
What is the best IAM setup for GitHub (GitHub Actions) for CI/CD?

0

How would I set up GitHub Actions (CI/CD) to access AWS (best or recommended secure approach)?

Technical areas of expertise

  • IAM
  • CI/CD with GitHub Actions (access an AWS account)

I would like to know if there is any documentation that I can access on the proper or recommended way to set up GitHub Actions so that it can access my AWS account.

Should I set up a user with a generated keypair (.pem or SSH key pair),

or should I set up a role, apply a policy to the role, and somehow have GitHub Actions assume that role?


What is the best recommended approach for a system like GitHub (GitHub CI/CD Actions) accessing AWS resources, such as pushing a Docker image to AWS ECR?

For my CI/CD, the only thing I need to do is push a Docker container to AWS ECR and then test some API endpoints via Python HTTP GET / POST to make sure deployment of the container was successfully started.

4 Answers
0

The following blog post is in Japanese, but it shows a setup that creates an IAM role.
https://dev.classmethod.jp/articles/github-actions-aws-sts-credentials-iamrole/
Basically, if you need access to AWS resources, it is better to use temporary credentials (e.g., IAM roles).

EXPERT
answered 2 years ago
  • Thank you very much. I cannot read Japanese, but will see if Google Translate can translate the page. It refers to OIDC, which I have seen before but know little about. I will search on that as well.

0

Hi DevLocalCA,

I would look into this guide: https://aws.amazon.com/blogs/containers/create-a-ci-cd-pipeline-for-amazon-ecs-with-github-actions-and-aws-codebuild-tests/.

It uses GitHub as a source code repository and GitHub Actions to build a complete CI/CD pipeline for applications deployed on Amazon ECS, leveraging GitHub Actions such as github.com/aws-actions/configure-aws-credentials and github.com/aws-actions/amazon-ecr-login.

Hope it helps you ;)

EXPERT
answered 2 years ago
0

I've created two GH repos to support this and a related blog post linked in the second repo.

The first repo has the CloudFormation to deploy an OIDC IAM Role and IDP Pair to support authentication. https://github.com/rwickit/aws-github-cicd

The second has the blog and Action examples to support deployment of AWS resources using Actions in both CloudFormation and Terraform. https://github.com/rosswickman/aws-automation-workflows

answered 2 years ago
0

I recently created a YouTube video (on channel: learn4tarakki) talking about the best practice for setting up GitHub Actions to access AWS. We set up GitHub Actions with the GitHub OIDC Provider, added the GitHub Identity Provider in AWS, and created an assume role in AWS with trust and permission policies.

Key takeaways and queries it answers:

☛ What GitHub Actions is and how to create a workflow from scratch.
☛ How to write a GitHub Actions workflow to deploy a React app on AWS.
☛ What the recommended way is for GitHub Actions to access AWS.
☛ How to avoid storing long-lived AWS credentials in GitHub secrets.
☛ Why we need the GitHub OIDC Provider (#oidc).
☛ How to add a new Identity Provider in AWS.
☛ What an AWS assume role, trust policy and permission policy are, and how to create one in simple steps.
☛ Also includes the latest update by GitHub in June 2023 for configuring thumbprints for the Identity Provider in AWS.

https://www.youtube.com/watch?v=3Czf9vzZ0jI

answered a year ago
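
The OIDC identity provider and assume-role setup described in the answers above depends on the role's trust policy being scoped to one repository. The following is an added example, not code from any of the answers or the linked repositories: it builds such a trust policy and audits one for missing or wildcard conditions. The account ID, organization and repository names are constructed placeholders, the policy's `Statement` is assumed to be a list, and the audit rules are this example's own.

```python
import json

GITHUB_OIDC_HOST = "token.actions.githubusercontent.com"

def build_trust_policy(account_id, owner, repo, branch="main"):
    """Trust policy that lets one repo/branch assume the role via GitHub OIDC."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated":
                f"arn:aws:iam::{account_id}:oidc-provider/{GITHUB_OIDC_HOST}"},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {"StringEquals": {
                f"{GITHUB_OIDC_HOST}:aud": "sts.amazonaws.com",
                f"{GITHUB_OIDC_HOST}:sub": f"repo:{owner}/{repo}:ref:refs/heads/{branch}",
            }},
        }],
    }

def audit_trust_policy(policy):
    """Return findings for GitHub OIDC statements that trust too broadly."""
    findings = []
    for stmt in policy.get("Statement", []):
        principal = stmt.get("Principal")
        federated = str(principal.get("Federated", "")) if isinstance(principal, dict) else ""
        if stmt.get("Effect") != "Allow" or GITHUB_OIDC_HOST not in federated:
            continue
        # Only StringEquals/StringLike are read; other operators are ignored,
        # so a policy relying on them is reported rather than silently passed.
        conds = {}
        for op in ("StringEquals", "StringLike"):
            for key, value in stmt.get("Condition", {}).get(op, {}).items():
                conds.setdefault(key.lower(), []).extend(
                    value if isinstance(value, list) else [value])
        subs = conds.get(f"{GITHUB_OIDC_HOST}:sub", [])
        if not subs:
            findings.append("no sub condition: role is not tied to a repository")
        for sub in subs:
            parts = sub.split(":")
            if len(parts) < 2 or parts[0] != "repo" or "*" in parts[1]:
                findings.append(f"sub '{sub}' is not pinned to one owner/repo")
        if "sts.amazonaws.com" not in conds.get(f"{GITHUB_OIDC_HOST}:aud", []):
            findings.append("aud is not restricted to sts.amazonaws.com")
    return findings

if __name__ == "__main__":
    # Constructed sample: placeholder account ID and repository names.
    policy = build_trust_policy("111122223333", "example-org", "example-repo")
    print(json.dumps(policy, indent=2), audit_trust_policy(policy))
```

A role whose trust policy passes this audit still needs a separate permission policy limited to what the pipeline does, for example pushing to a single ECR repository.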
