3. Create an IAM role for GitHub Actions (OIDC)
GitHub Actions will use this role.
Create identity provider
I need to register an identity provider so the role can use OIDC authentication.

Provider URL: https://token.actions.githubusercontent.com
Audience: sts.amazonaws.com
Create a role
Select trusted entity

Select web identity, then the identity provider and audience created above.
Enter my GitHub path, because I didn't use an organization.
Add permissions
I attached the AmazonS3FullAccess and AWSCodeDeployFullAccess managed policies.
GitHub Actions uses S3 to download the config and upload the artifact, and runs a CodeDeploy CLI command at the end of the workflow.
Name
I named it "GithubActionRole-marcel1315".
Save the role ARN in GitHub secrets
The role ARN is shown in the role's summary section in the console; it starts with "arn:aws:iam::".
Copy it and save it as a GitHub secret. I named it AWS_ASSUME_ROLE_ARN.

Check the workflow config file again
The config below in the workflow obtains AWS credentials using OIDC.
I set the role duration to 1800 seconds; it must be longer than the build time.
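The OIDC credential step as an added example; this is not the post's own workflow file. It assumes an `ubuntu-latest` runner, a placeholder region `ap-northeast-2`, and the `AWS_ASSUME_ROLE_ARN` secret saved in the step above.

```yaml
# Added example, not the post's workflow. Assumptions: ubuntu-latest runner,
# placeholder region ap-northeast-2, role ARN stored in AWS_ASSUME_ROLE_ARN.
name: deploy

on:
  push:
    branches: [main]

permissions:
  id-token: write   # lets the job request an OIDC token from GitHub
  contents: read    # checkout only needs read access

jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Configure AWS credentials via OIDC
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: ${{ secrets.AWS_ASSUME_ROLE_ARN }}
          role-session-name: github-actions-${{ github.run_id }}
          aws-region: ap-northeast-2        # assumption: replace with your region
          role-duration-seconds: 1800       # must exceed the build time

      # Check: the caller should be the assumed role, not an IAM user
      - name: Verify assumed role
        run: aws sts get-caller-identity
```

The `id-token: write` permission is what allows the token request; the role's trust policy should restrict `token.actions.githubusercontent.com:sub` to this repository, which is what entering the GitHub path in the console does.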