This AWS Cloud Developer Kit (CDK) stack provides the necessary credentials to enable OIDC Authentication integration for Github Actions access to an AWS account. It allows the user to integrate Github Actions workflows with an AWS account without having to save AWS Credentials in their Github Secrets.
- Deploys an AWS Identity and Access Management role with OIDC authorization scoped specifically for Github OIDC access.
- Outputs the ARN of the role to be used in Github environment
The aws-cli must be installed -and- configured with an AWS account on the deployment machine (see https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-install.html for instructions on how to do this on your preferred development platform).
This project requires Node.js. To make sure you have it available on your machine, try running the following command.
node -vFor best experience we recommend installing CDK globally: npm install -g aws-cdk
git clone #insert-http-or-ssh-for-this-repositoryConfigure your AWS credentials:
aws configure
For more on setting up your AWS Credentials please visit setting up your aws credentials
- Navigate to CDK Directory
- Set up your emissions factor document (see Set up your emissions factor document below)
- Copy
cdk.context.template.jsonor remove .template - Enter your parameters in
cdk.context.json(see Context Parameters below)
Before deployment navigate to cdk.context.json and update the required context parameters.
- Required:
repoOwnerThe owner of the Github repository. This can be found in the url of your Github repository - Required:
repoNameThe name of the repository - Required:
repoBranchThe branch to allow for deployment (default is/main)
At this point you should have already saved your AWS credentials to environmental variables using aws configure or a similar command. The bootstrap step sets up several dependencies for CDK that will allow you to create resources using the CDK command line interface. Please also note that you will need a generally permissive IAM role to bootstrap CDK. This can be done using an AWS managed developer role, but we strongly recommend consulting your security practices to ensure that you adhere to least privilege.
cdk bootstrap # if you are authenticated with aws configureor
cdk bootstrap aws://ACCOUNT-NUMBER/REGION # if you are bootstrapping a different accountInstall dependencies
npm ciBuild your node application and environment
npm run buildSynthesize the CDK application
cdk synth✅ Recommended: deploy for local development
cdk deploy --allNow that your OIDC role is set up and running in your accounts follow the linked directions to integrate with an existing Github Actions Workflow.
Configuring OpenID Connect in Amazon Web Services
...or follow the AWS Security Blog post below
[Use IAM roles to connect GitHub Actions to actions in AWS] (https://aws.amazon.com/blogs/security/use-iam-roles-to-connect-github-actions-to-actions-in-aws/)
You are responsible for the cost of the AWS services used while running this application. There is no additional cost for the kit.
The AWS CDK stacks for this kit include configuration parameters that you can customize. Some of these settings, such as instance type, affect the cost of deployment. For cost estimates, see the pricing pages for each AWS service you use. Prices are subject to change.
Tip: After you deploy the application, create AWS Cost and Usage Reports to track costs associated with the application. These reports deliver billing metrics to an S3 bucket in your account. They provide cost estimates based on usage throughout each month and aggregate the data at the end of the month. For more information, see What are AWS Cost and Usage Reports?
This sample doesn’t require any software license or AWS Marketplace subscription.
See CONTRIBUTING for more information.
npm run buildcompile typescript to jsnpm run watchwatch for changes and compilenpm run testperform the jest unit testscdk deploydeploy this stack to your default AWS account/regioncdk diffcompare deployed stack with current statecdk synthemits the synthesized CloudFormation template