CAUTION!! GitHub has not announced the ID token for GitHub Actions as GA. Please don't use this feature in production; breaking changes could be introduced at any moment.
Test out AssumeRoleWithWebIdentity using an ID token issued by the GitHub OIDC provider. All AWS resources are deployed using Terraform.
- tfenv
- AWS account
Prepare your Terraform variable file.
cp terraform.tfvars .terraform.tfvars
Replace YOUR_AWS_ACCOUNT_ID in .terraform.tfvars and .github/workflows/main.yml with your AWS account ID. Also, replace client_id_list with your repository URL.
tfenv install
Deploy the IAM identity provider and the assumed IAM role called GitHubActions with the commands below.
terraform init -var-file .terraform.tfvars
terraform plan -var-file .terraform.tfvars
terraform apply -var-file .terraform.tfvars
Trigger your GitHub Actions workflow manually. Then you can find the assumed IAM role information with aws sts get-caller-identity.
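As an added illustration of what the apply step creates, the following is example Terraform, not this repository's own configuration: the variable name client_id (the repository URL that also goes into client_id_list), the thumbprint placeholder, and the OWNER/REPO values in the sub condition are assumptions.

```hcl
# Added example, not this repository's code. The variable name client_id,
# the thumbprint placeholder and the OWNER/REPO values are assumptions.
variable "client_id" { type = string } # e.g. https://github.com/OWNER/REPO

resource "aws_iam_openid_connect_provider" "github" {
  url            = "https://token.actions.githubusercontent.com"
  client_id_list = [var.client_id]
  # Placeholder: fill in the current SHA-1 thumbprint of the provider's TLS CA.
  thumbprint_list = ["THUMBPRINT_PLACEHOLDER"]
}

data "aws_iam_policy_document" "github_trust" {
  statement {
    actions = ["sts:AssumeRoleWithWebIdentity"]
    principals {
      type        = "Federated"
      identifiers = [aws_iam_openid_connect_provider.github.arn]
    }
    # Only tokens minted for this repository's audience may assume the role.
    condition {
      test     = "StringEquals"
      variable = "token.actions.githubusercontent.com:aud"
      values   = [var.client_id]
    }
    # Assumed hardening: also pin the sub claim to one repository and ref so a
    # token issued to a different repository or branch is rejected.
    condition {
      test     = "StringLike"
      variable = "token.actions.githubusercontent.com:sub"
      values   = ["repo:OWNER/REPO:ref:refs/heads/main"]
    }
  }
}

resource "aws_iam_role" "github_actions" {
  name               = "GitHubActions"
  assume_role_policy = data.aws_iam_policy_document.github_trust.json
}
```

Once applied, a successful aws sts get-caller-identity in the workflow should report an assumed-role ARN ending in GitHubActions, and a token from any other repository or branch is refused by the trust policy before any credentials are issued.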
This is inspired by the following materials.