💸Save up to $132K/month in CI costs!👉 Try Free
Skip to main content
← Back to workflows

How to Configure AWS Credentials for GitHub Actions?

aws-actions/configure-aws-credentials -
GitHub Action
v4.0.2
2,444
Contributors
Contributor - aws-sdk-osds
Categories
GitHub

Optimize Your CI/CD Pipeline

Get instant insights into your CI/CD performance and costs. Reduce build times by up to 45% and save on infrastructure costs.

45% Faster Builds
60% Cost Reduction
View Documentation →
Usage
- name: "Configure AWS Credentials" Action for GitHub Actions
  uses: aws-actions/configure-aws-[email protected]

configure-aws-credentials logo

configure-aws-credentials

Configure AWS credential environment variables for use in other GitHub Actions.

When to use the configure-aws-credentials GitHub Action?

I just dove into setting up AWS credentials for GitHub Actions. This method is particularly helpful for managing AWS interactions within GitHub workflows without hardcoding sensitive info.

Essentially, it leverages the AWS JavaScript SDK to resolve credentials and then exports them as environment variables, so other Actions in your workflow can use them seamlessly. This avoids the unsafe practice of embedding long-term IAM credentials in your repository.

The key takeaway here is to use GitHub's OIDC provider to fetch temporary credentials securely. This involves setting up an IAM role with specific permissions and linking it to GitHub via the OIDC protocol. It's a safer alternative to using static access keys, as it adheres to AWS's recommended security practices such as least privilege and credential rotation.

For anyone using GitHub Enterprise Server, you'll need to adjust the setup to fit the enterprise environment, especially the URLs and identity providers.

Moreover, the action supports several methods for retrieving AWS credentials, but the standout option is the OIDC integration. It's pretty straightforward once set up: your workflows can assume an AWS role to obtain temporary credentials, which are then used for making AWS API calls.

In summary, this GitHub Action not only simplifies the authentication process but also enhances security when interacting with AWS services in CI/CD pipelines. It's invaluable for teams looking to automate and secure their cloud operations within GitHub Actions.

How to Set Up OIDC with AWS?

To configure AWS credentials in GitHub Actions using OIDC, follow these steps:

  • First, establish a trust relationship between AWS IAM and GitHub's OIDC provider. This involves configuring IAM to accept JSON Web Tokens (JWTs) from GitHub.
  • You can set this up through the AWS management console or by using a CloudFormation template.
# Example CloudFormation template snippet
Resources:
  GithubOidc:
    Type: AWS::IAM::OIDCProvider
    Properties:
      Url: https://token.actions.githubusercontent.com
      ClientIdList:
        - sts.amazonaws.com
      ThumbprintList:
        - "fffffffffffffffffffffffffffffffffffffff"

How to Use the Action to Fetch Credentials?

Once OIDC is configured in your AWS account, add the aws-actions/configure-aws-credentials action to your GitHub workflow to fetch temporary AWS credentials:

- name: Configure AWS Credentials
  uses: aws-actions/configure-aws-credentials@v4
  with:
    aws-region: us-east-1
    role-to-assume: arn:aws:iam::123456789012:role/my-github-actions-role

How to Define Permissions and Roles?

Define the IAM role and its permissions that GitHub Actions will assume:

  • Create an IAM role that outlines what tasks the GitHub Actions can perform.
  • The role should only have the necessary permissions to perform its intended tasks, adhering to the least privilege principle.
# Example policy snippet
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket",
        "s3:GetObject"
      ],
      "Resource": [
        "arn:aws:s3:::example-bucket",
        "arn:aws:s3:::example-bucket/*"
      ]
    }
  ]
}

How to Set Workflow Permissions?

Ensure that your GitHub workflow file includes the necessary permissions to generate and use OIDC tokens:

permissions:
  id-token: write
  contents: read

How to Customize the Credential Settings?

You can customize various settings of the configure-aws-credentials action to suit your needs, such as specifying the AWS region or the role session name.

- name: Configure AWS Credentials with Custom Session Name
  uses: aws-actions/configure-aws-credentials@v4
  with:
    aws-region: us-east-2
    role-to-assume: arn:aws:iam::123456789012:role/my-github-actions-role
    role-session-name: MyCustomSession

How to Troubleshoot and Configure Advanced Settings?

For advanced configurations, like operating in non-standard AWS partitions or using a web identity token, the action supports additional parameters.

- name: Configure AWS Credentials for China region
  uses: aws-actions/configure-aws-credentials@v4
  with:
    audience: sts.amazonaws.com.cn
    aws-region: cn-north-1
    role-to-assume: arn:aws-cn:iam::123456789012:role/my-github-actions-role

These steps guide you through the secure integration of AWS credentials into GitHub Actions, leveraging OIDC for enhanced security and compliance.