - name: Configure AWS Credentials
        uses: aws-actions/configure-aws-credentials@v3
        with:
          role-to-assume: arn:aws:iam::111111111111:role/GithubActionsRole
          role-session-name: YOUR_SESSION_NAME
          aws-region: YOUR_REGION
```
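The trust policy's Condition block is the only thing that decides which GitHub workflows can assume the role, so it pays to check what a given sub pattern admits before deploying. The following is an added example, not part of these notes nor of any AWS or GitHub tooling: it re-implements the case-sensitive StringEquals/StringLike matching IAM applies to the trust policy above, evaluates it against constructed sample token claims, and lints the sub pattern for the common mistakes (no context segment, org-wide or global wildcards, wildcard glued to the repo name). `example-org`, `example-repo`, the sample claims and all helper names are assumptions.

```python
"""Check what a GitHub OIDC trust policy actually admits.

Added example (not from the original notes, AWS or GitHub): re-implements the
IAM StringEquals/StringLike matching used by the trust policy above, evaluates
it against constructed sample token claims, and lints the `sub` pattern.
Org and repo names and all sample claims below are assumptions.
"""
import json
import re

ISSUER = "token.actions.githubusercontent.com"

# Trust policy from the notes, with the placeholder sub filled in for a
# hypothetical example-org/example-repo, pinned to the main branch.
TRUST_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "RoleForGitHubActions",
    "Effect": "Allow",
    "Principal": {"Federated": "arn:aws:iam::111111111111:oidc-provider/token.actions.githubusercontent.com"},
    "Action": "sts:AssumeRoleWithWebIdentity",
    "Condition": {
      "StringEquals": {"token.actions.githubusercontent.com:aud": "sts.amazonaws.com"},
      "StringLike": {"token.actions.githubusercontent.com:sub": "repo:example-org/example-repo:ref:refs/heads/main"}
    }
  }]
}""")

# Constructed claims in the shape GitHub puts in its OIDC token (aud and sub only).
SAMPLE_CLAIMS = {
    "push to main": {"aud": "sts.amazonaws.com",
                     "sub": "repo:example-org/example-repo:ref:refs/heads/main"},
    "push to feature branch": {"aud": "sts.amazonaws.com",
                               "sub": "repo:example-org/example-repo:ref:refs/heads/feature"},
    "pull request": {"aud": "sts.amazonaws.com",
                     "sub": "repo:example-org/example-repo:pull_request"},
    "other repo in org": {"aud": "sts.amazonaws.com",
                          "sub": "repo:example-org/other-repo:ref:refs/heads/main"},
    "wrong audience": {"aud": "https://github.com/example-org",
                       "sub": "repo:example-org/example-repo:ref:refs/heads/main"},
}


def string_like(pattern: str, value: str) -> bool:
    """IAM StringLike: case-sensitive; '*' matches any run, '?' one character."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None


OPERATORS = {"StringEquals": lambda p, v: p == v, "StringLike": string_like}


def condition_allows(condition: dict, claims: dict) -> bool:
    """All operator/key blocks must match (AND); within one key any listed value may (OR)."""
    context = {f"{ISSUER}:{k}": v for k, v in claims.items()}
    for op, keys in condition.items():
        match = OPERATORS[op]  # only the two operators the notes use
        for key, allowed in keys.items():
            values = [allowed] if isinstance(allowed, str) else allowed
            actual = context.get(key)
            if actual is None or not any(match(p, actual) for p in values):
                return False
    return True


def policy_allows(policy: dict, claims: dict) -> bool:
    """True if some Allow statement for AssumeRoleWithWebIdentity matches the claims."""
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if (stmt["Effect"] == "Allow" and "sts:AssumeRoleWithWebIdentity" in actions
                and condition_allows(stmt.get("Condition", {}), claims)):
            return True
    return False


def evaluate_all(policy: dict) -> dict:
    """Map each sample scenario to whether the role could be assumed."""
    return {name: policy_allows(policy, claims) for name, claims in SAMPLE_CLAIMS.items()}


def with_sub_pattern(policy: dict, pattern: str) -> dict:
    """Copy of the policy with a different sub pattern, for what-if checks."""
    new = json.loads(json.dumps(policy))
    new["Statement"][0]["Condition"]["StringLike"][f"{ISSUER}:sub"] = pattern
    return new


def lint_sub_patterns(policy: dict) -> list:
    """Flag sub patterns that are broader than intended or can never match."""
    findings = []
    for stmt in policy["Statement"]:
        raw = stmt.get("Condition", {}).get("StringLike", {}).get(f"{ISSUER}:sub", [])
        for p in ([raw] if isinstance(raw, str) else raw):
            if p in ("*", "repo:*"):
                findings.append(f"{p!r}: any GitHub repository can assume this role")
            elif re.fullmatch(r"repo:[^/]+/\*.*", p):
                findings.append(f"{p!r}: every repository in the org can assume this role")
            elif p.count(":") < 2 and not p.endswith("*"):
                findings.append(f"{p!r}: no ref/environment segment and no trailing '*', "
                                "so it never matches a real sub claim")
            elif p.count(":") < 2 and not p.endswith(":*"):
                findings.append(f"{p!r}: wildcard glued to the repo name also matches "
                                "repos whose name merely starts with it")
    return findings


if __name__ == "__main__":
    for pattern in ("repo:example-org/example-repo:ref:refs/heads/main",
                    "repo:example-org/example-repo:*",
                    "repo:example-org/example-repo",
                    "repo:example-org/*"):
        policy = with_sub_pattern(TRUST_POLICY, pattern)
        print(pattern, evaluate_all(policy), lint_sub_patterns(policy))
```

Running it shows that the branch-pinned pattern admits only the push to main, `repo:example-org/example-repo:*` also admits the feature branch and pull-request tokens (but still not the other repo or a token minted for a different audience), and the bare `repo:example-org/example-repo` admits nothing at all, which is the failure mode the lint reports.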