Not so long ago, GitHub Actions gained support for OIDC tokens, which lets a workflow authenticate to external systems without any stored long-lived credentials, a considerable security improvement.

In this example, I will use CloudFormation as the deployment tool.

Full example:

AWSTemplateFormatVersion: 2010-09-09

Resources:
  GithubOIDC:
    Type: AWS::IAM::OIDCProvider
    Properties:
      Url: https://token.actions.githubusercontent.com
      ThumbprintList:
        - 6938fd4d98bab03faadb97b34396831e3780aea1
      ClientIdList:
        - sts.amazonaws.com

  DeployCloudformationManagedPolicy:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      ManagedPolicyName: DeployCloudformationManagedPolicy
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Sid: AllowToManageCloudformation
            Effect: Allow
            # Wildcard actions on every resource are broad; in production scope
            # these down to the stacks and roles the deploy actually touches.
            Resource: "*"
            Action:
              - "cloudformation:*"
              - "iam:*"

  DeployLambdaCode:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Sid: AllowLambda
            Effect: Allow
            Resource: "*"
            Action:
              - "s3:*"
              - "lambda:*"

  repoMetatronCvm:
    Type: AWS::IAM::Role
    Properties:
      RoleName: github-actions-metatron-cvm
      AssumeRolePolicyDocument:
        Statement:
          - Effect: Allow
            Action: sts:AssumeRoleWithWebIdentity
            Principal:
              Federated: !Ref GithubOIDC
            # Only tokens issued for this audience AND for pushes to main in
            # this exact repository may assume the role; feature branches,
            # pull requests and forks get a different sub claim and are denied.
            Condition:
              StringEquals:
                token.actions.githubusercontent.com:aud: sts.amazonaws.com
                token.actions.githubusercontent.com:sub:
                  - repo:metatron-code/metatron-cvm:ref:refs/heads/main
      Path: "/"
      ManagedPolicyArns:
        - !Ref DeployCloudformationManagedPolicy
        - !Ref DeployLambdaCode

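The Condition block on the role is what actually limits who can assume it. The following added example (not code from the original post) re-implements the IAM StringEquals/StringLike matching in Python and evaluates the template's condition against constructed GitHub token claims, plus a hypothetical wildcard variant to show how much looser "repo:owner/repo:*" is; the WILDCARD_CONDITION and github_claims helper are assumptions for illustration.

```python
from fnmatch import fnmatchcase

AUD = "token.actions.githubusercontent.com:aud"
SUB = "token.actions.githubusercontent.com:sub"

# The Condition block from the role's AssumeRolePolicyDocument above, as a dict.
TRUST_CONDITION = {
    "StringEquals": {
        AUD: "sts.amazonaws.com",
        SUB: ["repo:metatron-code/metatron-cvm:ref:refs/heads/main"],
    },
}

# Looser variant (hypothetical, not in the template) using a wildcard on sub.
WILDCARD_CONDITION = {
    "StringEquals": {AUD: "sts.amazonaws.com"},
    "StringLike": {SUB: "repo:metatron-code/metatron-cvm:*"},
}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def condition_allows(condition, claims):
    """IAM-style evaluation for StringEquals/StringLike: every key must match,
    a key matches if any of its listed values matches, a missing claim fails."""
    for operator, keys in condition.items():
        for key, allowed in keys.items():
            actual = claims.get(key)
            if actual is None:
                return False
            if operator == "StringEquals":
                matched = actual in _as_list(allowed)
            elif operator == "StringLike":
                matched = any(fnmatchcase(actual, p) for p in _as_list(allowed))
            else:
                raise ValueError("unsupported condition operator: " + operator)
            if not matched:
                return False
    return True

def github_claims(repo, sub_suffix, aud="sts.amazonaws.com"):
    """Constructed aud/sub claims in the shape GitHub issues them: sub is
    'repo:<owner>/<repo>:' followed by 'ref:refs/heads/<branch>',
    'pull_request' or 'environment:<name>'."""
    return {AUD: aud, SUB: f"repo:{repo}:{sub_suffix}"}

if __name__ == "__main__":
    for suffix in ("ref:refs/heads/main", "ref:refs/heads/feature-x", "pull_request"):
        c = github_claims("metatron-code/metatron-cvm", suffix)
        print(f"{suffix:24s} strict={condition_allows(TRUST_CONDITION, c)} "
              f"wildcard={condition_allows(WILDCARD_CONDITION, c)}")
```
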
To authenticate from the workflow, we add two things:

  • id-token: write in the job's permissions, so the runner may request an OIDC token
  • a step that exchanges that token for role credentials

Example:

name: Deploy

on: workflow_dispatch

jobs:
  deploy:
    runs-on: ubuntu-latest
    if: github.ref == 'refs/heads/main'

    permissions:
      id-token: write
      contents: read

    steps:
      - name: Checkout
        uses: actions/checkout@v3

      - uses: actions/setup-go@v4
        with:
          go-version: '1.20'

      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@v2
        with:
          aws-region: eu-west-1
          role-to-assume: arn:aws:iam::<your account id>:role/github-actions-metatron-cvm

      - name: Deploy
        run: make deploy