cmdaltent/gha-oidc-test

Testing out GitHub OpenID Connect w/ Amazon AWS

We simply follow the official instructions.

This solution does not require any (long-lived) secrets being stored in GitHub. If only, the arn of the role to be assumed can be stored as GitHub secrets, which prevents the AWS account id from being publicly accessible in the repository.

Accessing AWS

As a minimal working example, we

• created the GitHub OIDC provider in AWS
• created a role
• connected the role to the GitHub OIDC provider
• gave the role permission to access the Parameter Store of the AWS Systems Manager via the AmazonSSMReadOnlyAccess policy
• created a parameter HelloWorld in the AWS Systems Manager Parameter Store, which will be read in the workflow
• granted the entire repository (repo:cmdaltent/gha-oidc-test:*) permission to access AWS via the OpenID Connect and the created role

Lessons Learnt

If a repository as a whole is supposed to be granted access, the following condition for the trust relationship between OIDC provider and AWS role does not work:

"Condition": {
  "StringEquals": {
    "token.actions.githubusercontent.com:sub": "repo:cmdaltent/gha-oidc-test:*"
  }
}

Instead, The StringLike comparator worked for us:

"Condition": {
  "StringLike": {
    "token.actions.githubusercontent.com:sub": "repo:cmdaltent/gha-oidc-test:*"
  }
}