Github Actions & AWS

Natarajan Santhosh
1 min read · Mar 31, 2022
  1. Create a role: this lets GitHub Actions access resources in an AWS account without long-lived credentials being stored as GitHub secrets
  2. Use the role in GitHub Actions

Create a role

I’ll be using Terraform to configure GitHub Actions as an IAM OIDC identity provider in AWS.

├── oidc-github
│   ├── README.md
│   ├── config.tf
│   └── oidc.tf

# create a directory
mkdir oidc-github; cd oidc-github

Use Terraform remote state (S3 backend)

# config.tf
provider "aws" {
  region = "us-east-2"
}

terraform {
  required_version = ">= 1.0"

  backend "s3" {
    bucket  = "{MY BUCKET}"
    key     = "MY_KEY"
    encrypt = true
    region  = "us-east-2"
  }

  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 4.0"
    }
  }
}

Specify the GitHub organisation and the repositories that are allowed to assume the role

# oidc.tf
module "aws_oidc_github" {
  source  = "unfunco/oidc-github/aws"
  version = "0.5.0"

  github_organisation = "MYORG"
  github_repositories = ["MYREPO"]
}

Run Terraform

terraform init
terraform apply
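After `terraform apply`, the thing worth checking is the role’s trust policy: the role must be assumable only via the GitHub OIDC provider, only for the `sts.amazonaws.com` audience, and only from the intended repository (the `sub` claim). The following audit script is an example added to this article, not the author’s code or part of the `unfunco/oidc-github/aws` module; the policy documents it checks are constructed samples, and the account id, `MYORG` and `MYREPO` are placeholders.

```python
import json

GITHUB_OIDC_HOST = "token.actions.githubusercontent.com"


def _as_list(value):
    """IAM policy fields may be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def audit_trust_policy(policy_json: str) -> list[str]:
    """Return findings for GitHub OIDC statements; [] means the role is well scoped."""
    findings = []
    for stmt in _as_list(json.loads(policy_json)["Statement"]):
        federated = _as_list(stmt.get("Principal", {}).get("Federated", []))
        if stmt.get("Effect") != "Allow" or not any(GITHUB_OIDC_HOST in p for p in federated):
            continue  # only audit statements that trust the GitHub OIDC provider
        if "sts:AssumeRoleWithWebIdentity" not in _as_list(stmt.get("Action", [])):
            findings.append("GitHub principal granted an action other than AssumeRoleWithWebIdentity")
        cond = stmt.get("Condition", {})
        aud = _as_list(cond.get("StringEquals", {}).get(f"{GITHUB_OIDC_HOST}:aud", []))
        if aud != ["sts.amazonaws.com"]:
            findings.append("aud condition missing or not sts.amazonaws.com")
        subs = [s for op in ("StringEquals", "StringLike")
                for s in _as_list(cond.get(op, {}).get(f"{GITHUB_OIDC_HOST}:sub", []))]
        if not subs:
            findings.append("no sub condition: any GitHub repository could assume the role")
        for sub in subs:
            # sub looks like repo:ORG/REPO:ref:refs/heads/main; the ORG/REPO part must be literal
            org_repo = sub.removeprefix("repo:").split(":", 1)[0]
            if not sub.startswith("repo:") or any(c in org_repo for c in "*?"):
                findings.append(f"sub pattern {sub!r} is not pinned to one org/repo")
    return findings


def _policy(sub_patterns):
    """Constructed sample trust policy in the shape AWS stores for an OIDC-federated role."""
    return json.dumps({"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": f"arn:aws:iam::123456789012:oidc-provider/{GITHUB_OIDC_HOST}"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {"StringEquals": {f"{GITHUB_OIDC_HOST}:aud": "sts.amazonaws.com"},
                      "StringLike": {f"{GITHUB_OIDC_HOST}:sub": sub_patterns}}}]})


SCOPED = _policy(["repo:MYORG/MYREPO:*"])  # pinned to the article's org/repo: no findings
BROAD = _policy(["repo:*"])                # wildcard org: any GitHub repository could assume the role

if __name__ == "__main__":
    print(audit_trust_policy(SCOPED))  # []
    print(audit_trust_policy(BROAD))
```

To audit a real role, feed it the `AssumeRolePolicyDocument` returned by `aws iam get-role`.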

Use the role in a GitHub Action

A working example GitHub Actions workflow that lists S3 buckets:

name: Pull Request Verification

on:
  pull_request:

# permission can be added at job level or workflow level
permissions:
  id-token: write
  contents: read # This is required for actions/checkout@v2

jobs:
  build-docker-image:
    name: Configure AWS and List S3 buckets
    runs-on: ubuntu-latest
    steps:
      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@master
        with:
          aws-region: us-east-2
          role-to-assume: "ROLE_FROM_STEP_1"
      - name: S3 list buckets
        run: |
          aws s3 ls
