When accessing AWS accounts from GitHub Actions, temporary credentials matter. Many teams generate permanent IAM access keys and use them to let GitHub perform operations in AWS, but anyone who obtains those keys can use them from anywhere until they are rotated or revoked.
A better approach is OpenID Connect (OIDC) with temporary credentials. With this approach GitHub presents a short-lived, signed token for each job; AWS validates where the request for credentials comes from (which repository and ref issued the token) before handing out short-lived credentials, and access can be revoked at any time by changing the role's trust policy.
You Should Know:
1. Configure AWS IAM OIDC Provider
aws iam create-open-id-connect-provider \
  --url https://token.actions.githubusercontent.com \
  --client-id-list sts.amazonaws.com \
  --thumbprint-list 6938fd4d98bab03faadb97b34396831e3780aea1
2. Create IAM Role for GitHub Actions
resource "aws_iam_role" "github_actions" {
  name = "GitHubActionsRole"

  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect = "Allow"
        Principal = {
          Federated = "arn:aws:iam::ACCOUNT_ID:oidc-provider/token.actions.githubusercontent.com"
        }
        Action = "sts:AssumeRoleWithWebIdentity"
        Condition = {
          # aud must equal the client ID registered on the OIDC provider
          StringEquals = {
            "token.actions.githubusercontent.com:aud" = "sts.amazonaws.com"
          }
          # sub names the repository and the ref/environment the token was minted for;
          # the trailing wildcard admits any branch, tag, PR or environment of this repo
          StringLike = {
            "token.actions.githubusercontent.com:sub" = "repo:your-org/your-repo:*"
          }
        }
      }
    ]
  })
}
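The Condition block is where the security of this setup lives, so it is worth seeing how IAM actually evaluates it. The following is an added illustration, not code from the original post or from AWS: a small evaluator with IAM's StringEquals/StringLike semantics, run against constructed GitHub token claims for three trust-policy variants (the sub pattern without a wildcard, the repo-wide pattern from step 2, and a branch-pinned one). The claim values and the repository names are constructed samples.

```python
from __future__ import annotations

import re

# Added illustration, not code from the original post: how IAM evaluates the
# Condition block of the trust policy above against the claims in a GitHub OIDC
# token. All claim values below are constructed samples.

ISS = "token.actions.githubusercontent.com"


def string_like(pattern: str, value: str) -> bool:
    """IAM StringLike semantics: case-sensitive, '*' and '?' are wildcards."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value) is not None


def evaluate_condition(condition: dict, claims: dict) -> bool:
    """True only if every StringEquals and StringLike entry matches a claim.

    Keys use the same 'issuer:claim' form as the trust policy. A claim that is
    absent from the token fails the check, as it does in IAM.
    """
    for key, expected in condition.get("StringEquals", {}).items():
        if claims.get(key) != expected:
            return False
    for key, pattern in condition.get("StringLike", {}).items():
        actual = claims.get(key)
        if actual is None or not string_like(pattern, actual):
            return False
    return True


def token_claims(sub: str, aud: str = "sts.amazonaws.com") -> dict:
    """Constructed claim set, keyed the way the policy engine sees it."""
    return {f"{ISS}:aud": aud, f"{ISS}:sub": sub}


# Three trust-policy variants for comparison:
# - NO_WILDCARD: the sub pattern with no '*' (a common copy/paste mistake);
#   it matches no real token, so no workflow can ever assume the role.
# - REPO_WIDE: the pattern from step 2; any branch, tag, PR or environment of
#   the repository may assume the role.
# - MAIN_ONLY: pinned to one branch, the production hardening suggested later.
NO_WILDCARD = {
    "StringEquals": {f"{ISS}:aud": "sts.amazonaws.com"},
    "StringLike": {f"{ISS}:sub": "repo:your-org/your-repo:"},
}
REPO_WIDE = {
    "StringEquals": {f"{ISS}:aud": "sts.amazonaws.com"},
    "StringLike": {f"{ISS}:sub": "repo:your-org/your-repo:*"},
}
MAIN_ONLY = {
    "StringEquals": {
        f"{ISS}:aud": "sts.amazonaws.com",
        f"{ISS}:sub": "repo:your-org/your-repo:ref:refs/heads/main",
    },
}

POLICIES = {"no-wildcard": NO_WILDCARD, "repo-wide": REPO_WIDE, "main-only": MAIN_ONLY}


def decide_all(claims: dict) -> dict[str, bool]:
    """Evaluate one token's claims against every policy variant."""
    return {name: evaluate_condition(cond, claims) for name, cond in POLICIES.items()}


if __name__ == "__main__":
    samples = [
        token_claims("repo:your-org/your-repo:ref:refs/heads/main"),
        token_claims("repo:your-org/your-repo:pull_request"),               # pull_request event
        token_claims("repo:your-org/your-repo-evil:ref:refs/heads/main"),   # lookalike repo name
        token_claims("repo:your-org/your-repo:ref:refs/heads/main", aud="other"),
    ]
    for claims in samples:
        print(claims[f"{ISS}:sub"], claims[f"{ISS}:aud"], decide_all(claims))
```

Two things the run makes visible: the pattern `repo:your-org/your-repo:*` stops at the colon, so a lookalike repository name is rejected, and the repo-wide pattern still admits a `pull_request` token, which is why the branch-pinned variant is the one to use for a role that can deploy.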
3. Attach Policies to the Role
resource "aws_iam_role_policy_attachment" "github_actions" {
  role       = aws_iam_role.github_actions.name
  # AmazonS3FullAccess is a broad managed policy; for production, attach a policy
  # scoped to the buckets and actions the workflow actually needs
  policy_arn = "arn:aws:iam::aws:policy/AmazonS3FullAccess"
}
4. Configure GitHub Actions Workflow
name: AWS Deployment
on: [push]   # trigger is an assumption; the post's own value did not survive extraction
permissions:
  id-token: write   # lets the job request an OIDC token from GitHub
  contents: read
jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - uses: aws-actions/configure-aws-credentials@v1
        with:
          role-to-assume: arn:aws:iam::ACCOUNT_ID:role/GitHubActionsRole
          aws-region: us-east-1
      - run: aws s3 ls
5. Verify the Setup
Run the first command from inside the workflow: it should report the assumed role rather than an IAM user. The second confirms the role exists in the account.
aws sts get-caller-identity
aws iam list-roles --query 'Roles[?RoleName==`GitHubActionsRole`]'
6. Rotate Credentials Automatically
GitHub Actions requests fresh credentials every time the job runs, and the session credentials STS issues typically expire after 1 hour, so there is nothing long-lived to rotate.
7. Audit Trail
aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=AssumeRoleWithWebIdentity
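The lookup above returns every AssumeRoleWithWebIdentity call, and the useful review is to check each one against what the trust policy is supposed to allow. The following is an added example, not code from the original post: it reviews records shaped like the CloudTrailEvent JSON that `aws cloudtrail lookup-events` returns (the token's `sub` claim appears in `userIdentity.userName`) and flags denied calls, unexpected issuers, subjects outside an allowlist, and unexpected role ARNs. The events, repository names and the allowlist are constructed; the account id is the AWS example id from the post's expected output.

```python
from __future__ import annotations

import json
import re

# Added example, not from the original post: review the AssumeRoleWithWebIdentity
# records that the CloudTrail lookup above returns and flag the ones worth a look.
# SAMPLE_EVENTS are constructed to mirror the shape of the CloudTrailEvent JSON
# string in lookup-events output (userIdentity.userName carries the token's sub
# claim); they are not real log data.

GITHUB_ISSUER = "token.actions.githubusercontent.com"
EXPECTED_ROLE = "arn:aws:iam::123456789012:role/GitHubActionsRole"
# Subjects that are supposed to reach the role, with StringLike wildcard rules.
ALLOWED_SUBJECTS = ["repo:your-org/your-repo:ref:refs/heads/main"]


def string_like(pattern: str, value: str) -> bool:
    """IAM StringLike semantics: case-sensitive, '*' and '?' are wildcards."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value) is not None


def review_event(event: dict) -> list[str]:
    """Findings for one AssumeRoleWithWebIdentity record (empty list = clean)."""
    findings = []
    ident = event.get("userIdentity", {})
    params = event.get("requestParameters", {})
    if event.get("errorCode"):
        # A denied call still deserves attention: something tried to use the role.
        findings.append(f"denied: {event['errorCode']}")
    if ident.get("identityProvider") != GITHUB_ISSUER:
        findings.append(f"unexpected issuer: {ident.get('identityProvider')!r}")
    subject = ident.get("userName", "")
    if not any(string_like(p, subject) for p in ALLOWED_SUBJECTS):
        findings.append(f"subject outside allowlist: {subject!r}")
    if params.get("roleArn") != EXPECTED_ROLE:
        findings.append(f"unexpected role: {params.get('roleArn')!r}")
    return findings


def review_events(raw_events: list[str]) -> dict[str, list[str]]:
    """Map eventID -> findings for every flagged AssumeRoleWithWebIdentity event."""
    report = {}
    for raw in raw_events:
        event = json.loads(raw)
        if event.get("eventName") != "AssumeRoleWithWebIdentity":
            continue
        findings = review_event(event)
        if findings:
            report[event["eventID"]] = findings
    return report


def _constructed_event(event_id, sub, role=EXPECTED_ROLE, issuer=GITHUB_ISSUER, error=None):
    """Build one constructed CloudTrail record as the JSON string lookup-events returns."""
    event = {
        "eventVersion": "1.08",
        "eventID": event_id,
        "eventTime": "2024-01-01T00:00:00Z",
        "eventSource": "sts.amazonaws.com",
        "eventName": "AssumeRoleWithWebIdentity",
        "userIdentity": {
            "type": "WebIdentityUser",
            "principalId": f"{issuer}:sts.amazonaws.com:{sub}",
            "userName": sub,
            "identityProvider": issuer,
        },
        "requestParameters": {"roleArn": role, "roleSessionName": "github-actions"},
    }
    if error:
        event["errorCode"] = error
    return json.dumps(event)


SAMPLE_EVENTS = [
    _constructed_event("e1", "repo:your-org/your-repo:ref:refs/heads/main"),
    _constructed_event("e2", "repo:your-org/your-repo:ref:refs/heads/feature-x"),
    _constructed_event("e3", "repo:other-org/fork:ref:refs/heads/main", error="AccessDenied"),
    _constructed_event("e4", "repo:your-org/your-repo:ref:refs/heads/main",
                       role="arn:aws:iam::123456789012:role/AdminRole"),
]

if __name__ == "__main__":
    for event_id, findings in review_events(SAMPLE_EVENTS).items():
        print(event_id, findings)
```

Keeping ALLOWED_SUBJECTS identical to the trust policy's sub condition makes the review a cross-check: a flagged subject that nevertheless succeeded means the deployed policy is looser than the one in version control.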
What Undercode Say:
Implementing OIDC for GitHub Actions and AWS provides significant security advantages over static credentials. The temporary nature of the tokens reduces the attack surface, while the direct integration between GitHub and AWS allows for fine-grained access control. This approach follows the principle of least privilege and enables better audit capabilities through CloudTrail. The Terraform implementation shown here ensures your infrastructure is defined as code and can be version controlled alongside your application code.
For production environments, consider:
- Adding conditions for specific branches
- Implementing session tagging
- Setting up permission boundaries
- Regularly reviewing access patterns
The complete solution combines AWS IAM, GitHub Actions, and Terraform to create a secure, automated pipeline that maintains security while enabling continuous deployment.
Expected Output:
{
  "UserId": "AROAEXAMPLE:github-actions",
  "Account": "123456789012",
  "Arn": "arn:aws:sts::123456789012:assumed-role/GitHubActionsRole/github-actions"
}
Reference: Setting OIDC for GitHub Actions Workflows with AWS Using Terraform
Reported By: Darryl Ruggles – Hackers Feeds