OIDC (OpenID Connect) can be used within GitHub workflows to authenticate with Amazon Web Services. This eliminates the need to store AWS credentials as long-lived GitHub secrets.
This CDK stack enables OpenID Connect in Amazon Web Services. It only needs to be deployed once per AWS account and can be accessed by one or more GitHub repositories. Restrictions can be put in place based on a specific repo, event, branch, or tag. Please refer to GitHub documentation on Configuring OpenID Connect in Amazon Web Services for further information.
A single AWS IAM role is created as part of this stack. The role ARN is provided as a stack output and is displayed after deployment. Reference this ARN within your GitHub workflows (i.e. in your application stack) to manage deployment. The role's policy should specify which AWS resources GitHub Actions has access to.
- An AWS account
- A role policy which specifies the level of access GitHub Actions has on AWS (referencing an existing AWS managed policy is allowed)
- A GitHub repo with predetermined access restrictions (i.e. with a subject reference matching a specific branch, event or tag)
It is important to prevent untrusted workflows or repositories from requesting access tokens for AWS resources. Please refer to GitHub documentation on security hardening with OpenID Connect for further information.
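To make the repo/branch restrictions above concrete, the following Python is an added illustration (not code from this CDK stack or from GitHub's or AWS's libraries). It builds the kind of IAM trust policy the single deploy role described above carries, driven by the same GithubRepo parameter, and evaluates constructed GitHub token claims against it the way IAM's StringEquals/StringLike conditions do. The helper names and the account id are assumptions; the issuer `token.actions.githubusercontent.com`, the `sub`/`aud` claim names and the `sts.amazonaws.com` audience are the standard ones for GitHub's OIDC provider. It shows why a repo-wide pattern such as `linz/geostore:*` also admits pull_request and feature-branch tokens, while a subject pinned to one branch does not.

```python
import json
import re

# Issuer of GitHub Actions OIDC tokens; IAM condition keys are issuer-qualified.
GITHUB_OIDC_ISSUER = "token.actions.githubusercontent.com"


def build_trust_policy(account_id: str, github_repo: str) -> dict:
    """Return the trust policy for a role assumable via GitHub OIDC (illustrative helper).

    `github_repo` mirrors the stack's GithubRepo parameter, e.g. "linz/geostore:*"
    (any workflow in the repo) or "linz/geostore:ref:refs/heads/main" (one branch).
    """
    provider_arn = f"arn:aws:iam::{account_id}:oidc-provider/{GITHUB_OIDC_ISSUER}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"Federated": provider_arn},
                "Action": "sts:AssumeRoleWithWebIdentity",
                "Condition": {
                    # Pin the audience so a token minted for some other consumer is rejected.
                    "StringEquals": {f"{GITHUB_OIDC_ISSUER}:aud": "sts.amazonaws.com"},
                    # The subject encodes repo plus ref/environment/event; StringLike
                    # permits the '*' wildcard, which is what widens or narrows access.
                    "StringLike": {f"{GITHUB_OIDC_ISSUER}:sub": f"repo:{github_repo}"},
                },
            }
        ],
    }


def _string_like(value: str, pattern: str) -> bool:
    """IAM StringLike: '*' matches any sequence, '?' any single character, else exact."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value) is not None


def token_allowed(policy: dict, claims: dict) -> bool:
    """Return True if any Allow statement's conditions match the token claims."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        cond = stmt.get("Condition", {})
        ok = True
        for key, expected in cond.get("StringEquals", {}).items():
            ok = ok and claims.get(key) == expected
        for key, pattern in cond.get("StringLike", {}).items():
            value = claims.get(key)
            ok = ok and value is not None and _string_like(value, pattern)
        if ok:
            return True
    return False


def github_claims(sub: str, aud: str = "sts.amazonaws.com") -> dict:
    """Constructed sample of the two claims a GitHub OIDC token carries that matter here."""
    return {f"{GITHUB_OIDC_ISSUER}:sub": sub, f"{GITHUB_OIDC_ISSUER}:aud": aud}


if __name__ == "__main__":
    # Account id below is a made-up placeholder.
    wide = build_trust_policy("123456789012", "linz/geostore:*")
    narrow = build_trust_policy("123456789012", "linz/geostore:ref:refs/heads/main")
    print(json.dumps(narrow, indent=2))
    for sub in (
        "repo:linz/geostore:ref:refs/heads/main",   # push to main
        "repo:linz/geostore:pull_request",          # PR-triggered workflow
        "repo:linz/geostore:ref:refs/heads/feature", # any other branch
        "repo:other-org/geostore:ref:refs/heads/main",  # different repo
    ):
        print(f"{sub:50} wide={token_allowed(wide, github_claims(sub))} "
              f"narrow={token_allowed(narrow, github_claims(sub))}")
```

When reviewing a deployed role, compare its StringLike subject against the events you actually intend to deploy from; the repo-wide form is convenient but means a workflow on any branch or pull request of that repository can assume the role.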
This cdk stack can be deployed by running the following:
cdk deploy --profile <profile-name> --parameters GithubRepo=<github-repo> --parameters EnvName=<environment-name>
where
- <profile-name> references the named profile for the AWS CLI
- <github-repo> references the GitHub repository that should be granted access via OIDC
- <environment-name> references the application environment of your deployment. This is used as part of the role name (e.g. arn:aws:iam::123456789:role/<environment-name>Oidc) and is mostly useful in identifying which account the role belongs to in a multi-account setup.
For example:
cdk deploy --profile=li-geostore-ci --parameters=EnvName="Ci" --parameters=GithubRepo="linz/geostore:*"