Skip to content

AWS OIDC provider deployment for GitHub Actions integration

License

Notifications You must be signed in to change notification settings

linz/oidc-provider

Repository files navigation

OIDC Provider

GitHub Actions Status Kodiak Dependabot Status License Conventional Commits Code Style Imports: isort Checked with mypy Code Style: prettier

OIDC (OpenID Connect) can be used within GitHub workflows to authenticate with Amazon Web Services. This eliminates the need to store AWS credentials as long-lived GitHub secrets.

This CDK stack enables OpenID Connect in Amazon Web Services. It only needs to be deployed once per AWS account and can be accessed by one or more GitHub repositories. Restrictions can be put in place based on a specific repo, event, branch, or tag. Please refer to GitHub documentation on Configuring OpenID Connect in Amazon Web Services for further information.

A single AWS role is created as part of this stack. The role arn is provided as an output of this cdk and will be displayed post deployment. This should be referenced within GitHub workflows (i.e. in your application stack) to manage deployment. The role policy should specify which AWS resources GitHub actions has access to.

Prerequisites

  • An AWS account
  • A role policy which specifies the level of access GitHub actions has on AWS (referencing existing AWS managed policy is allowed)
  • A GitHub repo with predetermined access restrictions (i.e. with reference matching a specific branch, event or tag)

It is important to prevent untrusted workflows or repositories from requesting access token to AWS resources. Please refer to GitHub documentation on security hardening with OpenID Connect for further information.

How to Deploy

This cdk stack can be deployed by running the following:
cdk deploy --profile <profile-name> --GithubRepo=<github-repo> --EnvName=<environment-name>

where

  • <profile-name> references the named profile for the AWS CLI
  • <github-repo> references the GitHub repository that should be granted access to oidc
  • <environment-name> references to the application environment of your deployment
    This is used as part of the role creation name (e.g. arn:aws:iam::123456789:role/<environment-name>Oidc) and is mostly useful in identifying which account the role belongs to in a multi account setup.

for example:
cdk deploy --profile=li-geostore-ci --parameters=EnvName="Ci" --parameters=GithubRepo="linz/geostore:*"

About

AWS OIDC provider deployment for GitHub Actions integration

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Contributors 4

  •  
  •  
  •  
  •