GitHub Actions and AWS OIDC Roles
This morning, while adding a GitHub Actions deployment that pushes to AWS, I took a quick sojourn into using GitHub's short-lived OIDC tokens instead of creating yet another long-lived AWS access key. With OIDC the workflow exchanges a token that GitHub signs for each job for temporary STS credentials, so there is no static secret to store, rotate, or leak. The documentation is spread across a few places and is mostly 'reference' grade; this is all you actually need to do:
Add the OIDC provider
- Add an OIDC identity provider in IAM (Identity providers, provider type OpenID Connect). Use these values:
- Provider URL: https://token.actions.githubusercontent.com
- Audience: sts.amazonaws.com
- Fingerprints: no longer needed. AWS now validates the provider's TLS certificate against its own library of trusted root CAs, so the thumbprint stored for this provider is not used for validation.
Create an AWS Role
Add a new role and configure its Trust relationships in IAM like the policy below (replace the 12-digit placeholder account ID with your own). GitHub has comprehensive documentation about the ways sub gets presented, but it can be hard to follow at first; matching on environments seems like a sane option, since a job only gets an environment:<name> sub when it declares that environment, and environments can carry their own protection rules. sub is a single-valued claim, so a plain StringEquals with a list means "any of these"; the ForAnyValue set operator is not needed. Keep the aud condition as well: it is what stops a token minted for some other audience being presented to this role. Avoid a StringLike wildcard such as repo:owner/repo:* unless you really mean it, because it also admits the pull_request and branch-ref subs from that repository. You can't use the other claims GitHub's OIDC token includes (repository, ref, actor and so on), as AWS doesn't import them; anything you need to restrict on has to be expressed through sub.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::555555555555:oidc-provider/token.actions.githubusercontent.com"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "token.actions.githubusercontent.com:aud": "sts.amazonaws.com",
          "token.actions.githubusercontent.com:sub": [
            "repo:jamesez/my-lambda:environment:east-one",
            "repo:jamesez/my-lambda:environment:west-two"
          ]
        }
      }
    }
  ]
}
```
You then attach whatever permissions the role needs, as appropriate; scope them to what the deploy actually does (here, updating one Lambda function) rather than reusing a broad policy, since anyone who can get a matching token gets all of it.
Action changes
The workflow needs write on id-token to request the OIDC token. Once a permissions block is present, every scope you don't list is set to none, and checkout needs contents: read, so you have to mention both (at the workflow level or on the deploy job):

```yaml
permissions:
  id-token: write
  contents: read
```
Then add the configure-aws-credentials action to your workflow to obtain temporary AWS credentials. Something like this, where role-to-assume is the role you created above. The action requests the token with audience sts.amazonaws.com, calls AssumeRoleWithWebIdentity, and exports the resulting short-lived keys as environment variables for the later steps. Remove any AWS secrets you might be setting in Actions, both the repository secrets themselves and any env: lines that reference them.
Note: the action needs to be version 2 or higher; update if it's below.
```yaml
- name: Log into AWS
  uses: aws-actions/configure-aws-credentials@v2
  with:
    aws-region: ${{ matrix.region }}
    role-to-assume: arn:aws:iam::555555555555:role/github-action-role-name
```
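Before wiring this up for real it is worth being able to answer "which tokens would this trust policy accept?" without round-tripping through AWS. The following is an added example, not code from the post or from either vendor: it builds the trust policy shown above, decodes a constructed (unsigned) GitHub Actions id-token the way you would when checking what sub a job actually receives, and evaluates the policy's StringEquals / StringLike conditions over the two claims IAM reads from the token, aud and sub. The account ID, repository name, and the LOOSE_POLICY variant are hypothetical; the token is built locally and would be rejected by STS.

```python
"""Offline check: which GitHub OIDC tokens would the role's trust policy accept?"""
import base64
import json
import re

PROVIDER = "token.actions.githubusercontent.com"


def trust_policy(account_id, repo, environments):
    """The post's trust policy: exact-match aud plus one exact sub per environment."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": f"arn:aws:iam::{account_id}:oidc-provider/{PROVIDER}"},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {"StringEquals": {
                f"{PROVIDER}:aud": "sts.amazonaws.com",
                f"{PROVIDER}:sub": [f"repo:{repo}:environment:{e}" for e in environments],
            }},
        }],
    }


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def unsigned_token(claims):
    """Constructed JWT with an empty signature, only to exercise the decoder below.
    A real id-token is RS256-signed by GitHub; never present one of these anywhere."""
    header = {"alg": "RS256", "typ": "JWT"}
    return ".".join([_b64url(json.dumps(header).encode()), _b64url(json.dumps(claims).encode()), ""])


def jwt_claims(token):
    """Decode a JWT payload WITHOUT verifying it: fine for inspecting sub, never for auth."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore the base64 padding JWTs strip
    return json.loads(base64.urlsafe_b64decode(payload))


def _string_like(value, pattern):
    """IAM StringLike semantics: '*' matches any run of characters, '?' exactly one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None


def _condition_met(operator, expected, actual):
    expected = expected if isinstance(expected, list) else [expected]  # a list means OR
    if operator == "StringEquals":
        return actual in expected
    if operator == "StringLike":
        return any(_string_like(actual, p) for p in expected)
    raise ValueError(f"operator {operator} is not modelled here")


def would_assume(policy, claims):
    """True if every condition of some Allow statement holds for these token claims.
    Only aud and sub are consulted: as the post notes, IAM does not import the other claims,
    and a condition on an absent key evaluates to false."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or stmt["Action"] != "sts:AssumeRoleWithWebIdentity":
            continue
        satisfied = True
        for operator, keys in stmt.get("Condition", {}).items():
            for key, expected in keys.items():
                claim = key.split(":", 1)[1]  # "<provider>:sub" -> "sub"
                actual = claims.get(claim, "") if claim in ("aud", "sub") else ""
                if not _condition_met(operator, expected, actual):
                    satisfied = False
        if satisfied:
            return True
    return False


# Hypothetical account id and repository, matching the post's placeholders.
POLICY = trust_policy("555555555555", "jamesez/my-lambda", ["east-one", "west-two"])

# Constructed claims shaped like an id-token for a job that declares environment: east-one.
EAST_TOKEN = unsigned_token({
    "iss": f"https://{PROVIDER}", "aud": "sts.amazonaws.com",
    "sub": "repo:jamesez/my-lambda:environment:east-one",
    "repository": "jamesez/my-lambda", "environment": "east-one", "ref": "refs/heads/main",
})

# A looser (hypothetical) variant with a wildcard sub covering the whole repository.
LOOSE_POLICY = trust_policy("555555555555", "jamesez/my-lambda", [])
LOOSE_POLICY["Statement"][0]["Condition"] = {
    "StringEquals": {f"{PROVIDER}:aud": "sts.amazonaws.com"},
    "StringLike": {f"{PROVIDER}:sub": "repo:jamesez/my-lambda:*"},
}

if __name__ == "__main__":
    claims = jwt_claims(EAST_TOKEN)
    print("environment job:", would_assume(POLICY, claims))  # True
    # Same repo, but the job declares no environment: sub is ref-based and does not match.
    print("plain branch job:", would_assume(POLICY, {**claims, "sub": "repo:jamesez/my-lambda:ref:refs/heads/main"}))  # False
    # Token requested without audience=sts.amazonaws.com: the aud condition fails.
    print("wrong audience:", would_assume(POLICY, {**claims, "aud": "https://github.com/jamesez"}))  # False
    # The wildcard variant also admits a pull_request token, which is why the exact list is preferable.
    print("wildcard + pull_request:", would_assume(LOOSE_POLICY, {**claims, "sub": "repo:jamesez/my-lambda:pull_request"}))  # True
```

To see the real sub your job gets, decode the token the same way (payload only, no verification) from a throwaway step; the exact string is what goes in the StringEquals list, and the branch-ref and pull_request cases above show why a job without an environment: declaration will be refused by this policy.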
Here's an example deploy phase that uses a matrix to deploy a Lambda to two environments.
```yaml
deploy:
  needs: build
  runs-on: ubuntu-latest
  strategy:
    matrix:
      include:
        - environment: east-one
          region: us-east-1
        - environment: west-two
          region: us-west-2

  # Declaring the environment is what puts "environment:<name>" into the token's sub,
  # which is the value the trust policy matches on.
  environment:
    name: ${{ matrix.environment }}

  steps:
    # With no `name`, download-artifact fetches every artifact of the run into a
    # directory named after the artifact, hence deployment/deployment.zip below.
    - name: Download deployment.zip
      uses: actions/download-artifact@v2.1.1

    - name: Display structure of downloaded files
      run: ls -R

    - name: Log into AWS
      uses: aws-actions/configure-aws-credentials@v2
      with:
        aws-region: ${{ matrix.region }}
        role-to-assume: arn:aws:iam::555555555555:role/github-action-role-name

    # Third-party action pinned to a full commit SHA rather than a mutable tag.
    - name: Deploy
      uses: kazimanzurrashid/aws-lambda-update-action@695db4dd92dbd6ee63f1f014bea6f868affa469a
      with:
        zip-file: deployment/deployment.zip
        lambda-name: my-lambda
```