Authenticate GITHUB actions to AWS using Identity Providers

Satish Kumar
3 min read · Feb 13, 2023


Hey geeks!! Welcome Back :)

No need to store an access key and secret key in GITHUB secrets to run your CI/CD pipelines from GITHUB to AWS 🤫

Why AWS Identity Providers?????? 🤔

Attack! Attack! Attack! 🧟🧟‍♂️

Tired of cyber attacks??
Most attacks occur when your secrets (passwords) are exposed or compromised, Lol.

Below are the steps to authenticate your GITHUB to AWS for running the CI/CD pipelines:

Prerequisites:

AWS Account

GITHUB Account with REPO

This demo tests only the authentication step.

# Create an identity provider in AWS IAM as below:

1. Click on Identity providers under IAM > Access Management.

2. Click on Add Provider

3. Under “Configure provider” select “OpenID Connect”.

4. Under “Provider URL” add the URL below and click on “Add Thumbprint”:
“https://token.actions.githubusercontent.com”

5. Under “Audience” add “sts.amazonaws.com”.

6. Now create a policy with necessary permissions.

Note: Create a least-privilege policy that covers only the required services (don't attach the “AdministratorAccess” managed policy).

7. Create a role and attach the policy that we created in step 6.

8. Attach the trust relationship policy below to the role that we created in step 7.

# Replace the values with your AWS account ID, GITHUB Name/Repo name.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::<YOUR ACCOUNT ID>:oidc-provider/token.actions.githubusercontent.com"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringLike": {
          "token.actions.githubusercontent.com:sub": "repo:<Your GITHUB NAME>/<YOUR REPO>:*"
        },
        "ForAllValues:StringEquals": {
          "token.actions.githubusercontent.com:aud": "sts.amazonaws.com",
          "token.actions.githubusercontent.com:iss": "https://token.actions.githubusercontent.com"
        }
      }
    }
  ]
}
```

9. If you have to give access to all repos in your GITHUB account, use the condition below instead (note that this lets a workflow in any of those repos assume the role):
"token.actions.githubusercontent.com:sub": "repo:<Your GITHUB NAME>/*:*"

10. Create a workflow in GITHUB Actions and add the YAML below:

# Replace the values with your AWS account ID and role name that we created in step 7.

```yaml
name: CD
'on':
  workflow_dispatch: null
jobs:
  deploy:
    runs-on: ubuntu-latest
    # id-token: write lets the job request the GitHub OIDC token that AWS will trust.
    permissions:
      contents: read
      id-token: write

    steps:
      - uses: actions/checkout@v2

      - name: Connecting GitHub Actions To AWS Using OIDC - Roles
        # Pinning to a release tag or commit SHA instead of @master is safer,
        # since the master branch of a third-party action can change at any time.
        uses: aws-actions/configure-aws-credentials@master
        with:
          role-to-assume: arn:aws:iam::<YOUR ACCOUNT ID>:role/<YOUR ROLE NAME>
          role-session-name: github-actions-session
          aws-region: us-east-1
      - run: aws sts get-caller-identity
```
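The whole setup hinges on the `sub` and `aud` conditions in the trust policy from steps 8 and 9: they decide which GitHub workflows can assume the role. The following added example (not part of the original post) evaluates those conditions the way IAM does, using a constructed trust policy with made-up account ID and org/repo placeholders, and audits a policy for a missing `sub` condition or the org-wide `repo:<org>/*:*` pattern.

```python
import json
import re
PROVIDER = "token.actions.githubusercontent.com"

# Constructed trust policy in the shape shown in step 8; the account ID and the
# org/repo names are made-up placeholders, not real values.
TRUST_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
  "Principal": {"Federated": "arn:aws:iam::123456789012:oidc-provider/token.actions.githubusercontent.com"},
  "Action": "sts:AssumeRoleWithWebIdentity",
  "Condition": {"StringLike": {"token.actions.githubusercontent.com:sub": "repo:example-org/example-repo:*"},
                "ForAllValues:StringEquals": {"token.actions.githubusercontent.com:aud": "sts.amazonaws.com"}}}]}""")

def _cond(stmt, op, key):
    v = stmt.get("Condition", {}).get(op, {}).get(f"{PROVIDER}:{key}")
    return [] if v is None else (v if isinstance(v, list) else [v])

def string_like(pattern, value):
    """IAM StringLike semantics: '*' matches any run of characters, '?' exactly one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None

def token_allowed(policy, claims):
    """Would a GitHub OIDC token carrying these sub/aud claims pass the trust policy?"""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow" or stmt.get("Action") != "sts:AssumeRoleWithWebIdentity":
            continue
        auds = _cond(stmt, "StringEquals", "aud") + _cond(stmt, "ForAllValues:StringEquals", "aud")
        if auds and claims.get("aud") not in auds:
            continue
        exact, globs = _cond(stmt, "StringEquals", "sub"), _cond(stmt, "StringLike", "sub")
        # No sub condition at all means a token from any GitHub repository matches.
        if not exact and not globs:
            return True
        if claims["sub"] in exact or any(string_like(g, claims["sub"]) for g in globs):
            return True
    return False

def audit(policy):
    """Flag trust-policy conditions that admit more workflows than one repository."""
    findings = []
    for stmt in policy["Statement"]:
        subs = _cond(stmt, "StringEquals", "sub") + _cond(stmt, "StringLike", "sub")
        if not subs:
            findings.append("no sub condition: any GitHub repository could assume this role")
        for s in subs:
            if re.fullmatch(r"repo:[^/]+/\*:.*", s):
                findings.append(f"sub pattern {s!r} admits every repository in the org (step 9)")
        if not _cond(stmt, "StringEquals", "aud") + _cond(stmt, "ForAllValues:StringEquals", "aud"):
            findings.append("no aud condition: token audience is not pinned to sts.amazonaws.com")
    return findings
```

Run `audit()` over the trust policy you attached in step 8 before testing; an empty findings list means the role is scoped to a single repository and the `sts.amazonaws.com` audience.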

That's it!!!! Now test the authentication by running the workflow; the last step should print the assumed role's identity.

For authenticating GITHUB Actions to GCP using Workload Identity Federation, please check the below:

Cheers :)

Thanks for Reading !!!!

Follow for more updates :)
