Logo AppDev24 Login / Sign Up
Sign Up
Have Login?
This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.
Login
New Account?
Recovery
Go to Login
Google icon Login or Sign Up with Google Facebook icon Login or Sign Up with Facebook Twitter icon Login or Sign Up with Twitter
By continuing you indicate that you agree to Terms of Service and Privacy Policy of the site.
DevOps

Simplifying AWS Access in GitHub Actions with OIDC Provider

Saurav Mitra
Updated on Jul 22, 2024

Managing AWS access keys for GitHub Actions can be a challenge, especially when ensuring security and ease of access. Traditionally, AWS IAM user access keys have been used to grant GitHub Actions the permissions needed to interact with AWS resources. However, there is a more secure and manageable way: using OpenID Connect (OIDC) identity providers to obtain temporary AWS credentials.

 In this blog post, we'll explore how to set up AWS OIDC for Github to access AWS resources without needing long-term IAM user access keys.

Why Use OIDC with GitHub Actions?

Using OIDC with GitHub Actions offers several benefits:

  1. Enhanced Security: By eliminating the need for long-term AWS access keys, you reduce the risk of credential leakage.
  2. Ease of Management: Short-term credentials simplify credential rotation and management.
  3. Scoped Access: You can tightly scope the permissions granted to specific repositories, reducing the risk of over-privileged access.

Below are some common use cases where integrating GitHub Actions with AWS OIDC enhances security for various AWS operations:

-  Access to AWS Self-Hosted Runners.
-  Access to specific AWS resources (EC2, S3, RDS) securely
-  For Infrastructure as Code (IaC) tasks with Terraform, GitHub Actions can assume a
    role with the necessary permissions to provision and manage AWS resources.
-  Secure access to S3 and DynamoDB for Terraform state file and state locking.
-  Access to push docker container images to ECR securely.
-  Access to interact with Kubernetes API for deploying applications to specific EKS       
    cluster.

Create an OIDC Provider in AWS

First, we need to configure AWS to trust GitHub's OIDC provider

  • Navigate to the AWS IAM Console. Go to the "Identity providers" section and click "Add provider".

Using Terraform to create OIDC Provider:

resource "aws_iam_openid_connect_provider" "github" {
  url             = "https://token.actions.githubusercontent.com"
  client_id_list  = ["sts.amazonaws.com"]
  thumbprint_list = ["1c58a3a8518e8759bf075b76b750d4f2df264fcd"]
}

Create an IAM Role

Next, we will create an IAM role that GitHub Actions can assume. We will scope the Trust Relationship Policy by limiting it to a specific GitHub organization, repository, or branch that can assume the role associated with the IAM IdP.

Trust Relationships

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Federated": "arn:aws:iam::123456789012:oidc-provider/token.actions.githubusercontent.com"
            },
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "StringEquals": {
                    "token.actions.githubusercontent.com:aud": "sts.amazonaws.com",
                    "token.actions.githubusercontent.com:sub": "repo:sarubhai/test-aws-oidc:ref:refs/heads/main"
                }
            }
        }
    ]
}

Github_OIDC_Basic_Permission

{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Effect": "Allow",
			"Action": [
				"s3:List*"
			],
			"Resource": "*"
		}
	]
}

Using Terraform to create IAM Role:

data "aws_iam_policy_document" "github_actions_trust_policy" {
  statement {
    effect  = "Allow"
    actions = ["sts:AssumeRoleWithWebIdentity"]

    principals {
      type        = "Federated"
      identifiers = [aws_iam_openid_connect_provider.github.arn]
    }

    condition {
      test     = "StringEquals"
      variable = "token.actions.githubusercontent.com:aud"
      values   = ["sts.amazonaws.com"]
    }

    condition {
      test     = "StringLike"
      variable = "token.actions.githubusercontent.com:sub"
      values   = ["repo:sarubhai/github-aws-oidc:*"]
    }
  }
}

resource "aws_iam_role" "github_actions_role" {
  name               = "github-actions-role"
  assume_role_policy = data.aws_iam_policy_document.github_actions_trust_policy.json
  managed_policy_arns = [aws_iam_policy.github_actions_policy.arn]
}

resource "aws_iam_policy" "github_actions_policy" {
  name = "github-actions-policy"

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect   = "Allow"
        Action   = ["s3:List*"]
        Resource = "*"
      },
    ]
  })
}

Create a Github Action

Let us first add two Github Secrets namely AWS_REGION & AWS_ROLE_TO_ASSUME 

.github/workflows/devops.yml

name: DevOps
on:
  # workflow_dispatch:
  push:
    branches:
      - main

permissions:
  id-token: write
  contents: read
      
jobs:
  devops-automation:
    runs-on: ubuntu-latest
    steps:

      - name: Checkout local repo
        uses: actions/checkout@v3
    
      - name: configure aws credentials
        uses: aws-actions/configure-aws-credentials@v3
        with:
          role-to-assume: $\{\{ secrets.AWS_ROLE_TO_ASSUME }}
          aws-region: $\{\{ secrets.AWS_REGION }}
          disable-retry: "true"
      
      - name: Get STS Caller Identity
        run: aws sts get-caller-identity

      - name: List S3 Buckets
        run: aws s3 ls

One of the key benefits of using OIDC with GitHub Actions is the ability to manage access across multiple repositories efficiently. Each repository can assume a different IAM role tailored to its specific needs, enhancing security and reducing the risk of over-privileged access.

  • For each GitHub repository, create a distinct IAM role.
  • Customize the trust policy for each role to include the specific repository.
  • Attach specific permissions to each role based on the requirements of the repository. For instance, one role might need access to S3 and DynamoDB, while another might require permissions for ECR and EKS.
  • In each repository, add a secret named AWS_ROLE_TO_ASSUME containing the ARN of the IAM role assigned to that repository.

By following this approach, you ensure that each repository has the least privilege necessary to perform its tasks, enhancing the overall security of your AWS resources.

In this post, we've walked through creating an OIDC provider, setting up an IAM role with a scoped trust policy, and configuring a GitHub Actions workflow to assume the role and interact with AWS. With these steps, you can eliminate the need for long-term IAM user access keys, making your CI/CD pipelines more secure and manageable.

PrimeChess

PrimeChess.org

PrimeChess.org makes elite chess training accessible and affordable for everyone. For the past 6 years, we have offered free chess camps for kids in Singapore and India, and during that time, we also observed many average-rated coaches charging far too much for their services.

To change that, we assembled a team of top-rated coaches including International Masters (IM) or coaches with multiple IM or GM norms, to provide online classes starting from $50 per month (8 classes each month + 4 tournaments)

This affordability is only possible if we get more students. This is why it will be very helpful if you could please pass-on this message to others.

Exclucively For Indian Residents: 
Basic - ₹1500
Intermediate- ₹2000
Advanced - ₹2500

Top 10 Articles

Setup Kubernetes Persistent Volumes on Docker Desktop

Iceberg Data Lake on Amazon S3 with AWS Glue Catalog

Setup MinIO Object Storage on Kubernetes

Kafka Connect Debezium Source to AWS S3 Sink

Setup MLflow on Kubernetes

Setup a Private Container Registry

Kubernetes Dashboard with Docker Desktop

Kafka Connect to AWS S3 Sink

Change Data Capture from Oracle to Kafka

Airflow Installation on AWS EC2