When working with tools like GitHub to interact with your AWS account, storing long-lived IAM access keys in your GitHub account is a significant security risk: anyone who obtains the secret can use it until it is rotated. Instead, you can use OpenID Connect (OIDC) to manage access without static keys.
With OIDC, you create an IAM Role in your AWS account and establish a trust relationship specifically for your GitHub organization, repository, or even a single branch. When a workflow needs to perform operations in your AWS account, it presents the short-lived OIDC token GitHub issues to that job, assumes the IAM Role, and receives temporary credentials. This eliminates the need for hardcoded access keys.
If security issues arise, you can simply delete the role in your AWS account, effectively revoking access. The same pattern works with other tools that interact with AWS and can act as OIDC identity providers.
Here’s how to set this up:
1. Create an IAM Role in AWS:
- Navigate to the IAM console.
- Create a new role with only the permissions your GitHub Actions workflow needs.
- Add a trust relationship that names the GitHub OIDC provider (`token.actions.githubusercontent.com`) as the federated principal and restricts the `sub` claim to your repository and branch.
Example trust policy:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::<AWS_ACCOUNT_ID>:oidc-provider/token.actions.githubusercontent.com"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "token.actions.githubusercontent.com:aud": "sts.amazonaws.com",
          "token.actions.githubusercontent.com:sub": "repo:<GITHUB_ORG>/<REPO_NAME>:ref:refs/heads/<BRANCH_NAME>"
        }
      }
    }
  ]
}
```
2. Configure GitHub Actions:
- In your GitHub repository, go to Settings > Secrets and variables > Actions.
- Add a new secret for the AWS role ARN.
- Update your GitHub Actions workflow to use the role.
Example GitHub Actions workflow:

```yaml
name: AWS Deployment
on: [push]
jobs:
  deploy:
    runs-on: ubuntu-latest
    permissions:
      id-token: write
      contents: read
    steps:
      - name: Checkout code
        uses: actions/checkout@v3
      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@v3
        with:
          role-to-assume: ${{ secrets.AWS_ROLE_ARN }}
          aws-region: us-east-1
      - name: Deploy to AWS
        run: |
          aws s3 sync . s3://your-bucket-name
```
3. Test and Verify:
- Push changes to your repository and monitor the GitHub Actions logs to ensure the role is assumed correctly.
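The trust policy in step 1 only protects the role if its `sub` condition is present and narrow: the `aud` check alone is satisfied by a token from any GitHub repository. The script below is an added example, not part of the original post and not AWS or GitHub tooling. It models how IAM's `StringEquals` and `StringLike` operators evaluate the `aud` and `sub` claims of the token a job with `id-token: write` receives, shows which branches and repositories a given policy admits, and flags policies whose `sub` condition is missing or wildcarded. The account ID, organization, repository, branch names and claim sets are constructed placeholders.

```python
import copy
import fnmatch

ISSUER = "token.actions.githubusercontent.com"

# Constructed sample policy mirroring the trust policy in step 1, with
# placeholder account, organization, repository and branch values.
STRICT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": "arn:aws:iam::123456789012:oidc-provider/" + ISSUER},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {"StringEquals": {
            f"{ISSUER}:aud": "sts.amazonaws.com",
            f"{ISSUER}:sub": "repo:example-org/example-repo:ref:refs/heads/main",
        }},
    }],
}

# Same policy with the `sub` condition dropped: the audience check alone does
# not say which repository may assume the role.
OPEN_POLICY = copy.deepcopy(STRICT_POLICY)
del OPEN_POLICY["Statement"][0]["Condition"]["StringEquals"][f"{ISSUER}:sub"]

# Constructed claim sets shaped like the aud/sub pair GitHub places in the
# OIDC token issued to a job that has `id-token: write`.
MAIN_BRANCH_CLAIMS = {"aud": "sts.amazonaws.com",
                      "sub": "repo:example-org/example-repo:ref:refs/heads/main"}
FEATURE_BRANCH_CLAIMS = {"aud": "sts.amazonaws.com",
                         "sub": "repo:example-org/example-repo:ref:refs/heads/feature-x"}
OTHER_REPO_CLAIMS = {"aud": "sts.amazonaws.com",
                     "sub": "repo:someone-else/their-repo:ref:refs/heads/main"}


def _as_list(value):
    """IAM lets a single string stand in for a one-element list."""
    return value if isinstance(value, list) else [value]


def _condition_holds(operator, expected, actual):
    """Evaluate one IAM string operator against a single claim value.
    Only the two operators seen in GitHub trust policies are modelled; IAM's
    StringLike wildcards are `*` and `?`, which fnmatchcase also understands."""
    if actual is None:
        return False  # a condition on a claim the token lacks never matches
    if operator == "StringEquals":
        return actual in expected
    if operator == "StringLike":
        return any(fnmatch.fnmatchcase(actual, pattern) for pattern in expected)
    raise ValueError(f"unsupported condition operator: {operator}")


def statement_allows(statement, claims):
    """True if this statement would let a token carrying `claims` assume the role."""
    if statement.get("Effect") != "Allow":
        return False
    if "sts:AssumeRoleWithWebIdentity" not in _as_list(statement.get("Action", [])):
        return False
    for operator, pairs in statement.get("Condition", {}).items():
        for key, expected in pairs.items():
            # Condition keys are "<issuer>:<claim>"; strip the issuer prefix.
            claim = key[len(ISSUER) + 1:] if key.startswith(ISSUER + ":") else key
            if not _condition_holds(operator, _as_list(expected), claims.get(claim)):
                return False
    return True


def token_matches(policy, claims):
    """True if any statement in the trust policy admits the token."""
    return any(statement_allows(s, claims) for s in policy["Statement"])


def audit_trust_policy(policy):
    """Return human-readable findings for Allow statements that are too broad."""
    findings = []
    for idx, statement in enumerate(policy["Statement"]):
        if statement.get("Effect") != "Allow":
            continue
        conditions = {}
        for operator, pairs in statement.get("Condition", {}).items():
            for key, expected in pairs.items():
                conditions[key] = (operator, _as_list(expected))
        aud = conditions.get(f"{ISSUER}:aud")
        if aud is None or aud[1] != ["sts.amazonaws.com"]:
            findings.append(f"statement {idx}: audience is not pinned to sts.amazonaws.com")
        sub = conditions.get(f"{ISSUER}:sub")
        if sub is None:
            findings.append(f"statement {idx}: no sub condition, so any GitHub "
                            "repository presenting a valid token could assume this role")
        else:
            for pattern in sub[1]:
                if pattern == "*" or pattern.startswith("repo:*"):
                    findings.append(f"statement {idx}: sub pattern {pattern!r} is not "
                                    "scoped to an organization or repository")
    return findings


if __name__ == "__main__":
    for name, claims in [("main branch", MAIN_BRANCH_CLAIMS),
                         ("feature branch", FEATURE_BRANCH_CLAIMS),
                         ("other repository", OTHER_REPO_CLAIMS)]:
        print(f"{name:17} strict={token_matches(STRICT_POLICY, claims)!s:5} "
              f"open={token_matches(OPEN_POLICY, claims)}")
    for finding in audit_trust_policy(OPEN_POLICY):
        print("finding:", finding)
```

Running it shows the strict policy admitting only the `main` branch of the named repository, while the policy without a `sub` condition admits every token, including one from an unrelated repository. Run `audit_trust_policy` over the trust policies exported from your account to catch the same gap before a workflow ever assumes the role.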
What Undercode Say
Using OIDC for AWS access management with GitHub is a game-changer for security and efficiency. By leveraging temporary credentials, you eliminate the risks associated with hardcoding access keys. This approach not only enhances security but also simplifies access revocation.
For Linux and Windows users, integrating AWS CLI commands into your workflows can further streamline operations. For example:
- Linux: Use `aws sts assume-role-with-web-identity` to test role assumptions.
- Windows: Leverage PowerShell to automate AWS tasks with `Invoke-RestMethod` for OIDC token retrieval.
Additionally, consider using tools like Terraform to automate IAM role creation and management. For advanced users, explore AWS CloudTrail to monitor and audit role assumptions.
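Auditing role assumptions in CloudTrail, as suggested above, comes down to one question: did the `sub` that assumed each GitHub-facing role match what its trust policy was meant to allow? The script below is an added example, not from the original post. It walks a batch of records, skips everything that is not a GitHub `AssumeRoleWithWebIdentity` call, and reports denied attempts, assumptions of roles outside an allow-list, and assumptions by an unexpected subject. The sample records are constructed; their field names follow the layout of CloudTrail's `AssumeRoleWithWebIdentity` records as assumed here (the GitHub `sub` appears as `userIdentity.userName`), so confirm them against a real record from your own trail before relying on this check.

```python
ISSUER = "token.actions.githubusercontent.com"
ROLE = "arn:aws:iam::123456789012:role/github-deploy"  # placeholder role ARN

# Allow-list of the GitHub subjects that should ever assume each role. Constructed
# for this example; in practice mirror the sub values in the roles' trust policies.
EXPECTED_SUBJECTS = {
    ROLE: {"repo:example-org/example-repo:ref:refs/heads/main"},
}


def _event(time, subject, role, error=None):
    """Build a constructed record carrying only the fields this check reads.
    Field names are assumed from CloudTrail's AssumeRoleWithWebIdentity layout;
    verify them against a real record before using this on production trails."""
    record = {
        "eventTime": time,
        "eventSource": "sts.amazonaws.com",
        "eventName": "AssumeRoleWithWebIdentity",
        "userIdentity": {"type": "WebIdentityUser", "identityProvider": ISSUER,
                         "userName": subject},
        "requestParameters": {"roleArn": role, "roleSessionName": "GitHubActions"},
    }
    if error:
        record["errorCode"] = error
    return record


SAMPLE_EVENTS = [
    _event("2024-05-01T10:00:00Z", "repo:example-org/example-repo:ref:refs/heads/main", ROLE),
    _event("2024-05-01T10:05:00Z", "repo:example-org/example-repo:ref:refs/heads/feature-x", ROLE),
    _event("2024-05-01T10:07:00Z", "repo:someone-else/their-repo:ref:refs/heads/main", ROLE,
           error="AccessDenied"),
    {"eventTime": "2024-05-01T10:08:00Z", "eventName": "GetCallerIdentity",
     "userIdentity": {"type": "AssumedRole"}},  # unrelated call, skipped
]


def find_suspicious_assumptions(events, expected=EXPECTED_SUBJECTS):
    """Return one finding per GitHub role assumption that was denied, targeted a
    role outside the allow-list, or came from a subject the role does not expect."""
    findings = []
    for ev in events:
        if ev.get("eventName") != "AssumeRoleWithWebIdentity":
            continue
        identity = ev.get("userIdentity", {})
        if identity.get("identityProvider") != ISSUER:
            continue  # other OIDC providers are out of scope here
        role = ev.get("requestParameters", {}).get("roleArn")
        subject = identity.get("userName")
        if "errorCode" in ev:
            reason = f"denied attempt ({ev['errorCode']})"
        elif role not in expected:
            reason = "role not in allow-list"
        elif subject not in expected[role]:
            reason = "unexpected subject"
        else:
            continue  # expected subject on an expected role: nothing to report
        findings.append({"time": ev.get("eventTime"), "role": role,
                         "subject": subject, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_assumptions(SAMPLE_EVENTS):
        print(f"{f['time']}  {f['reason']:30} {f['subject']}")
```

The denied attempt is reported on purpose: a trust policy that rejects a token still tells you that some workflow tried to use the role, which is worth a look even when the control held. Feed the function the records returned by a CloudTrail lookup or an Athena query over your trail, and keep `EXPECTED_SUBJECTS` in step with the `sub` values in your trust policies.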
For more details, refer to the AWS Documentation on OIDC and GitHub Actions Documentation.
By adopting these practices, you can ensure a secure and efficient workflow for your cloud operations.