Not so long ago, GitHub Actions gained support for OIDC tokens, which makes it possible to authenticate to other systems without storing long-lived credentials in the repository and noticeably improves security.
In this example I will use CloudFormation as the deployment tool.
```yaml
AWSTemplateFormatVersion: 2010-09-09
Resources:
  # Registers GitHub's token issuer as an identity provider in the account.
  GithubOIDC:
    Type: AWS::IAM::OIDCProvider
    Properties:
      Url: https://token.actions.githubusercontent.com
      ThumbprintList:
        - 6938fd4d98bab03faadb97b34396831e3780aea1
      ClientIdList:
        - sts.amazonaws.com

  DeployCloudformationManagedPolicy:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      ManagedPolicyName: DeployCloudformationManagedPolicy
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Sid: AllowToManageCloudformation
            Effect: Allow
            Resource: "*"
            Action:
              - "cloudformation:*"
              - "iam:*"

  DeployLambdaCode:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Sid: AllowLambda
            Effect: Allow
            Resource: "*"
            Action:
              - "s3:*"
              - "lambda:*"

  # The role the workflow assumes. The Condition block is what pins the role
  # to one repository and one branch: only a token whose sub claim matches
  # exactly can call AssumeRoleWithWebIdentity.
  repoMetatronCvm:
    Type: AWS::IAM::Role
    Properties:
      RoleName: github-actions-metatron-cvm
      AssumeRolePolicyDocument:
        Statement:
          - Effect: Allow
            Action: sts:AssumeRoleWithWebIdentity
            Principal:
              Federated: !Ref GithubOIDC
            Condition:
              StringEquals:
                token.actions.githubusercontent.com:aud: sts.amazonaws.com
                token.actions.githubusercontent.com:sub:
                  - repo:metatron-code/metatron-cvm:ref:refs/heads/main
      Path: "/"
      ManagedPolicyArns:
        - !Ref DeployCloudformationManagedPolicy
        - !Ref DeployLambdaCode
```
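The whole security of this setup rests on the StringEquals condition in the trust policy, so it is worth seeing exactly which workflow runs it admits. The script below is an added example for this post, not part of the template above, and it does not call AWS: it re-implements IAM's StringEquals matching in Python and evaluates the role's condition against constructed sub/aud claims shaped like the ones GitHub places in its OIDC token (a branch push is `repo:owner/name:ref:refs/heads/<branch>`, a pull_request run is `repo:owner/name:pull_request`). The scenario names and claim values are constructed for illustration.

```python
"""Evaluate an IAM-style StringEquals trust condition against GitHub OIDC
token claims, to show which workflow runs the role above would admit.

Added example for this post; it is not part of the original template and
does not call AWS. The claim values below are constructed to mirror what
GitHub puts in its OIDC token (sub/aud), not captured from a real run."""

from typing import Dict, List, Union

ConditionValue = Union[str, List[str]]

# The Condition block from the role's AssumeRolePolicyDocument, as Python.
TRUST_CONDITION: Dict[str, ConditionValue] = {
    "token.actions.githubusercontent.com:aud": "sts.amazonaws.com",
    "token.actions.githubusercontent.com:sub": [
        "repo:metatron-code/metatron-cvm:ref:refs/heads/main",
    ],
}


def string_equals(condition: Dict[str, ConditionValue], claims: Dict[str, str]) -> bool:
    """IAM StringEquals semantics: every condition key must be present in the
    token and its claim must equal one of the listed values (a scalar value is
    treated as a one-element list). A missing key never matches."""
    for key, allowed in condition.items():
        allowed_values = [allowed] if isinstance(allowed, str) else allowed
        if claims.get(key) not in allowed_values:
            return False
    return True


def github_claims(repo: str, sub_suffix: str, aud: str = "sts.amazonaws.com") -> Dict[str, str]:
    """Build the two claims the trust policy inspects. GitHub's sub claim
    encodes the repository and what triggered the run."""
    return {
        "token.actions.githubusercontent.com:aud": aud,
        "token.actions.githubusercontent.com:sub": f"repo:{repo}:{sub_suffix}",
    }


# Constructed scenarios: which of these runs may assume the role?
SCENARIOS: Dict[str, Dict[str, str]] = {
    "push to main": github_claims("metatron-code/metatron-cvm", "ref:refs/heads/main"),
    "push to feature branch": github_claims("metatron-code/metatron-cvm", "ref:refs/heads/feature"),
    "pull_request workflow": github_claims("metatron-code/metatron-cvm", "pull_request"),
    "same-name repo under another owner": github_claims("someone-else/metatron-cvm", "ref:refs/heads/main"),
    # Without the aud override that configure-aws-credentials requests, the
    # token carries GitHub's default audience (the repository owner URL).
    "wrong audience": github_claims(
        "metatron-code/metatron-cvm", "ref:refs/heads/main", aud="https://github.com/metatron-code"
    ),
}


def evaluate_all(condition: Dict[str, ConditionValue] = TRUST_CONDITION) -> Dict[str, bool]:
    """Return scenario name -> whether AssumeRoleWithWebIdentity would be allowed."""
    return {name: string_equals(condition, claims) for name, claims in SCENARIOS.items()}


if __name__ == "__main__":
    for name, allowed in evaluate_all().items():
        print(f"{'ALLOW' if allowed else 'DENY':5} {name}")
```

Only the push to main is admitted; every other run, including one from the same repository on another branch or via a pull_request trigger, is denied by IAM before any policy attached to the role matters. Note that the `if: github.ref == 'refs/heads/main'` guard in the workflow is a convenience, not a control: anyone who can edit the workflow file can drop it, whereas the trust policy is enforced on the AWS side.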
To let the workflow log in to AWS, we add two things to it:
- in permissions, grant id-token: write so the job can request an OIDC token
- a step that assumes the role with that token
```yaml
name: Deploy

on: workflow_dispatch

jobs:
  deploy:
    runs-on: ubuntu-latest
    if: github.ref == 'refs/heads/main'
    permissions:
      id-token: write   # required to request the OIDC token
      contents: read
    steps:
      - name: Checkout
        uses: actions/checkout@v3

      - uses: actions/setup-go@v4
        with:
          go-version: '1.20'

      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@v2
        with:
          aws-region: eu-west-1
          role-to-assume: arn:aws:iam::<your account id>:role/github-actions-metatron-cvm

      - name: Deploy
        run: make deploy
```