Setting up GitHub Actions to have access to your AWS account
GitHub Actions is the best CI/CD provider I’ve used so far. It is extremely flexible, and has really quickly caught up in terms of feature set with CI providers that existed for years before Actions was launched.
One of its great features is being able to set up OIDC AWS access, without having to manually create credentials and risk them leaking.
GitHub has documentation on this here, but since I always have trouble setting it up, here is a quick recap to help future me:
1. Add Identity Provider
You can do this either in the AWS console:
- Go to IAM → Identity Providers
- Click Add Provider, choose OpenID Connect
- Enter the Provider URL https://token.actions.githubusercontent.com and click Get thumbprint.
- Add the audience sts.amazonaws.com and save.
Or using a CloudFormation template:
  GithubOidc:
    Type: AWS::IAM::OIDCProvider
    Condition: CreateOIDCProvider
    Properties:
      Url: https://token.actions.githubusercontent.com
      ClientIdList:
        - sts.amazonaws.com
      ThumbprintList:
        - 6938fd4d98bab03faadb97b34396831e3780aea1
(link here to launch this in the CloudFormation console)
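Once the provider exists, the thing worth checking later is that it still holds exactly the three values above: the GitHub issuer URL, the single sts.amazonaws.com audience, and the expected thumbprint. An extra audience or a changed thumbprint is configuration drift that widens who the provider will vouch for. The following audit script is an added example, not code from the original post or from GitHub/AWS; the function names are my own, and the two provider documents are constructed to mirror the shape boto3's get_open_id_connect_provider() returns (IAM stores the URL without its https:// scheme, which the helper tolerates). The audit_account() function needs boto3 and network access; the rest runs offline.

```python
"""Audit a GitHub OIDC identity provider in AWS IAM against the recipe values."""
from typing import Any

# The three values from the recipe above.
EXPECTED_HOST = "token.actions.githubusercontent.com"
EXPECTED_AUDIENCE = "sts.amazonaws.com"
EXPECTED_THUMBPRINT = "6938fd4d98bab03faadb97b34396831e3780aea1"


def _host(url: str) -> str:
    """Normalise the URL: IAM reports it without a scheme, the console shows it with one."""
    return url.removeprefix("https://").rstrip("/").lower()


def audit_provider(provider: dict[str, Any]) -> list[str]:
    """Return human-readable findings; an empty list means the provider matches the recipe."""
    findings: list[str] = []

    if _host(provider.get("Url", "")) != EXPECTED_HOST:
        findings.append(f"unexpected issuer URL {provider.get('Url')!r}")

    audiences = set(provider.get("ClientIDList", []))
    if EXPECTED_AUDIENCE not in audiences:
        findings.append(f"audience {EXPECTED_AUDIENCE} missing")
    extra = audiences - {EXPECTED_AUDIENCE}
    if extra:
        # Every extra audience is another token 'aud' value this provider will accept.
        findings.append(f"extra audiences accepted: {sorted(extra)}")

    thumbprints = {t.lower() for t in provider.get("ThumbprintList", [])}
    if EXPECTED_THUMBPRINT not in thumbprints:
        findings.append("expected thumbprint not present")
    unknown = thumbprints - {EXPECTED_THUMBPRINT}
    if unknown:
        findings.append(f"unrecognised thumbprints: {sorted(unknown)}")

    return findings


# Constructed sample documents, shaped like a boto3 get_open_id_connect_provider() response.
GOOD_PROVIDER = {
    "Url": "token.actions.githubusercontent.com",
    "ClientIDList": ["sts.amazonaws.com"],
    "ThumbprintList": ["6938FD4D98BAB03FAADB97B34396831E3780AEA1"],
}
DRIFTED_PROVIDER = {
    "Url": "https://token.actions.githubusercontent.com",
    "ClientIDList": ["sts.amazonaws.com", "https://github.com/example-org"],
    "ThumbprintList": ["ffffffffffffffffffffffffffffffffffffffff"],
}


def audit_account(iam_client) -> dict[str, list[str]]:
    """Audit every OIDC provider in the account (iam_client is a boto3 IAM client; network)."""
    results: dict[str, list[str]] = {}
    for entry in iam_client.list_open_id_connect_providers()["OpenIDConnectProviderList"]:
        arn = entry["Arn"]
        doc = iam_client.get_open_id_connect_provider(OpenIDConnectProviderArn=arn)
        results[arn] = audit_provider(doc)
    return results


if __name__ == "__main__":
    for name, doc in (("good", GOOD_PROVIDER), ("drifted", DRIFTED_PROVIDER)):
        print(name, audit_provider(doc) or "OK")
```

The same provider can be created from the CLI with aws iam create-open-id-connect-provider --url https://token.actions.githubusercontent.com --client-id-list sts.amazonaws.com --thumbprint-list 6938fd4d98bab03faadb97b34396831e3780aea1, and listed with aws iam list-open-id-connect-providers to feed the audit. Note that AWS now validates the GitHub endpoint's TLS certificate against its own trusted CA list, so the thumbprint is still required by the API but is no longer what secures the trust; the audience list and, in the next step, the role's trust-policy condition on the token's subject are what actually limit which workflows can assume the role.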