Creating GitHub OIDC for AWS (Manually)
This guide walks you through setting up OpenID Connect (OIDC) between GitHub and AWS. Instead of storing long-lived AWS access keys as GitHub secrets, we configure an IAM trust relationship and let AWS Security Token Service (STS) issue short-lived credentials to the workflow based on that trust.
Prerequisites
- AWS IAM user with console access
- Full permission set for IAM service
Steps
1. Add GitHub as an Identity Provider
- Navigate to the IAM service in the AWS console
- Click on "Identity providers"
- Select "Add provider"
- Choose OpenID Connect
- Provider URL: https://token.actions.githubusercontent.com
- Audience: sts.amazonaws.com
2. Create a Role for the GitHub Action
- Go to the IAM dashboard and navigate to "Roles"
- Click "Create role"
- For Trusted entity type, choose "Web identity"
- Complete the Web identity form:
  - Identity provider: token.actions.githubusercontent.com
  - Audience: sts.amazonaws.com
  - GitHub organization: Your GitHub username
  - GitHub repository: Your repository name
  - Optionally, fill in the necessary refs (branches or tags the role should trust).
- Click "Next"
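The console form above produces a role trust policy whose conditions pin the token audience (`aud`) and subject (`sub`) to the values you entered. The following added example (not part of the original guide) builds that trust policy from the form's fields and checks an existing policy for the two mistakes that widen the trust: a missing `aud` condition, or a `sub` condition that does not pin the org/repo. The account id, org and repo names used are constructed placeholders.

```python
"""Build and sanity-check the trust policy that step 2 generates (added example)."""
import json

OIDC_PROVIDER_HOST = "token.actions.githubusercontent.com"
AUDIENCE = "sts.amazonaws.com"


def build_trust_policy(account_id, org, repo, ref=None):
    """Return the trust policy (as a dict) for a GitHub Actions web-identity role.

    GitHub issues the subject claim as "repo:<org>/<repo>:ref:refs/heads/<branch>";
    without a ref we still pin org/repo and allow any ref within it.
    """
    sub = f"repo:{org}/{repo}:ref:refs/heads/{ref}" if ref else f"repo:{org}/{repo}:*"
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {
                "Federated": f"arn:aws:iam::{account_id}:oidc-provider/{OIDC_PROVIDER_HOST}"
            },
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "StringEquals": {f"{OIDC_PROVIDER_HOST}:aud": AUDIENCE},
                "StringLike": {f"{OIDC_PROVIDER_HOST}:sub": sub},
            },
        }],
    }


def trust_policy_findings(policy):
    """Return findings for overly broad trust in a role's trust policy (empty list = ok)."""
    aud_key, sub_key = f"{OIDC_PROVIDER_HOST}:aud", f"{OIDC_PROVIDER_HOST}:sub"
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Action") != "sts:AssumeRoleWithWebIdentity":
            continue
        cond = stmt.get("Condition", {})
        if cond.get("StringEquals", {}).get(aud_key) != AUDIENCE:
            findings.append("aud is not pinned to sts.amazonaws.com")
        subs = cond.get("StringLike", {}).get(sub_key, cond.get("StringEquals", {}).get(sub_key))
        if subs is None:
            findings.append("no sub condition: any GitHub repository could assume this role")
            continue
        for sub in ([subs] if isinstance(subs, str) else subs):
            parts = sub.split(":")  # "repo:<org>/<repo>:..." -> parts[1] is org/repo
            if len(parts) < 2 or "*" in parts[1]:
                findings.append(f"sub {sub!r} does not pin the org/repo")
    return findings


if __name__ == "__main__":
    # Constructed placeholder values; substitute your own account id, org and repo.
    print(json.dumps(build_trust_policy("123456789012", "example-org", "example-repo", "main"), indent=2))
```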
3. Assign Role Permissions
Assign the necessary permissions to your role, following the principle of least privilege. For this demo the role needs nothing beyond being assumable by the GitHub Action and calling get-caller-identity.
4. Review and Create Role
- Name your role (e.g., GithubActionsRole)
- Review permissions and trusted entities
- Click "Create Role"
5. Test the Setup
Create a GitHub action with the following YAML:

```yaml
name: AWS Credentials Example
on:
  push:
    branches: [ main ]
permissions:
  id-token: write # Required for OIDC
jobs:
  check-aws-identity:
    runs-on: ubuntu-latest
    steps:
      - name: Configure AWS Credentials
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: arn:aws:iam::123456789012:role/GithubActionsRole
          aws-region: us-east-1
      - name: Get caller identity
        run: |
          aws sts get-caller-identity
```
Replace arn:aws:iam::123456789012:role/GithubActionsRole with your actual role ARN.
And done! ✅