@t04glovern
Last active August 4, 2023 14:03
Run thumbprint.sh to deploy the provider.yml template into each of your managed AWS accounts. This creates an IAM OIDC Provider for GitHub that a template such as oidc-role-example.yml can reference when creating a role. That role can then be assumed by your GitHub Actions workflow, as in the example job below.
GitHub Actions workflow:

```yaml
name: OIDC Example action
on:
  workflow_dispatch:
  push:
    branches:
      - main
jobs:
  example:
    name: Example S3 copy with OIDC
    runs-on: ubuntu-latest
    # id-token: write lets the job request a GitHub OIDC token to exchange for AWS credentials
    permissions:
      id-token: write
      contents: read
    steps:
      - name: Checkout
        uses: actions/checkout@v3
      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@v1
        with:
          role-to-assume: ${{ secrets.OIDC_ROLE_AWS_ROLE_TO_ASSUME }}
          aws-region: ${{ secrets.OIDC_ROLE_AWS_REGION }}
      - name: AWS S3 Example
        run: aws s3 cp file.txt s3://greengrass-component-artifacts-ap-southeast-2-123456789012
```
oidc-role-example.yml:

```yaml
AWSTemplateFormatVersion: 2010-09-09
Description: 'GitHub OIDC: t04glovern/repo-name | Stack: oidc-t04glovern-repo-name'
Parameters:
  FullRepoName:
    Type: String
    Default: t04glovern/repo-name
Resources:
  Role:
    Type: AWS::IAM::Role
    Properties:
      RoleName: oidc-t04glovern-repo-name
      Policies:
        - PolicyName: s3-example-policy
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                # The workflow's `aws s3 cp file.txt s3://...` is an upload, which needs
                # s3:PutObject; grant only the action the job actually performs.
                Action:
                  - s3:GetObject
                Resource:
                  - !Sub arn:aws:s3:::greengrass-component-artifacts-${AWS::Region}-${AWS::AccountId}/*
      AssumeRolePolicyDocument:
        Statement:
          - Effect: Allow
            Action: sts:AssumeRoleWithWebIdentity
            Principal:
              Federated: !Sub arn:aws:iam::${AWS::AccountId}:oidc-provider/token.actions.githubusercontent.com
            # Only tokens whose sub claim names this repository may assume the role; the
            # trailing ':*' admits any branch, tag, pull request or environment of it.
            # AWS also recommends a StringEquals on token.actions.githubusercontent.com:aud
            # of sts.amazonaws.com, which this template omits.
            Condition:
              StringLike:
                token.actions.githubusercontent.com:sub: !Sub repo:${FullRepoName}:*
Outputs:
  OidcRoleAwsAccountId:
    Value: !Ref AWS::AccountId
  OidcRoleAwsRegion:
    Value: !Ref AWS::Region
  OidcRoleAwsRoleToAssume:
    Value: !GetAtt Role.Arn
```
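To see what the trust policy's `StringLike` condition actually admits, here is an added evaluator (not part of the gist) that applies IAM's `*`/`?` matching to constructed GitHub `sub` claims; the `aud` check it also applies is an assumption based on AWS's recommendation, not something the gist's template contains.

```python
import re

# Trust-policy conditions from oidc-role-example.yml with FullRepoName filled in.
# The StringEquals on "aud" is an addition, not on the gist's template: AWS recommends
# it so that only tokens minted for STS can be exchanged for credentials.
TRUST_CONDITION = {
    "StringLike": {"token.actions.githubusercontent.com:sub": "repo:t04glovern/repo-name:*"},
    "StringEquals": {"token.actions.githubusercontent.com:aud": "sts.amazonaws.com"},
}

def iam_string_like(pattern, value):
    """IAM StringLike: '*' matches any run of characters, '?' exactly one; case-sensitive."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None

def trust_policy_allows(condition, claims):
    """Evaluate the two operators the template uses against one token's claims.
    Condition keys 'token.actions.githubusercontent.com:<claim>' map onto claim names."""
    for operator, tests in condition.items():
        for key, pattern in tests.items():
            claim = claims.get(key.split(":", 1)[1])
            if claim is None:
                return False  # a missing claim never satisfies a condition
            if operator == "StringLike" and not iam_string_like(pattern, claim):
                return False
            if operator == "StringEquals" and claim != pattern:
                return False
    return True

# Constructed sample claims in the shape GitHub uses for sub and aud.
SAMPLE_TOKENS = {
    "push to main": {"sub": "repo:t04glovern/repo-name:ref:refs/heads/main", "aud": "sts.amazonaws.com"},
    "pull request": {"sub": "repo:t04glovern/repo-name:pull_request", "aud": "sts.amazonaws.com"},
    "other repo, same owner": {"sub": "repo:t04glovern/other-repo:ref:refs/heads/main", "aud": "sts.amazonaws.com"},
    "name-prefix lookalike": {"sub": "repo:t04glovern/repo-name-fork:ref:refs/heads/main", "aud": "sts.amazonaws.com"},
    "minted for another audience": {"sub": "repo:t04glovern/repo-name:ref:refs/heads/main", "aud": "https://github.com/t04glovern"},
}

def evaluate_all(condition=TRUST_CONDITION, tokens=SAMPLE_TOKENS):
    """Map each sample token to whether the trust policy would admit it."""
    return {name: trust_policy_allows(condition, claims) for name, claims in tokens.items()}

if __name__ == "__main__":
    for name, allowed in evaluate_all().items():
        print(f"{'ALLOW' if allowed else 'DENY ':5} {name}")
```

The ':' after the repository name acts as a boundary, so a lookalike repository is rejected, but every branch, tag, pull request and environment of the named repository is accepted; to admit only deployments from main, use `repo:t04glovern/repo-name:ref:refs/heads/main` under StringEquals instead.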
provider.yml:

```yaml
AWSTemplateFormatVersion: 2010-09-09
Description: 'GitHub OIDC: Provider - Deployed once into each account'
Parameters:
  GithubOrg:
    Type: String
  GithubTokenThumbprint:
    Type: String
    Default: 6938fd4d98bab03faadb97b34396831e3780aea1
Resources:
  GithubOidc:
    Type: AWS::IAM::OIDCProvider
    Properties:
      Url: https://token.actions.githubusercontent.com
      ThumbprintList:
        - !Ref GithubTokenThumbprint
      ClientIdList:
        - sts.amazonaws.com
```
thumbprint.sh:

```bash
#!/bin/bash
# This script is used to automatically rotate the root account OIDC thumbprint.
# Script requires `jq` and `openssl` to be installed.
set -eu

# Host that serves GitHub's JWKS; the TLS chain it presents is what IAM pins via the thumbprint.
HOST=$(curl -s https://vstoken.actions.githubusercontent.com/.well-known/openid-configuration \
  | jq -r '.jwks_uri | split("/")[2]')

# Fetch the chain and keep only its last certificate. The sed h/H sequence leaves the
# BEGIN line duplicated, which `tail -n +2` drops (the portable form of `tail +2`).
# IAM wants the SHA-1 fingerprint in lower case with the colons removed.
THUMBPRINT=$(echo \
  | openssl s_client -servername "$HOST" -showcerts -connect "$HOST":443 2> /dev/null \
  | sed -n -e '/BEGIN/h' -e '/BEGIN/,/END/H' -e '$x' -e '$p' \
  | tail -n +2 \
  | openssl x509 -fingerprint -sha1 -noout \
  | sed -e "s/.*=//" -e "s/://g" \
  | tr "ABCDEF" "abcdef")

AWS_REGION=ap-southeast-2
GITHUB_USERNAME=YourGithubUser

aws cloudformation deploy \
  --template-file provider.yml \
  --stack-name "oidc-provider-$AWS_REGION" \
  --parameter-overrides \
    GithubTokenThumbprint="$THUMBPRINT" \
    GithubOrg="$GITHUB_USERNAME" \
  --region "$AWS_REGION"
```