Skip to main content
HashnodeUntitled Publication

Command Palette

Search for a command to run...

Integrating GitHub Actions with AWS using OIDC

Updated
3 min read
A
Arun Chandel

Introduction: What is OIDC

Today, we're deploying our GithHub code using GitHub Actions with OpenID Connect (OIDC). OpenID Connect (OIDC) is providing an extra layer of protection. It allows GitHub Actions to assume an IAM role in AWS directly, eliminating the need to store long-term credentials. It's a way to give users access to AWS resources without having to manage their credentials directly. Instead of storing usernames and passwords, AWS OIDC relies on a trusted third party to authenticate users.

This reduces the risk of credential theft and simplifies the management of access to your AWS resources.

Security

Have you ever wondered how you can securely manage access to your AWS resources without Access keys and Secret Keys?
AWS OIDC might sound like a complex term, but it's actually a straightforward concept once you break it down. Let's implement it step by step.

Step 1: Creating an OIDC Provider for GitHub

  1. Open the IAM Console: Log in to your AWS Management Console and navigate to the IAM (Identity and Access Management) service.

  2. Access Identity Providers: In the left navigation menu, click on "Identity providers."

  3. Add a New Provider: In the Identity providers pane, click on "Add provider."

  4. Select Provider Type: For the provider type, choose "OpenID Connect."

  5. Enter Provider URL: For the Provider URL, enter the GitHub OIDC IdP URL: https://token.actions.githubusercontent.com.

  6. Get Thumbprint: Click on "Get thumbprint" to verify the server certificate of your IdP. For more information on OIDC thumbprints, refer to the AWS documentation on Obtaining the thumbprint for an OpenID Connect Identity Provider.

  7. Specify Audience: For the Audience, enter sts.amazonaws.com. This allows the AWS Security Token Service (AWS STS) API to be called by this IdP.

Step 2: Creating an IAM Role and Scope the Trust Policy

  1. Create Role: On the Create role page, "Web identity" should be already selected as the trusted entity, and the Identity provider field should be populated with your IdP. In the Audience list, select sts.amazonaws.com, and then click "Next."

  2. Set Permissions: On the Permissions page, click "Next." You can add permissions as needed.

  3. Add Tags (Optional): On the Tags page, you can add tags to this new role, and then click "Next: Review."

  4. Review and Create Role: On the Create role page, enter a role name, such as "GitHubAction-AssumeRoleWithAction." Optionally, add a description. Click "Create role" to finalize the creation of the role.

Trust Relationship Policy

Ensure that the trust relationship policy for the IAM role looks like this:

{
 "Version": "2012-10-17",
 "Statement": [
 {
 "Effect": "Allow",
 "Principal": {
 "Federated": "arn:aws:iam::123456789:oidc-provider/token.actions.githubusercontent.com"
 },
 "Action": "sts:AssumeRoleWithWebIdentity",
 "Condition": {
 "StringEquals": {
 "token.actions.githubusercontent.com:aud": "sts.amazonaws.com"
 }
 }

By following these steps, you'll have set up an OIDC provider for GitHub and created an IAM role that can be assumed by GitHub Actions. This setup enhances the security of AWS resources by leveraging the identity federation between GitHub and AWS

Step 2: Create GitHub Actions Workflow

With our IAM role ready, we proceed to our GitHub repository and seamlessly integrate the OIDC step into our GitHub Actions workflow as follows:

jobs:
  deploy:
    permissions:
      id-token: write
      contents: read
    steps:
      - name: Configure AWS Credentials
        uses: aws-actions/configure-aws-credentials@v1
        with:
          role-to-assume: arn:aws:iam::123456789012:role/MyGitHubActionsRole
          aws-region: us-east-1

This setup will allow GitHub action to use AWS reources without access key and secret key. Now final step to test the setup, how is it working!

Step 3: Deploy GitHub Code on AWS

Finally, we triggered the GitHub Action CI/CD pipeline, and it successfully deployed our GitHub code to AWS. This integration worked flawlessly.

Success in Integrating AWS OIDC with GitHub Actions

In this article we show step by step how to create OIDC provider, attach IAM role with it and integrate it with GitHub Action deployment.

Comments

Join the discussion

No comments yet. Be the first to comment.

More from this blog

Untitled Publication

2 posts