Run thumbprint.sh to deploy the provider.yml file into each of your managed AWS accounts. This creates an OIDC provider that a template such as oidc-role-example.yml can use to create a role, which your GitHub Actions workflow can then assume.

Example GitHub Actions workflow:
```yaml
name: OIDC Example action
on:
  workflow_dispatch:
  push:
    branches:
      - main
jobs:
  example:
    name: Example S3 copy with OIDC
    runs-on: ubuntu-latest
    permissions:
      id-token: write   # required so the job can request an OIDC token
      contents: read
    steps:
      - name: Checkout
        uses: actions/checkout@v3
      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@v1
        with:
          role-to-assume: ${{ secrets.OIDC_ROLE_AWS_ROLE_TO_ASSUME }}
          aws-region: ${{ secrets.OIDC_ROLE_AWS_REGION }}
      - name: AWS S3 Example
        # Uploading needs s3:PutObject; the role policy below only grants s3:GetObject
        run: aws s3 cp file.txt s3://greengrass-component-artifacts-ap-southeast-2-123456789012
```

oidc-role-example.yml:
```yaml
AWSTemplateFormatVersion: 2010-09-09
Description: 'GitHub OIDC: t04glovern/repo-name | Stack: oidc-t04glovern-repo-name'
Parameters:
  FullRepoName:
    Type: String
    Default: t04glovern/repo-name
Resources:
  Role:
    Type: AWS::IAM::Role
    Properties:
      RoleName: oidc-t04glovern-repo-name
      Policies:
        - PolicyName: s3-example-policy
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - s3:GetObject
                Resource:
                  - !Sub arn:aws:s3:::greengrass-component-artifacts-${AWS::Region}-${AWS::AccountId}/*
      AssumeRolePolicyDocument:
        Statement:
          - Effect: Allow
            Action: sts:AssumeRoleWithWebIdentity
            Principal:
              Federated: !Sub arn:aws:iam::${AWS::AccountId}:oidc-provider/token.actions.githubusercontent.com
            Condition:
              StringLike:
                # matches any branch, tag, pull request or environment of the repository
                token.actions.githubusercontent.com:sub: !Sub repo:${FullRepoName}:*
Outputs:
  OidcRoleAwsAccountId:
    Value: !Ref AWS::AccountId
  OidcRoleAwsRegion:
    Value: !Ref AWS::Region
  OidcRoleAwsRoleToAssume:
    Value: !GetAtt Role.Arn
```
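The trust policy above is what actually decides who can assume the role, so it is worth checking the condition block rather than just deploying it. The following is an added example, not part of the gist: a small linter that renders the page's trust policy as the JSON IAM evaluates (the account id 123456789012 is a placeholder), flags a `sub` pattern ending in `:*` (it admits every branch, tag, pull request and environment of the repository) and a missing `aud` condition (without it the audience is pinned only by the provider's `ClientIdList`), and contrasts it with a constructed hardened variant pinned to `sts.amazonaws.com` and one branch. `iam_stringlike_match` reproduces IAM's `StringLike` wildcard rules so you can see concretely which token subjects each pattern admits.

```python
import re

# Claims GitHub puts in its OIDC token, as IAM condition keys
GITHUB_ISSUER = "token.actions.githubusercontent.com"
SUB_KEY = GITHUB_ISSUER + ":sub"
AUD_KEY = GITHUB_ISSUER + ":aud"

# Constructed sample: the trust policy from the role template above, rendered as
# the JSON that IAM evaluates. 123456789012 is a placeholder account id.
PAGE_TRUST_POLICY = {
    "Statement": [{
        "Effect": "Allow",
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Principal": {"Federated": "arn:aws:iam::123456789012:oidc-provider/" + GITHUB_ISSUER},
        "Condition": {"StringLike": {SUB_KEY: "repo:t04glovern/repo-name:*"}},
    }]
}

# Constructed hardened variant: audience pinned and sub pinned to a single branch.
HARDENED_TRUST_POLICY = {
    "Statement": [{
        "Effect": "Allow",
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Principal": {"Federated": "arn:aws:iam::123456789012:oidc-provider/" + GITHUB_ISSUER},
        "Condition": {"StringEquals": {
            AUD_KEY: "sts.amazonaws.com",
            SUB_KEY: "repo:t04glovern/repo-name:ref:refs/heads/main",
        }},
    }]
}


def iam_stringlike_match(pattern, value):
    """Match with IAM StringLike semantics: '*' is any run of characters, '?' one character."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None


def _as_list(v):
    return v if isinstance(v, list) else [v]


def lint_trust_policy(policy):
    """Return a list of findings for Allow statements that trust GitHub's OIDC provider."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRoleWithWebIdentity" not in _as_list(stmt.get("Action", [])):
            continue
        federated = _as_list(stmt.get("Principal", {}).get("Federated", []))
        if not any(GITHUB_ISSUER in arn for arn in federated):
            continue
        # Flatten {operator: {key: value}} into key -> list of values
        keys = {}
        for kv in stmt.get("Condition", {}).values():
            for k, v in kv.items():
                keys[k] = _as_list(v)
        if AUD_KEY not in keys:
            findings.append(f"statement {i}: no {AUD_KEY} condition; the audience is pinned only by the provider's ClientIdList")
        if SUB_KEY not in keys:
            findings.append(f"statement {i}: no {SUB_KEY} condition; any repository on GitHub could assume this role")
            continue
        for pat in keys[SUB_KEY]:
            parts = pat.split(":", 2)
            repo = parts[1] if len(parts) > 1 else ""
            if parts[0] != "repo" or not repo or "*" in repo or "?" in repo:
                findings.append(f"statement {i}: sub pattern {pat!r} is not pinned to a single org/repo")
            elif len(parts) < 3 or parts[2] == "*":
                findings.append(f"statement {i}: sub pattern {pat!r} allows any branch, tag, pull request or environment of {repo}")
    return findings


if __name__ == "__main__":
    for name, policy in (("page", PAGE_TRUST_POLICY), ("hardened", HARDENED_TRUST_POLICY)):
        print(name, lint_trust_policy(policy) or ["no findings"])
    # Subjects the page's pattern admits that the hardened pattern rejects
    for sub in ("repo:t04glovern/repo-name:pull_request",
                "repo:t04glovern/repo-name:ref:refs/heads/feature-x"):
        print(sub, iam_stringlike_match("repo:t04glovern/repo-name:*", sub),
              iam_stringlike_match("repo:t04glovern/repo-name:ref:refs/heads/main", sub))
```

The `sub` claim format (`repo:<org>/<name>:ref:refs/heads/<branch>`, `repo:<org>/<name>:pull_request`, `repo:<org>/<name>:environment:<env>`) is what makes the per-branch pin possible; if the workflow also needs to run from pull requests, add that exact subject as a second value rather than widening back to `*`.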
provider.yml:

```yaml
AWSTemplateFormatVersion: 2010-09-09
Description: 'GitHub OIDC: Provider - Deployed once into each account'
Parameters:
  GithubOrg:
    Type: String
  GithubTokenThumbprint:
    Type: String
    Default: 6938fd4d98bab03faadb97b34396831e3780aea1
Resources:
  GithubOidc:
    Type: AWS::IAM::OIDCProvider
    Properties:
      Url: https://token.actions.githubusercontent.com
      ThumbprintList:
        - !Ref GithubTokenThumbprint
      ClientIdList:
        - sts.amazonaws.com
```

thumbprint.sh:
```bash
#!/bin/bash
# This script is used to automatically rotate the root account OIDC thumbprint
# Script requires `jq` and `openssl` to be installed.
set -eu

# Host serving GitHub's JWKS, read from the OIDC discovery document
HOST=$(curl -s https://vstoken.actions.githubusercontent.com/.well-known/openid-configuration \
  | jq -r '.jwks_uri | split("/")[2]')

# Keep only the last certificate of the served chain, then print its SHA-1
# fingerprint as lowercase hex without colons (the format IAM expects).
# The sed program copies the last BEGIN..END block into hold space; it ends up
# with a duplicated BEGIN line, which `tail -n +2` drops.
THUMBPRINT=$(echo \
  | openssl s_client -servername "$HOST" -showcerts -connect "$HOST:443" 2> /dev/null \
  | sed -n -e '/BEGIN/h' -e '/BEGIN/,/END/H' -e '$x' -e '$p' \
  | tail -n +2 \
  | openssl x509 -fingerprint -noout \
  | sed -e "s/.*=//" -e "s/://g" \
  | tr "ABCDEF" "abcdef")

AWS_REGION=ap-southeast-2
GITHUB_USERNAME=YourGithubUser

aws cloudformation deploy \
  --template-file provider.yml \
  --stack-name "oidc-provider-$AWS_REGION" \
  --parameter-overrides \
    "GithubTokenThumbprint=$THUMBPRINT" \
    "GithubOrg=$GITHUB_USERNAME" \
  --region "$AWS_REGION"
```
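The openssl/sed pipeline above is dense, so here is the same computation written out as an added Python example (not part of the gist): take the last PEM block of the chain that `openssl s_client -showcerts` prints, base64-decode it to DER, and hash it with SHA-1; the lowercase hex digest is exactly the value that goes into `ThumbprintList`. The chain is constructed: its bodies decode to the bytes `leaf` and `abc`, not to real X.509 certificates, so only the extraction and hashing steps are exercised here. `thumbprint_needs_rotation` compares the value registered in provider.yml with the freshly observed one, which is the check a scheduled job would make before redeploying the stack. Note that AWS has since announced that for providers whose certificate chains to a CA in its trusted library, which includes GitHub's, it validates the chain itself and no longer relies on the registered thumbprint, although the field still has to be supplied.

```python
import base64
import hashlib
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def last_certificate_in_chain(chain_pem):
    """Return the last PEM certificate block of a chain, as `openssl s_client -showcerts` prints it."""
    blocks = PEM_BLOCK.findall(chain_pem)
    if not blocks:
        raise ValueError("no PEM certificate block found")
    return "-----BEGIN CERTIFICATE-----\n" + blocks[-1] + "\n-----END CERTIFICATE-----\n"


def certificate_thumbprint(pem_cert):
    """Lowercase hex SHA-1 over the DER bytes: what `openssl x509 -fingerprint -noout` prints, minus colons."""
    m = PEM_BLOCK.search(pem_cert)
    if m is None:
        raise ValueError("no PEM certificate block found")
    der = base64.b64decode("".join(m.group(1).split()))
    return hashlib.sha1(der).hexdigest()


def thumbprint_needs_rotation(deployed, observed):
    """True when the value registered on the IAM provider differs from the one served today."""
    return deployed.strip().lower() != observed.strip().lower()


# Constructed chain: the base64 bodies are the bytes b"leaf" and b"abc", not real
# X.509 certificates, so only the extraction and hashing steps are exercised.
CONSTRUCTED_CHAIN = """\
-----BEGIN CERTIFICATE-----
bGVhZg==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
YWJj
-----END CERTIFICATE-----
"""

# Default thumbprint from provider.yml on this page
DEPLOYED_THUMBPRINT = "6938fd4d98bab03faadb97b34396831e3780aea1"

if __name__ == "__main__":
    observed = certificate_thumbprint(last_certificate_in_chain(CONSTRUCTED_CHAIN))
    print(observed, thumbprint_needs_rotation(DEPLOYED_THUMBPRINT, observed))
```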