t04glovern/github-action-example.yml

## github-action-example.yml
name: OIDC Example action

on:
  workflow_dispatch:
  push:
    branches:
      - main

jobs:
  example:
    name: Example S3 copy with OIDC
    runs-on: ubuntu-latest
    permissions:
      id-token: write
      contents: read

    steps:
    - name: Checkout
      uses: actions/checkout@v3

    - name: Configure AWS credentials
      uses: aws-actions/configure-aws-credentials@v1
      with:
        role-to-assume: ${{ secrets.OIDC_ROLE_AWS_ROLE_TO_ASSUME }}
        aws-region: ${{ secrets.OIDC_ROLE_AWS_REGION }}

    - name: AWS S3 Example
      run: aws s3 cp file.txt s3://greengrass-component-artifacts-ap-southeast-2-123456789012

## oidc-role-example.yml
AWSTemplateFormatVersion: 2010-09-09
Description: 'GitHub OIDC: t04glovern/repo-name | Stack: oidc-t04glovern-repo-name'

Parameters:
  FullRepoName:
    Type: String
    Default: t04glovern/repo-name

Resources:
  Role:
    Type: AWS::IAM::Role
    Properties:
      RoleName: oidc-t04glovern-repo-name
      Policies:
        - PolicyName: s3-example-policy
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - s3:GetObject
                Resource:
                  - !Sub arn:aws:s3:::greengrass-component-artifacts-${AWS::Region}-${AWS::AccountId}/*
      AssumeRolePolicyDocument:
        Statement:
          - Effect: Allow
            Action: sts:AssumeRoleWithWebIdentity
            Principal:
              Federated: !Sub arn:aws:iam::${AWS::AccountId}:oidc-provider/token.actions.githubusercontent.com
            Condition:
              StringLike:
                token.actions.githubusercontent.com:sub: !Sub repo:${FullRepoName}:*

Outputs:
  OidcRoleAwsAccountId:
    Value: !Ref AWS::AccountId
  OidcRoleAwsRegion:
    Value: !Ref AWS::Region
  OidcRoleAwsRoleToAssume:
    Value: !GetAtt Role.Arn

## provider.yml
AWSTemplateFormatVersion: 2010-09-09
Description: 'GitHub OIDC: Provider - Deployed once into each account'

Parameters:
  GithubOrg:
    Type: String
  GithubTokenThumbprint:
    Type: String
    Default: 6938fd4d98bab03faadb97b34396831e3780aea1

Resources:
  GithubOidc:
    Type: AWS::IAM::OIDCProvider
    Properties:
      Url: https://token.actions.githubusercontent.com
      ThumbprintList:
        - !Ref GithubTokenThumbprint
      ClientIdList:
        - sts.amazonaws.com

## thumbprint.sh
#!/bin/bash

# This script is used to automatically rotate the root account OIDC thumbprint
# Script requires `jq` and `openssl` to be installed.

HOST=$(curl https://vstoken.actions.githubusercontent.com/.well-known/openid-configuration \
| jq -r '.jwks_uri | split("/")[2]')

THUMBPRINT=$(echo \
| openssl s_client -servername $HOST -showcerts -connect $HOST:443 2> /dev/null \
| sed -n -e '/BEGIN/h' -e '/BEGIN/,/END/H' -e '$x' -e '$p' \
| tail +2 \
| openssl x509 -fingerprint -noout \
| sed -e "s/.*=//" -e "s/://g" \
| tr "ABCDEF" "abcdef")

AWS_REGION=ap-southeast-2
GITHUB_USERNAME=YourGithubUser

aws cloudformation deploy \
    --template-file provider.yml \
    --stack-name oidc-provider-$AWS_REGION \
    --parameter-overrides \
        GithubTokenThumbprint=$THUMBPRINT \
        GithubOrg=$GITHUB_USERNAME \
    --region $AWS_REGION
	name: OIDC Example action

	on:
	workflow_dispatch:
	push:
	branches:
	- main

	jobs:
	example:
	name: Example S3 copy with OIDC
	runs-on: ubuntu-latest
	permissions:
	id-token: write
	contents: read

	steps:
	- name: Checkout
	uses: actions/checkout@v3

	- name: Configure AWS credentials
	uses: aws-actions/configure-aws-credentials@v1
	with:
	role-to-assume: ${{ secrets.OIDC_ROLE_AWS_ROLE_TO_ASSUME }}
	aws-region: ${{ secrets.OIDC_ROLE_AWS_REGION }}

	- name: AWS S3 Example
	run: aws s3 cp file.txt s3://greengrass-component-artifacts-ap-southeast-2-123456789012
	AWSTemplateFormatVersion: 2010-09-09
	Description: 'GitHub OIDC: t04glovern/repo-name \| Stack: oidc-t04glovern-repo-name'

	Parameters:
	FullRepoName:
	Type: String
	Default: t04glovern/repo-name

	Resources:
	Role:
	Type: AWS::IAM::Role
	Properties:
	RoleName: oidc-t04glovern-repo-name
	Policies:
	- PolicyName: s3-example-policy
	PolicyDocument:
	Version: '2012-10-17'
	Statement:
	- Effect: Allow
	Action:
	- s3:GetObject
	Resource:
	- !Sub arn:aws:s3:::greengrass-component-artifacts-${AWS::Region}-${AWS::AccountId}/*
	AssumeRolePolicyDocument:
	Statement:
	- Effect: Allow
	Action: sts:AssumeRoleWithWebIdentity
	Principal:
	Federated: !Sub arn:aws:iam::${AWS::AccountId}:oidc-provider/token.actions.githubusercontent.com
	Condition:
	StringLike:
	token.actions.githubusercontent.com:sub: !Sub repo:${FullRepoName}:*

	Outputs:
	OidcRoleAwsAccountId:
	Value: !Ref AWS::AccountId
	OidcRoleAwsRegion:
	Value: !Ref AWS::Region
	OidcRoleAwsRoleToAssume:
	Value: !GetAtt Role.Arn
	AWSTemplateFormatVersion: 2010-09-09
	Description: 'GitHub OIDC: Provider - Deployed once into each account'

	Parameters:
	GithubOrg:
	Type: String
	GithubTokenThumbprint:
	Type: String
	Default: 6938fd4d98bab03faadb97b34396831e3780aea1

	Resources:
	GithubOidc:
	Type: AWS::IAM::OIDCProvider
	Properties:
	Url: https://token.actions.githubusercontent.com
	ThumbprintList:
	- !Ref GithubTokenThumbprint
	ClientIdList:
	- sts.amazonaws.com
	#!/bin/bash

	# This script is used to automatically rotate the root account OIDC thumbprint
	# Script requires `jq` and `openssl` to be installed.

	HOST=$(curl https://vstoken.actions.githubusercontent.com/.well-known/openid-configuration \
	\| jq -r '.jwks_uri \| split("/")[2]')

	THUMBPRINT=$(echo \
	\| openssl s_client -servername $HOST -showcerts -connect $HOST:443 2> /dev/null \
	\| sed -n -e '/BEGIN/h' -e '/BEGIN/,/END/H' -e '$x' -e '$p' \
	\| tail +2 \
	\| openssl x509 -fingerprint -noout \
	\| sed -e "s/.*=//" -e "s/://g" \
	\| tr "ABCDEF" "abcdef")

	AWS_REGION=ap-southeast-2
	GITHUB_USERNAME=YourGithubUser

	aws cloudformation deploy \
	--template-file provider.yml \
	--stack-name oidc-provider-$AWS_REGION \
	--parameter-overrides \
	GithubTokenThumbprint=$THUMBPRINT \
	GithubOrg=$GITHUB_USERNAME \
	--region $AWS_REGION