Configuring temporary AWS credentials for GitHub Actions

Tags: aws til cloud github

Disclaimer: Do not take the information here as a good or best practice. The purpose of this site is to post my learnings in somewhat real time.

Create an OIDC IdP on AWS

This is done once per AWS account; it establishes the trust between AWS and GitHub through OIDC.

Create an OpenID Connect identity provider for GitHub on AWS. From the IAM console, choose Identity providers and then Add provider.

  • Select OpenID Connect
  • Provider URL: https://token.actions.githubusercontent.com
  • Audience: sts.amazonaws.com

Create a role

Create a role to be assumed when your GitHub Actions workflow is executed.

  1. From the IAM console, choose Roles and then Create role. Select Web identity followed by the GitHub Identity provider and audience details.

  2. On the next page, assign a permission policy that is required to execute your GitHub action.

  3. On the next page, enter a Role name and Role description, and add the following under Condition in Select trusted entities. Replace <username> and <repository> with the relevant GitHub repository information. More information on trust policies can be found on GitHub. The trailing * matches every subject the repository can present (any branch, tag, environment or pull request workflow); if only one branch should be able to assume the role, restrict it to that branch instead, for example repo:<username>/<repository>:ref:refs/heads/master.

"StringLike": {
  "token.actions.githubusercontent.com:sub": "repo:<username>/<repository>:*"
}

  4. Finally, click Create role and copy the role ARN.
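As an added example (not the post's own code), the Python below builds the trust policy the steps above produce, with the aud check as StringEquals and the sub check as StringLike, and evaluates sample token claims against it. The account id 012345678999, the repository octo-org/site and the claim values are constructed for illustration; IAM StringLike treats * as any run of characters and ? as exactly one, which is what the matcher here implements.

```python
"""Check which GitHub OIDC subjects an AWS trust policy would accept.

Added example, not code from the original post. IAM StringLike semantics:
'*' matches any sequence of characters, '?' exactly one; nothing else is special.
"""
import json
import re

GITHUB_OIDC = "token.actions.githubusercontent.com"


def trust_policy(account_id: str, sub_pattern: str) -> dict:
    """Trust policy for a role assumable through the GitHub OIDC provider.

    sub_pattern is the value placed under StringLike, e.g. 'repo:<owner>/<repo>:*'.
    The audience check is exact: configure-aws-credentials requests aud=sts.amazonaws.com.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": f"arn:aws:iam::{account_id}:oidc-provider/{GITHUB_OIDC}"},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "StringEquals": {f"{GITHUB_OIDC}:aud": "sts.amazonaws.com"},
                "StringLike": {f"{GITHUB_OIDC}:sub": sub_pattern},
            },
        }],
    }


def string_like(pattern: str, value: str) -> bool:
    """IAM StringLike matching: '*' -> any run of characters, '?' -> one character."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value, re.DOTALL) is not None


def claims_allowed(policy: dict, claims: dict) -> bool:
    """True when the token claims satisfy every condition of the single Allow statement."""
    cond = policy["Statement"][0]["Condition"]
    # Condition keys look like '<provider>:<claim>'; the claim name follows the colon.
    for key, expected in cond.get("StringEquals", {}).items():
        if claims.get(key.split(":", 1)[1]) != expected:
            return False
    for key, pattern in cond.get("StringLike", {}).items():
        if not string_like(pattern, claims.get(key.split(":", 1)[1], "")):
            return False
    return True


# Constructed claims shaped like a GitHub Actions OIDC token payload (aud and sub only).
# 'wrong_aud' uses GitHub's default audience, i.e. a token not requested for AWS.
SAMPLES = {
    "master_push": {"aud": "sts.amazonaws.com", "sub": "repo:octo-org/site:ref:refs/heads/master"},
    "feature_push": {"aud": "sts.amazonaws.com", "sub": "repo:octo-org/site:ref:refs/heads/feature"},
    "pull_request": {"aud": "sts.amazonaws.com", "sub": "repo:octo-org/site:pull_request"},
    "other_repo": {"aud": "sts.amazonaws.com", "sub": "repo:octo-org/other:ref:refs/heads/master"},
    "wrong_aud": {"aud": "https://github.com/octo-org", "sub": "repo:octo-org/site:ref:refs/heads/master"},
}

# The post's wildcard condition versus one pinned to the deployment branch.
WILDCARD = trust_policy("012345678999", "repo:octo-org/site:*")
PINNED = trust_policy("012345678999", "repo:octo-org/site:ref:refs/heads/master")


def evaluate(policy: dict) -> dict:
    """Map each sample name to whether the policy would allow that token to assume the role."""
    return {name: claims_allowed(policy, claims) for name, claims in SAMPLES.items()}


if __name__ == "__main__":
    print(json.dumps(WILDCARD, indent=2))
    for label, policy in (("wildcard", WILDCARD), ("pinned", PINNED)):
        print(label, evaluate(policy))
```

Running it shows the difference the condition makes: the wildcard policy accepts the master push, the feature-branch push and the pull request workflow alike (anyone who can run a workflow in the repository can assume the role), while the pinned policy accepts only the master push. Both reject a token from another repository and a token whose audience is not sts.amazonaws.com.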

Create the GitHub action

Add a permissions block at the top of your workflow YAML file, or at job level to limit its scope. id-token: write lets the job request the OIDC token; contents: read is what actions/checkout needs. Once a permissions block is present, every permission it does not list is denied for that scope.

permissions:
  id-token: write
  contents: read

Define the configure-aws-credentials GitHub action with the role-to-assume parameter; additional parameters are documented in the action's README. Pinning the action to a full commit SHA rather than a mutable tag keeps the workflow's dependency reproducible.

- name: Configure AWS credentials
  uses: aws-actions/configure-aws-credentials@v1
  with:
    role-to-assume: arn:aws:iam::012345678999:role/xxxxxx
    aws-region: eu-west-1

You are now done!

Here’s what a complete workflow for deploying a Hugo site to S3 would look like.

name: Deploy Hugo site

on:
  push:
    branches:
      - master

permissions:
  id-token: write
  contents: read

jobs:
  build:
    name: Build and Deploy
    runs-on: ubuntu-latest
    steps:

    - name: Checkout code
      uses: actions/checkout@v2
      with:
        submodules: true
        fetch-depth: 0

    - name: Setup Hugo
      uses: peaceiris/actions-hugo@v2
      with:
        hugo-version: '0.68.3'
        extended: true

    - name: Build
      run: hugo --minify --buildFuture
    
    - name: Configure credentials
      uses: aws-actions/configure-aws-credentials@v1
      with:
        role-to-assume: arn:aws:iam::012345678999:role/xxxxxxxx
        aws-region: eu-west-1

    - name: Deploy
      run: aws s3 sync --size-only public s3://example-website-bucket/

Troubleshooting

Authentication issues

If you have trouble authenticating, consider updating the Identity Provider thumbprints as outlined in the GitHub changelog.
