Some rough CloudFormation to add OIDC support for GitHub in AWS, so that GitHub Actions can assume a role with short-lived credentials instead of long-lived access keys stored as secrets.
- Create a new identity provider for GitHub (`1b511abead59c6ce207077c0bf0e0043b1382612` is the known thumbprint for GitHub). Note that you can discover the current thumbprint using openssl:

```shell
# Fetch the chain presented by GitHub's token endpoint, drop the leaf (first) certificate
# and keep what follows: the intermediate CA certificate the thumbprint is taken from.
# The "0,/re/" address form is GNU sed; BSD/macOS sed does not accept it.
$ openssl s_client -servername token.actions.githubusercontent.com -showcerts \
    -connect token.actions.githubusercontent.com:443 < /dev/null 2>/dev/null \
  | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' \
  | sed "0,/-END CERTIFICATE-/d" > certificate.crt
# SHA-1 fingerprint (the default digest for -fingerprint) of that certificate,
# lowercase hex without colons, which is the form IAM expects.
$ openssl x509 -in certificate.crt -fingerprint -noout \
  | cut -f2 -d'=' | tr -d ':' | tr '[:upper:]' '[:lower:]'
1b511abead59c6ce207077c0bf0e0043b1382612
```
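An offline way to double-check the value the pipeline above produces, and to see which certificate in the chain you are pinning. This is an added example, not part of the original note: paste the `openssl s_client -showcerts` output into `chain_text` and it prints the SHA-1 thumbprint of every certificate, leaf first, and the one AWS asks for (the top intermediate, i.e. the last certificate the server sent). The chain embedded below is constructed placeholder data, not real X.509 certificates; the function hashes DER bytes and does not parse ASN.1, so any bytes exercise the same path. Function names are my own. AWS documents that for providers whose certificates chain to a CA in its trusted store it no longer relies on the thumbprint for verification, so the value is still required when creating the provider but a GitHub certificate rotation is less likely to break the trust than it used to be.

```python
import base64
import hashlib
import re
import textwrap

# Matches one PEM certificate block; group 1 is the base64 body (DER).
_PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def pem_chain_to_der(chain_text: str) -> list[bytes]:
    """Split a PEM chain, as printed by `openssl s_client -showcerts`, into DER blobs
    in the order the server sent them (leaf first). Surrounding s_client noise is ignored."""
    return [
        base64.b64decode("".join(m.group(1).split()))
        for m in _PEM_BLOCK.finditer(chain_text)
    ]


def thumbprint(der: bytes) -> str:
    """SHA-1 over the DER bytes, lowercase hex with no colons: what ThumbprintList expects."""
    return hashlib.sha1(der).hexdigest()


def chain_thumbprints(chain_text: str) -> list[str]:
    """Thumbprint of every certificate in the chain, leaf first."""
    return [thumbprint(der) for der in pem_chain_to_der(chain_text)]


def iam_thumbprint(chain_text: str) -> str:
    """The value to pin: the top intermediate CA, i.e. the last certificate the server
    sent (servers normally omit the root). With the usual two-certificate chain this is
    the same certificate the sed/openssl pipeline above selects."""
    prints = chain_thumbprints(chain_text)
    if len(prints) < 2:
        raise ValueError("chain contains no intermediate certificate")
    return prints[-1]


def _pem(body: bytes) -> str:
    """Wrap raw bytes as a PEM block (constructed test data, not a real certificate)."""
    b64 = base64.b64encode(body).decode()
    return (
        "-----BEGIN CERTIFICATE-----\n"
        + "\n".join(textwrap.wrap(b64, 64))
        + "\n-----END CERTIFICATE-----\n"
    )


# Constructed two-certificate "chain" with placeholder bodies, not real X.509 data.
CONSTRUCTED_CHAIN = (
    "depth=0 CN = token.actions.githubusercontent.com\n"  # s_client noise to be ignored
    + _pem(b"leaf certificate placeholder")
    + _pem(b"abc")  # SHA-1("abc") is the well-known a9993e36...
)


if __name__ == "__main__":
    for i, tp in enumerate(chain_thumbprints(CONSTRUCTED_CHAIN)):
        print(f"cert {i}: {tp}")
    print("pin:", iam_thumbprint(CONSTRUCTED_CHAIN))
```

If the chain has three certificates, the pipeline above pins the second one while this code pins the last; compare the two before you commit the value.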
```yaml
  # Goes under Resources: in the template.
  GitHubIdentityProvider:
    Type: AWS::IAM::OIDCProvider
    Properties:
      Url: https://token.actions.githubusercontent.com
      ThumbprintList:
        - 1b511abead59c6ce207077c0bf0e0043b1382612
      ClientIdList:
        # Audience (aud claim) the role's trust policy below checks.
        - sts.amazonaws.com
```

- Create the IAM role that your GitHub Actions jobs will assume. This role should have adequate permissions for whatever you want to do from GitHub Actions: the trust policy decides who can assume it, the attached policies decide what it can do. You can use `ManagedPolicyArns` to specify a custom managed policy (or, alternatively, use AWS managed policies) defining those permissions. Make sure to use your account ID instead of the 1s.
```yaml
  GitHubActionsServiceRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"  # quoted so YAML does not parse it as a date
        Statement:
          - Sid: RoleForGitHubActions
            Effect: Allow
            Principal:
              # ARN of the provider above; !Ref GitHubIdentityProvider resolves to the same ARN.
              Federated: arn:aws:iam::111111111111:oidc-provider/token.actions.githubusercontent.com
            Action:
              - sts:AssumeRoleWithWebIdentity
            Condition:
              StringEquals:
                "token.actions.githubusercontent.com:aud": "sts.amazonaws.com"
              StringLike:
                # The sub claim is "repo:<org>/<repo>:<ref, environment or pull_request suffix>",
                # so the pattern needs the trailing ":*" (or an explicit suffix such as
                # ":ref:refs/heads/main") to match any token at all.
                "token.actions.githubusercontent.com:sub": "repo:{YOUR_GITHUB_ORG}/{YOUR_GITHUB_REPO_OR_WILDCARD_FOR_ALL}:*"
      Description: Service Role for use in GitHub Actions
      ManagedPolicyArns:
        - !Ref ManagedPolicyARN  # template Parameter holding the policy ARN
      RoleName: GithubActionsRole
```

- Throw these into a template and get them deployed.
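The two `Condition` blocks are the only thing that scopes who may assume this role, so it is worth checking a candidate `sub` pattern against the claim shape GitHub actually issues before deploying. The following is an added example, not part of the original note: a small emulation of IAM's `StringEquals`/`StringLike` matching (assumed semantics: `*` matches any run of characters, `?` exactly one, everything else literal and case-sensitive) run over constructed `sub` values in GitHub's documented `repo:<org>/<repo>:<suffix>` shape. Function names and the sample organisations and repositories are my own.

```python
import re

# Constructed sample sub claims in the shape GitHub issues: the repo slug is always
# followed by ":ref:...", ":environment:..." or ":pull_request". Not real repositories.
CONSTRUCTED_SUBS = [
    "repo:example-org/example-repo:ref:refs/heads/main",
    "repo:example-org/example-repo:ref:refs/heads/feature-x",
    "repo:example-org/example-repo:environment:prod",
    "repo:example-org/example-repo:pull_request",
    "repo:example-org/other-repo:ref:refs/heads/main",
    "repo:other-org/example-repo:ref:refs/heads/main",
]

# aud that configure-aws-credentials requests; without an explicit audience GitHub
# would issue the repository owner's URL instead and StringEquals would reject it.
EXPECTED_AUD = "sts.amazonaws.com"


def iam_string_like(pattern: str, value: str) -> bool:
    """Emulate the IAM StringLike operator (assumed semantics): '*' matches any run of
    characters, '?' exactly one character, everything else literally and case-sensitively."""
    regex = "".join(
        ".*" if ch == "*" else "." if ch == "?" else re.escape(ch) for ch in pattern
    )
    return re.fullmatch(regex, value, flags=re.S) is not None


def trust_policy_allows(claims: dict, sub_patterns: list[str]) -> bool:
    """Mirror the Condition of the role above: StringEquals on aud, StringLike on sub.
    Several patterns behave like a list under the IAM key: any one matching suffices."""
    if claims.get("aud") != EXPECTED_AUD:
        return False
    sub = claims.get("sub", "")
    return any(iam_string_like(p, sub) for p in sub_patterns)


def accepted_subs(sub_patterns: list[str], subs: list[str] = CONSTRUCTED_SUBS) -> list[str]:
    """Which of the sample tokens a given sub pattern list would let assume the role."""
    return [
        s for s in subs
        if trust_policy_allows({"aud": EXPECTED_AUD, "sub": s}, sub_patterns)
    ]


if __name__ == "__main__":
    candidates = [
        "repo:example-org/example-repo",                      # no suffix: matches nothing
        "repo:example-org/example-repo:*",                    # one repo, any ref/environment
        "repo:example-org/example-repo:ref:refs/heads/main",  # one repo, default branch only
        "repo:example-org/*",                                 # every repo in the org
    ]
    for pat in candidates:
        print(pat)
        for s in accepted_subs([pat]):
            print("   allows", s)
```

The first candidate is what the placeholder in the role reads as if the suffix is left off: it matches no token, and the workflow fails at `AssumeRoleWithWebIdentity`. The last candidate shows the other direction: the wildcard for "all repos" means every repository in that organisation, including ones created later, can obtain this role's credentials, so a per-repository or per-branch pattern is the tighter default.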
- The only thing left is to modify your GitHub workflow to request AWS credentials using the above role ARN. You must grant the `id-token: write` permission in the workflow so the job can request the OIDC token. And once again, replace the 1s with your actual AWS account number and specify the region.
```yaml
jobs:
  deploy:
    runs-on: ubuntu-latest
    permissions:
      id-token: write  # lets the job request the OIDC token
      contents: read   # listing any permission resets the others to none; keep read for checkout
    steps:
      - name: Configure AWS Credentials
        uses: aws-actions/configure-aws-credentials@v3
        with:
          role-to-assume: arn:aws:iam::111111111111:role/GithubActionsRole
          role-session-name: YOUR_SESSION_NAME
          aws-region: YOUR_REGION
```