Github Actions & AWS OIDC

Mo Ali
Published in Engineers Haven
3 min read · Nov 22, 2021

For a long time, the only way to give GitHub Actions (hosted by GitHub) access to your AWS environment was to create an IAM user and hand its long-lived IAM credentials to the workflow.
Now there is another method of authentication.

Photo by Roman Synkevych on Unsplash

GitHub recently announced (at the time of writing this) OIDC support for GitHub Actions. This means that you can use GitHub with your own identity provider, in this case that’s AWS.

Setting up AWS

To get started, you’ll have to create your identity provider on AWS.

1. Log in to your AWS account, go to IAM > Identity Providers, and click “Add Provider”.
2. Add the provider URL https://token.actions.githubusercontent.com and an audience of https://github.com/(your org name).
3. You’ll also need a role that your provider will assume. Below is a role’s trust policy that allows the identity provider to assume it.

You don’t need the lambda policy
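The trust policy is what decides which GitHub workflows may assume the role, so it is worth seeing which token claims it actually evaluates. The following is an added example, not the article's own policy: it builds a trust policy of the standard shape for the token.actions.githubusercontent.com provider, restricts it to one repository and branch through the `aud` and `sub` conditions, and then checks constructed (unsigned, fake) tokens against it the way IAM evaluates `StringEquals` and `StringLike`. The org, repo and branch names are placeholders; the account id is the one used in the article's workflow.

```python
"""Added example (not from the article): build a GitHub OIDC trust policy for
an IAM role and check which token claims it would accept.

Assumptions: the org, repo and branch names below are constructed
placeholders; the policy shape is the standard AssumeRoleWithWebIdentity
trust policy for the token.actions.githubusercontent.com provider.
"""
import base64
import json
import re

PROVIDER = "token.actions.githubusercontent.com"


def build_trust_policy(account_id, org, repo, branch):
    """Trust policy that lets only one repo/branch of the org assume the role.

    aud is matched exactly (StringEquals). sub carries the repository and ref;
    a pattern with no wildcard means nothing but the named branch qualifies."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": f"arn:aws:iam::{account_id}:oidc-provider/{PROVIDER}"},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "StringEquals": {f"{PROVIDER}:aud": f"https://github.com/{org}"},
                "StringLike": {f"{PROVIDER}:sub": f"repo:{org}/{repo}:ref:refs/heads/{branch}"},
            },
        }],
    }


def _like(pattern, value):
    """IAM StringLike: '*' matches any run, '?' one character, rest is literal."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None


def decode_claims(jwt):
    """Read the payload of a JWT for inspection only. STS, not this code,
    verifies the signature against the provider's published keys."""
    payload = jwt.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def claims_allowed(policy, claims):
    """Evaluate the Condition block: every listed key must be present and match."""
    cond = policy["Statement"][0]["Condition"]
    for key, want in cond.get("StringEquals", {}).items():
        if claims.get(key.split(":", 1)[1]) != want:
            return False
    for key, pattern in cond.get("StringLike", {}).items():
        have = claims.get(key.split(":", 1)[1])
        if have is None or not _like(pattern, have):
            return False
    return True


def make_unsigned_token(claims):
    """Constructed sample token with an empty signature, for this demo only."""
    def enc(d):
        return base64.urlsafe_b64encode(json.dumps(d).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}."


POLICY = build_trust_policy("012345678910", "example-org", "example-repo", "main")

# Constructed claims in the shape GitHub issues for a push to main.
MAIN_TOKEN = make_unsigned_token({
    "aud": "https://github.com/example-org",
    "sub": "repo:example-org/example-repo:ref:refs/heads/main",
    "repository": "example-org/example-repo",
})
# Same org and audience, different repo: the sub condition rejects it.
OTHER_REPO_TOKEN = make_unsigned_token({
    "aud": "https://github.com/example-org",
    "sub": "repo:example-org/other-repo:ref:refs/heads/main",
})

if __name__ == "__main__":
    print(json.dumps(POLICY, indent=2))
    print(claims_allowed(POLICY, decode_claims(MAIN_TOKEN)))        # True
    print(claims_allowed(POLICY, decode_claims(OTHER_REPO_TOKEN)))  # False
```

The point of the second token is that the audience alone only says "some workflow in this org"; without the `sub` condition any repository in the org (or any branch, including ones opened by a pull request) could assume the role, so the `sub` pattern is where least privilege is enforced.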

Setting up GitHub

Now you need a workflow file for GitHub Actions to use. Below is an example of a workflow that does nothing but authenticate.

# .github/workflows/example.yaml
name: my-workflow
on:
  push: {}
jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      id-token: write   # required for the job to request an OIDC token
      contents: read
    steps:
      - name: Auth with AWS
        run: |
          export AWS_ROLE_ARN=arn:aws:iam::012345678910:role/YourIAMRole
          export AWS_WEB_IDENTITY_TOKEN_FILE=/tmp/awscreds
          export AWS_DEFAULT_REGION=us-east-1

          echo AWS_WEB_IDENTITY_TOKEN_FILE=$AWS_WEB_IDENTITY_TOKEN_FILE >> $GITHUB_ENV
          echo AWS_ROLE_ARN=$AWS_ROLE_ARN >> $GITHUB_ENV
          echo AWS_DEFAULT_REGION=$AWS_DEFAULT_REGION >> $GITHUB_ENV

          # Ask the runner for the OIDC token (a JWT) and store it where the CLI expects it
          curl -sS -H "Authorization: bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" "$ACTIONS_ID_TOKEN_REQUEST_URL" | jq -r '.value' > $AWS_WEB_IDENTITY_TOKEN_FILE
          sudo apt-get install -y awscli

          # Exchange the JWT for temporary credentials for the role
          temp_role=$(aws sts assume-role-with-web-identity \
            --web-identity-token file://$AWS_WEB_IDENTITY_TOKEN_FILE \
            --role-arn "$AWS_ROLE_ARN" \
            --role-session-name "<some_session_name>")

          # Mask each value before writing it to $GITHUB_ENV so it is redacted from the job log
          AWS_ACCESS_KEY_ID=$(echo "$temp_role" | jq -r .Credentials.AccessKeyId)
          echo "::add-mask::$AWS_ACCESS_KEY_ID"
          echo AWS_ACCESS_KEY_ID=$AWS_ACCESS_KEY_ID >> $GITHUB_ENV
          AWS_SECRET_ACCESS_KEY=$(echo "$temp_role" | jq -r .Credentials.SecretAccessKey)
          echo "::add-mask::$AWS_SECRET_ACCESS_KEY"
          echo AWS_SECRET_ACCESS_KEY=$AWS_SECRET_ACCESS_KEY >> $GITHUB_ENV
          AWS_SESSION_TOKEN=$(echo "$temp_role" | jq -r .Credentials.SessionToken)
          echo "::add-mask::$AWS_SESSION_TOKEN"
          echo AWS_SESSION_TOKEN=$AWS_SESSION_TOKEN >> $GITHUB_ENV

This step exports temporary credentials into the GitHub Actions environment for the rest of the job. You don’t strictly have to export them; if you don’t, every call to AWS is authenticated via OIDC using the JWT, which means GitHub Actions has to serve the verification key for each request, and that is likely to get rate limited.

If you have multiple jobs that require AWS credentials, it is best to set up a single authentication job and pass the credentials to the other jobs via GitHub Actions artifacts.
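The last part of the step above is the hand-off from the STS response into the runner environment, and it is the part that is easiest to get subtly wrong (writing nothing to `$GITHUB_ENV`, or writing a secret before masking it). The following is an added example, not code from the article: it takes the JSON shape printed by `aws sts assume-role-with-web-identity`, validates that every credential field is present, reports how long the session has left, and emits the `::add-mask::` commands to stdout before appending the `NAME=value` lines to the file named by `$GITHUB_ENV`. The STS response is constructed sample data with fake values; the role name and account id are the article's.

```python
"""Added example (not from the article): turn the JSON printed by
`aws sts assume-role-with-web-identity` into the runner commands the
article's step emits: one ::add-mask:: per secret on stdout, then one
NAME=value line appended to the file named by $GITHUB_ENV.
The STS response below is constructed sample data with fake values.
"""
import json
import os
import sys
from datetime import datetime, timezone

# Constructed sample shaped like the STS response (all values are fake).
STS_RESPONSE = json.dumps({
    "Credentials": {
        "AccessKeyId": "ASIAEXAMPLEKEYID0000",
        "SecretAccessKey": "EXAMPLEsecretEXAMPLEsecretEXAMPLEsecret0",
        "SessionToken": "EXAMPLEsessionTokenEXAMPLE",
        "Expiration": "2021-11-22T13:00:00Z",
    },
    "AssumedRoleUser": {
        "Arn": "arn:aws:sts::012345678910:assumed-role/YourIAMRole/gha-session"
    },
})

# STS field -> environment variable that the AWS SDKs and CLI read.
ENV_NAMES = {
    "AccessKeyId": "AWS_ACCESS_KEY_ID",
    "SecretAccessKey": "AWS_SECRET_ACCESS_KEY",
    "SessionToken": "AWS_SESSION_TOKEN",
}


def parse_credentials(raw):
    """Extract the Credentials block and fail loudly if a field is missing,
    rather than exporting an empty variable that only breaks a later step."""
    creds = json.loads(raw)["Credentials"]
    missing = [k for k in ENV_NAMES if not creds.get(k)]
    if missing:
        raise ValueError(f"STS response is missing {missing}")
    return creds


def seconds_remaining(creds, now_iso):
    """Lifetime left on the session, so a job can tell whether the credentials
    will outlast it. now_iso uses the same UTC 'Z' format as Expiration."""
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    exp = datetime.strptime(creds["Expiration"], fmt).replace(tzinfo=timezone.utc)
    now = datetime.strptime(now_iso, fmt).replace(tzinfo=timezone.utc)
    return int((exp - now).total_seconds())


def mask_commands(creds):
    """Workflow commands for stdout; the runner redacts each value from the log."""
    return [f"::add-mask::{creds[k]}" for k in ENV_NAMES]


def env_file_lines(creds):
    """Lines to append to $GITHUB_ENV; later steps in the job see them as env vars."""
    return [f"{env}={creds[k]}" for k, env in ENV_NAMES.items()]


def export_to_runner(raw, stdout=sys.stdout, env_path=None):
    """Masks go out first, then the values are written, so nothing is logged unmasked."""
    creds = parse_credentials(raw)
    for cmd in mask_commands(creds):
        print(cmd, file=stdout)
    env_path = env_path or os.environ.get("GITHUB_ENV")
    if env_path:
        with open(env_path, "a") as f:
            f.write("\n".join(env_file_lines(creds)) + "\n")
    return creds


if __name__ == "__main__":
    # Outside a runner there is no $GITHUB_ENV, so only the mask commands are printed.
    export_to_runner(STS_RESPONSE)
```

In a real step you would pipe the `aws sts` output into this script; the expiry check is what tells you whether a single authentication job's credentials (the pattern suggested above) will still be valid by the time a downstream job picks them up from an artifact.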

Thank you for reading.
