# Authenticating GitHub Actions to AWS using IAM Roles

2026-02-03

admin

We've all been there: creating AWS access keys for authentication, worrying about keeping them safe, and trying to remember to rotate them periodically.

But do we really need to use long-lived access keys for every situation? For GitHub Actions, the answer is no.

In this article, you'll learn how to authenticate a GitHub Actions workflow to AWS using IAM roles and OpenID Connect (OIDC). This approach lets you eliminate access keys and avoid manually rotating them.

## ✅Prerequisites

You need the following:

- An AWS account with sufficient IAM permissions.
- A GitHub repository.

## 🔐Step 1: Create an OpenID Connect Provider in your AWS account

An IAM identity provider (IdP) enables AWS to trust identities that originate outside AWS. In this step, you create an OpenID Connect (OIDC) provider that allows GitHub Actions to request temporary AWS credentials.

- Go to the IAM Console.
- Click Identity Providers in the left navigation menu.
- Click Add Provider and select OpenID Connect as the provider type.
- For Provider URL, enter token.actions.githubusercontent.com.
- For Audience, enter sts.amazonaws.com.
- Click Add provider to create the Identity Provider.

## 🧩Step 2: Create an IAM role

The IAM role defines what GitHub Actions can access in your AWS account. You will also scope the role's trust policy so that only a specific GitHub organisation, repository, and branch can assume the role.

- Select the Identity Provider you just created.
- Click the Assign Role button and choose Create a new role.
- For the Trusted entity type, Web Identity is already pre-selected, and the Identity provider field is populated with the IdP you just created.
- In the Audience list, select sts.amazonaws.com.
- Fill in the GitHub Organisation, Repository, and Branch according to your needs and click Next.
- For the permissions, we will add them after we have created the role, so click Next.
- On the Review page, add the role name GitHub-Actions-Role and optionally add a description.
- Click Create role after reviewing the role details.

## 🔑Step 3: Assign Permissions to the role

For this example, the workflow uploads files to Amazon S3, so the role requires S3 permissions.

- In the dashboard of the newly created role, select Add permissions → Create inline policy.
- Change the view from Visual to JSON.
- Paste the following policy and click Next.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:PutObjectAcl",
        "s3:GetObject"
      ],
      "Resource": "arn:aws:s3:::your-bucket-name/*"
    }
  ]
}
```

Name the policy S3-permissions and click Create policy.

## ⚙️Step 4: Create your GitHub Action

In this step, we will create a GitHub Actions workflow that authenticates to AWS and uploads a file to S3.

Create a file in your repository at .github/workflows/s3-upload.yml:

```yaml
name: Upload File to S3

on:
  push:
    branches: [ main ]

env:
  AWS_REGION: us-east-1 # Change to reflect your Region

jobs:
  upload:
    runs-on: ubuntu-latest

    # This allows the actions to get temporary credentials
    permissions:
      id-token: write
      contents: read

    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@v5
        with:
          role-to-assume: arn:aws:iam::YOUR-ACCOUNT-ID:role/YOUR-ROLE-NAME
          aws-region: ${{ env.AWS_REGION }}

      - name: Upload files to S3
        run: |
          aws s3 cp ./your-file s3://your-bucket-name/
```

## Replace the following values:

- YOUR-ACCOUNT-ID with your AWS Account ID.
- YOUR-ROLE-NAME with the name of the role you created.
- your-file with the file you want to upload.
- your-bucket-name with your S3 bucket name.

## 📌Summary

You have now configured GitHub Actions to authenticate to AWS using an IAM role and OIDC, eliminating the need for long-lived access keys.

## 🛠️Troubleshooting

If the workflow fails, verify the following:

- The IAM role has the required permissions.
- The GitHub organisation, repository, and branch values in the role trust policy are correct.
- The workflow includes the id-token: write permission.
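The Step 2 scoping (organisation, repository, branch) and the second troubleshooting item both come down to the conditions AWS evaluates in the role's trust policy against the claims in the GitHub OIDC token. The following is an added example, not code from the article, that emulates that evaluation locally so you can see why a token from another branch or repository is rejected, and why a wildcard `StringLike` on the `sub` claim is looser than the console's branch-scoped `StringEquals`. The claim names `token.actions.githubusercontent.com:sub` / `:aud` and the `repo:ORG/REPO:ref:refs/heads/BRANCH` subject format are the real ones GitHub and AWS use; the account ID, org, repo, branch and token payloads are constructed sample values, and the token is unsigned (signature verification is AWS's job and is not modelled here).

```python
"""Emulate the IAM trust-policy check for a GitHub Actions OIDC token.

Added example, not the article's code. Claim names and subject format are
the real GitHub/AWS ones; every concrete value below is constructed.
"""
import base64
import fnmatch
import json

# Constructed trust policy in the shape the console generates for
# org "example-org", repo "example-repo", branch "main" (account ID is fake).
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {
            "Federated": "arn:aws:iam::123456789012:oidc-provider/token.actions.githubusercontent.com"
        },
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {
            "StringEquals": {
                "token.actions.githubusercontent.com:aud": "sts.amazonaws.com",
                "token.actions.githubusercontent.com:sub": "repo:example-org/example-repo:ref:refs/heads/main",
            }
        },
    }],
}

# Constructed variant that trusts every repository in the org (a common over-broad scope).
ORG_WIDE_POLICY = json.loads(json.dumps(TRUST_POLICY))
ORG_WIDE_POLICY["Statement"][0]["Condition"] = {
    "StringEquals": {"token.actions.githubusercontent.com:aud": "sts.amazonaws.com"},
    "StringLike": {"token.actions.githubusercontent.com:sub": "repo:example-org/*"},
}


def make_unsigned_token(claims: dict) -> str:
    """Build a constructed, UNSIGNED JWT-shaped string for local testing only."""
    def b64url(obj) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{b64url({'alg': 'none', 'typ': 'JWT'})}.{b64url(claims)}."


def decode_payload(token: str) -> dict:
    """Extract the claims segment of a JWT (no signature verification)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def condition_matches(operator: str, expected, actual: str) -> bool:
    """Evaluate the two IAM string operators a GitHub trust policy typically uses.
    A list of expected values is an OR; StringLike supports * and ? wildcards
    (fnmatch is used as an approximation of IAM's matcher)."""
    values = expected if isinstance(expected, list) else [expected]
    if operator == "StringEquals":
        return actual in values
    if operator == "StringLike":
        return any(fnmatch.fnmatchcase(actual, v) for v in values)
    raise ValueError(f"unsupported operator {operator}")


def evaluate_trust(policy: dict, token: str) -> tuple:
    """Return (allowed, reason) for one token against the trust policy."""
    claims = decode_payload(token)
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow" or stmt.get("Action") != "sts:AssumeRoleWithWebIdentity":
            continue
        # The issuer must be the OIDC provider named in the Principal (Step 1's Provider URL).
        provider_host = stmt["Principal"]["Federated"].rsplit("oidc-provider/", 1)[1]
        if claims.get("iss") != f"https://{provider_host}":
            return False, f"issuer {claims.get('iss')!r} is not the trusted provider {provider_host}"
        for operator, keys in stmt.get("Condition", {}).items():
            for key, expected in keys.items():
                claim = key.split(":", 1)[1]  # "token...:sub" -> "sub"
                actual = claims.get(claim)
                if actual is None or not condition_matches(operator, expected, actual):
                    return False, f"{claim} claim {actual!r} does not satisfy {operator} {expected!r}"
        return True, "all trust-policy conditions satisfied"
    return False, "no Allow statement for sts:AssumeRoleWithWebIdentity"


def token_for(repo: str, ref: str) -> str:
    """Constructed token carrying the claims a GitHub workflow run would present."""
    return make_unsigned_token({
        "iss": "https://token.actions.githubusercontent.com",
        "aud": "sts.amazonaws.com",
        "sub": f"repo:{repo}:ref:{ref}",
        "repository": repo,
        "ref": ref,
    })


if __name__ == "__main__":
    for label, policy, tok in [
        ("main branch, scoped policy", TRUST_POLICY, token_for("example-org/example-repo", "refs/heads/main")),
        ("feature branch, scoped policy", TRUST_POLICY, token_for("example-org/example-repo", "refs/heads/feature")),
        ("other repo, org-wide policy", ORG_WIDE_POLICY, token_for("example-org/other-repo", "refs/heads/main")),
    ]:
        print(label, "->", evaluate_trust(policy, tok))
```

Running it shows the scoped policy accepting only the `main` branch of the named repository, while the org-wide `StringLike` variant also lets any other repository in the organisation assume the role; when a real workflow fails at the `configure-aws-credentials` step, comparing the token's `sub` (repository and ref of the run) against the trust policy's condition value is the first thing to check.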