Leveraging OIDC for Secure GitHub Actions Workflows
In the realm of modern software development, Continuous Integration/Continuous Deployment (CI/CD) strategies play a crucial role in enabling rapid and reliable software delivery. However, the traditional approach of using static credentials for CI/CD automation introduces significant security risks, including the potential for credential leakage. To address these concerns, OpenID Connect (OIDC) offers a more secure and efficient method for authenticating GitHub Actions with AWS services, eliminating the need for long-lived static credentials.
What is OIDC?
OpenID Connect (OIDC) is an authentication protocol built on top of OAuth 2.0 that allows clients to verify the identity of the end-user and to obtain basic profile information. OIDC extends OAuth 2.0 with ID tokens: signed JSON Web Tokens (JWTs) that carry verifiable claims about who the caller is. In CI/CD workflows such a token can be exchanged for short-lived cloud credentials, which is both more secure and more efficient than storing static secrets in the pipeline.
Setting Up OIDC with GitHub Actions and AWS
Step 1: Create an OIDC Identity Provider in AWS
To begin, access the IAM service in your AWS Management Console:
- Navigate to IAM → Identity Providers and click Add Provider.
- Select OpenID Connect as the provider type.
- Set the Provider URL to https://token.actions.githubusercontent.com.
- For the Audience, enter sts.amazonaws.com.
- Confirm and create the identity provider.
Step 2: Create an IAM Role for GitHub Actions
Next, create a new IAM role that GitHub Actions will assume via OIDC:
- Within the IAM dashboard, go to Roles and click Create Role.
- Choose Web identity for the type of trusted entity and select the GitHub OIDC provider you just created.
- Attach policies that grant permissions to perform actions in AWS, such as accessing S3 buckets.
- Configure the trust relationship with the following policy, replacing <account-id>, <github-org>, and <repo-name> with your AWS account ID and GitHub repository details:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::<account-id>:oidc-provider/token.actions.githubusercontent.com"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "token.actions.githubusercontent.com:aud": "sts.amazonaws.com"
        },
        "StringLike": {
          "token.actions.githubusercontent.com:sub": "repo:<github-org>/<repo-name>:*"
        }
      }
    }
  ]
}
Step 3: Configure GitHub Actions Workflow
To integrate this into your GitHub Actions workflow, set up the following in your repository's .github/workflows/deploy.yml file:
name: Deploy to AWS S3
on:
  push:
    branches:
      - main
permissions:
  id-token: write   # required so the job can request the GitHub OIDC token
  contents: read    # actions/checkout only needs to read the repository
jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - name: Set up AWS Credentials
        uses: aws-actions/configure-aws-credentials@v1
        with:
          aws-region: us-east-1
          role-to-assume: arn:aws:iam::<account-id>:role/<role-name>
          role-session-name: GitHubActions
      - name: Deploy to S3
        run: aws s3 sync . s3://<your-s3-bucket> --exclude '.git/*'
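The trust policy in Step 2 is what decides which workflow runs may assume the role the workflow above names in role-to-assume, and it is worth checking before deploying it. The following is an added example, not code from the original post or from AWS or GitHub: it evaluates the policy's StringEquals and StringLike conditions against sample aud and sub claims the way STS would, and shows that the repo:<org>/<repo>:* pattern admits every branch and pull request of the repository while a pattern pinned to refs/heads/main admits only pushes to main. The account ID, organisation, repository names and sub claims are constructed sample values.

```python
import copy
import fnmatch

ISSUER = "token.actions.githubusercontent.com"

# Constructed trust policy: Step 2's policy with made-up placeholder values.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": f"arn:aws:iam::123456789012:oidc-provider/{ISSUER}"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {
            "StringEquals": {f"{ISSUER}:aud": "sts.amazonaws.com"},
            "StringLike": {f"{ISSUER}:sub": "repo:example-org/example-repo:*"},
        },
    }],
}

# Constructed sub claims, in the format GitHub puts in its OIDC tokens.
SAMPLE_SUBJECTS = [
    "repo:example-org/example-repo:ref:refs/heads/main",
    "repo:example-org/example-repo:ref:refs/heads/feature-x",
    "repo:example-org/example-repo:pull_request",
    "repo:example-org/other-repo:ref:refs/heads/main",
]

def condition_allows(condition, claims):
    """Evaluate StringEquals / StringLike over token claims (IAM's * and ? wildcards match fnmatch's)."""
    for operator, tests in condition.items():
        for key, expected in tests.items():
            actual = claims.get(key.split(":", 1)[1])  # "<issuer>:sub" -> "sub"
            patterns = expected if isinstance(expected, list) else [expected]
            if not any(actual == p if operator == "StringEquals"
                       else (actual is not None and fnmatch.fnmatchcase(actual, p)) for p in patterns):
                return False
    return True

def allowed_subjects(policy, subjects, aud="sts.amazonaws.com"):
    """Sub claims (workflow contexts) for which some Allow statement's conditions hold."""
    return [s for s in subjects if any(st["Effect"] == "Allow" and condition_allows(
        st.get("Condition", {}), {"aud": aud, "sub": s}) for st in policy["Statement"])]

def pin_to_branch(policy, branch):
    """Tightened copy of the policy: only pushes to one branch may assume the role."""
    pinned = copy.deepcopy(policy)
    like = pinned["Statement"][0]["Condition"]["StringLike"]
    like[f"{ISSUER}:sub"] = like[f"{ISSUER}:sub"].rsplit(":", 1)[0] + f":ref:refs/heads/{branch}"
    return pinned
```

Running allowed_subjects(TRUST_POLICY, SAMPLE_SUBJECTS) returns the first three subjects, whereas allowed_subjects(pin_to_branch(TRUST_POLICY, "main"), SAMPLE_SUBJECTS) returns only the main-branch push; a token whose aud is anything other than sts.amazonaws.com is rejected in both cases.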
Benefits of Using OIDC for GitHub Actions with AWS
- No Need to Manage Static Credentials: Utilizing OIDC removes the need to store and manage static AWS credentials, reducing the risk of security breaches.
- Simplified Permission Management: Permissions are granted directly through the role associated with each GitHub repository, allowing fine-grained access control.
- Automated Rotation of Credentials: AWS issues temporary credentials for each session and they expire on their own, so there is no long-lived secret to rotate or to leak.
Conclusion
Implementing OIDC for GitHub Actions with AWS not only strengthens the security posture of your CI/CD workflows but also simplifies the management and automation of deployments. By leveraging the built-in capabilities of AWS and GitHub, developers can focus more on building quality software and less on managing infrastructure. I encourage you to adopt OIDC in your workflows to enhance both security and efficiency in your development processes.