configure-aws-credentials
Configure AWS credential environment variables for use in other GitHub Actions.
When to use the configure-aws-credentials GitHub Action?
I just dove into setting up AWS credentials for GitHub Actions. This method is particularly helpful for managing AWS interactions within GitHub workflows without hardcoding sensitive information.
Essentially, the action uses the AWS JavaScript SDK to resolve credentials and then exports them as environment variables, so the other Actions in your workflow can use them seamlessly. This avoids the unsafe practice of storing long-term IAM credentials in your repository.
The key takeaway is to use GitHub's OIDC provider to fetch temporary credentials securely. This involves creating an IAM role with specific permissions and a trust relationship that accepts tokens from GitHub's OIDC provider. It's a safer alternative to static access keys: no long-lived secret is stored on the GitHub side, and the setup follows AWS's recommended practices of least privilege and credential rotation.
For anyone using GitHub Enterprise Server, you'll need to adjust the setup to fit the enterprise environment, especially the URLs and identity providers.
Moreover, the action supports several methods for retrieving AWS credentials, but the standout option is the OIDC integration. It's pretty straightforward once set up: your workflows can assume an AWS role to obtain temporary credentials, which are then used for making AWS API calls.
In summary, this GitHub Action not only simplifies the authentication process but also enhances security when interacting with AWS services in CI/CD pipelines. It's invaluable for teams looking to automate and secure their cloud operations within GitHub Actions.
How to Set Up OIDC with AWS?
To configure AWS credentials in GitHub Actions using OIDC, follow these steps:
- First, establish a trust relationship between AWS IAM and GitHub's OIDC provider. This involves configuring IAM to accept JSON Web Tokens (JWTs) from GitHub.
- You can set this up through the AWS management console or by using a CloudFormation template.
```yaml
# Example CloudFormation template snippet
Resources:
  GithubOidc:
    Type: AWS::IAM::OIDCProvider
    Properties:
      Url: https://token.actions.githubusercontent.com
      ClientIdList:
        - sts.amazonaws.com
      ThumbprintList:
        # Placeholder value: a SHA-1 thumbprint is 40 hex characters
        - "ffffffffffffffffffffffffffffffffffffffff"
```
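The template above creates the provider but not the role that trusts it. The role's trust policy is where the real access control lives: the `aud` condition must match the ClientIdList entry, and the `sub` condition pins the role to one repository (and optionally branch). As an added example that is not part of the original page or the action's own code, the following script builds a constructed scoped and unscoped trust policy (placeholder account id and repository names) and audits them for those two conditions:

```python
# Constructed example: audit a role trust policy for the GitHub OIDC provider.
GITHUB_OIDC_HOST = "token.actions.githubusercontent.com"
VALID_AUDIENCES = {"sts.amazonaws.com", "sts.amazonaws.com.cn"}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def github_trust_policy(condition: dict) -> dict:
    """Trust policy for a role assumed via the provider (account id is a placeholder)."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": f"arn:aws:iam::123456789012:oidc-provider/{GITHUB_OIDC_HOST}"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": condition}]}

AUD_ONLY = {"StringEquals": {f"{GITHUB_OIDC_HOST}:aud": "sts.amazonaws.com"}}
# Pinned to one repository and branch (constructed org/repo names).
SCOPED = github_trust_policy({**AUD_ONLY, "StringLike": {
    f"{GITHUB_OIDC_HOST}:sub": "repo:example-org/example-repo:ref:refs/heads/main"}})
# Same statement without a sub condition: any GitHub workflow could assume the role.
UNSCOPED = github_trust_policy(AUD_ONLY)

def audit_github_trust(policy: dict) -> list:
    """Return findings for Allow statements that trust the GitHub OIDC provider."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        federated = " ".join(_as_list(stmt.get("Principal", {}).get("Federated", [])))
        if stmt.get("Effect") != "Allow" or GITHUB_OIDC_HOST not in federated:
            continue  # not a GitHub OIDC statement
        cond = stmt.get("Condition", {})
        aud = _as_list(cond.get("StringEquals", {}).get(f"{GITHUB_OIDC_HOST}:aud", []))
        if not aud or not set(aud) <= VALID_AUDIENCES:
            findings.append(f"statement {i}: aud must equal an STS audience")
        subs = []
        for op in ("StringEquals", "StringLike"):
            subs += _as_list(cond.get(op, {}).get(f"{GITHUB_OIDC_HOST}:sub", []))
        if not subs:
            findings.append(f"statement {i}: no sub condition, any GitHub repository can assume the role")
        for sub in subs:
            # The repository part sits between "repo:" and the next colon; no wildcards there.
            repo = sub.split(":")[1] if sub.startswith("repo:") else ""
            if not repo or "*" in repo:
                findings.append(f"statement {i}: sub '{sub}' is not pinned to one repository")
    return findings

if __name__ == "__main__":
    for name, policy in (("scoped", SCOPED), ("unscoped", UNSCOPED)):
        print(name, audit_github_trust(policy) or ["ok"])
```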
How to Use the Action to Fetch Credentials?
Once OIDC is configured in your AWS account, add the aws-actions/configure-aws-credentials action to your GitHub workflow to fetch temporary AWS credentials:
```yaml
- name: Configure AWS Credentials
  uses: aws-actions/configure-aws-credentials@v4
  with:
    aws-region: us-east-1
    role-to-assume: arn:aws:iam::123456789012:role/my-github-actions-role
```
How to Define Permissions and Roles?
Define the IAM role and its permissions that GitHub Actions will assume:
- Create an IAM role whose permissions define what the GitHub Actions workflow can do.
- The role should only have the necessary permissions to perform its intended tasks, adhering to the least privilege principle.
Example policy snippet:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket",
        "s3:GetObject"
      ],
      "Resource": [
        "arn:aws:s3:::example-bucket",
        "arn:aws:s3:::example-bucket/*"
      ]
    }
  ]
}
```
How to Set Workflow Permissions?
Ensure that your GitHub workflow file includes the necessary permissions to generate and use OIDC tokens:
```yaml
permissions:
  id-token: write
  contents: read
```
How to Customize the Credential Settings?
You can customize various settings of the configure-aws-credentials action to suit your needs, such as specifying the AWS region or the role session name.
```yaml
- name: Configure AWS Credentials with Custom Session Name
  uses: aws-actions/configure-aws-credentials@v4
  with:
    aws-region: us-east-2
    role-to-assume: arn:aws:iam::123456789012:role/my-github-actions-role
    role-session-name: MyCustomSession
```
How to Troubleshoot and Configure Advanced Settings?
For advanced configurations, like operating in non-standard AWS partitions or using a web identity token, the action supports additional parameters.
```yaml
- name: Configure AWS Credentials for China region
  uses: aws-actions/configure-aws-credentials@v4
  with:
    audience: sts.amazonaws.com.cn
    aws-region: cn-north-1
    role-to-assume: arn:aws-cn:iam::123456789012:role/my-github-actions-role
```
These steps guide you through the secure integration of AWS credentials into GitHub Actions, leveraging OIDC for enhanced security and compliance.