
Configuring OpenID in AWS for GitHub Actions

Feb 06, 2023

To connect to AWS in my GitHub Actions I previously set secrets within the GitHub secrets feature, using them like this:

env:
  AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_ID }}
  AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_ACCESS_KEY }}

Today, while setting up a new deployment, I thought I would check the docs to see if there was an updated version of aws-actions/configure-aws-credentials@v1. There was not, but there was guidance that you should not use long-lived secrets like those above and should set up OpenID Connect instead.

We recommend using GitHub's OIDC provider to get short-lived credentials needed for your actions. Specifying role-to-assume without providing an aws-access-key-id or a web-identity-token-file will signal to the action that you wish to use the OIDC provider.

Following the above documentation, the action obtains a short-lived OIDC token (a JWT) from GitHub and exchanges it for temporary AWS credentials, so the workflow can use the AWS CLI like so:

- name: Configure AWS credentials & region
  uses: aws-actions/configure-aws-credentials@v1
  with:
    role-to-assume: arn:aws:iam::6492602451:role/github-actions
    aws-region: us-west-2
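As an added example (not code from the post), here is the AWS side of that step: the trust policy the role in role-to-assume needs, built in Python and checked against sample token claims. The account id, org/repo and provider values are assumed placeholders, and token_allowed is a simplified stand-in for IAM's own condition matching.

```python
import fnmatch

# Placeholder values assumed for this example (not taken from the post).
ACCOUNT_ID = "123456789012"
ORG_REPO = "example-org/example-repo"
PROVIDER = "token.actions.githubusercontent.com"


def trust_policy(sub_pattern: str) -> dict:
    """Trust policy for the role named in role-to-assume: aud must be
    sts.amazonaws.com (what configure-aws-credentials requests) and sub must
    match this repository, so tokens minted for other repos cannot assume it."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": f"arn:aws:iam::{ACCOUNT_ID}:oidc-provider/{PROVIDER}"},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "StringEquals": {f"{PROVIDER}:aud": "sts.amazonaws.com"},
                "StringLike": {f"{PROVIDER}:sub": sub_pattern},
            },
        }],
    }


def token_allowed(policy: dict, claims: dict) -> bool:
    """Simplified IAM condition check: StringEquals is exact, StringLike takes
    * and ? wildcards (fnmatch also honours [..], which IAM does not)."""
    cond = policy["Statement"][0]["Condition"]
    for key, expected in cond.get("StringEquals", {}).items():
        if claims.get(key.split(":", 1)[1]) != expected:
            return False
    for key, pattern in cond.get("StringLike", {}).items():
        if not fnmatch.fnmatchcase(claims.get(key.split(":", 1)[1], ""), pattern):
            return False
    return True


# Two policies: pinned to the main branch, or any ref/event of the repository.
MAIN_ONLY = trust_policy(f"repo:{ORG_REPO}:ref:refs/heads/main")
ANY_REF = trust_policy(f"repo:{ORG_REPO}:*")

# Constructed claim subsets in the shape GitHub's OIDC token uses.
MAIN_TOKEN = {"aud": "sts.amazonaws.com", "sub": f"repo:{ORG_REPO}:ref:refs/heads/main"}
PR_TOKEN = {"aud": "sts.amazonaws.com", "sub": f"repo:{ORG_REPO}:pull_request"}
OTHER_REPO = {"aud": "sts.amazonaws.com", "sub": "repo:other-org/other-repo:ref:refs/heads/main"}
WRONG_AUD = {"aud": "https://github.com/example-org", "sub": MAIN_TOKEN["sub"]}
```

The workflow job also needs `permissions: id-token: write` for GitHub to issue the token at all. The sub condition is what stops any other repository on github.com from assuming the role, so keep it as narrow as the deployment allows.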