IAM Role that can be assumed by GitHub workflows
Project description
GitHub IAM Role
An AWS CDK construct which defines an IAM Role that can be assumed by a GitHub Workflow.
Usage
GitHub OIDC Provider
In order to define the IAM Role, you'll first need to create an OIDC provider for GitHub in your account.
These are the settings for the GitHub OIDC provider. You can create the provider
through the AWS IAM console or using the GitHubOidcProvider construct as
demonstrated below:
Settings:
- URL:
https://token.actions.githubusercontent.com - Client IDs:
sigstore - Thumbprints:
a031c46782e6e6c662c2c87c76da9aa62ccabd8e
Or via CDK:
# Example automatically generated without compilation. See https://github.com/aws/jsii/issues/826
from cdk_github_role import GitHubOidcProvider
from aws_cdk.core import App, Stack
app = App()
stack = Stack(app, "GitHubOidcProviderStack")
GitHubOidcProvider(stack, "GitHubOidcProvider")
app.synth()
IAM Roles for Repositories
Then, you can create an IAM role that grants a specific GitHub repository
certain permissions in the account. Use GitHubOidcProvider.forAccount() to
obtain a reference to the singleton provider.
# Example automatically generated without compilation. See https://github.com/aws/jsii/issues/826
from cdk_github_role import GithubRole
# must exist in advance.
provider = GitHubOidcProvider.for_account()
bar_role = GitHubRole(self, "GitHubFooBarRole",
provider=provider,
repository="foo/bar",
role_name="FooBarGitHubRole"
)
goo_role = GitHubRole(self, "GitHubFooGooRole",
provider=provider,
repository="foo/goo",
role_name="GitHubFooGooRole"
)
# now we can grant it permissions. for example:
bucket.grant_read(bar_role)
bucket.grant_write(goo_role)
To assume this role from a GitHub Workflow, add the aws-actions/configure-aws-credentials GitHub action step to your workflow:
- name: Configure AWS Credentials
uses: aws-actions/configure-aws-credentials@9aaa1daa91b40ce855e24cd45fb39b2ca18aeaf1
with:
aws-region: us-east-2
role-to-assume: arn:aws:iam::123456789100:role/FooBarGitHubRole
role-session-name: MySessionName
This step will obtain temporary credentials for this role in your AWS account.
Security
See Security Issues for more information.
License
This project is licensed under the Apache-2.0 License.
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file cdk-github-role-0.0.2.tar.gz.
File metadata
- Download URL: cdk-github-role-0.0.2.tar.gz
- Upload date:
- Size: 33.6 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/3.4.2 importlib_metadata/4.8.1 pkginfo/1.7.1 requests/2.26.0 requests-toolbelt/0.9.1 tqdm/4.62.3 CPython/3.7.3
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
e8e469c2574e7fa75d62533f411a1a98ee9cbab93b50679e9ee89621c5d56a89
|
|
| MD5 |
a0b8dc26450e0bee935c01a21163ecae
|
|
| BLAKE2b-256 |
8f30922b805a3760ceee85a07bb7d77378a5ec6d26efb08384278196cde3f283
|
File details
Details for the file cdk_github_role-0.0.2-py3-none-any.whl.
File metadata
- Download URL: cdk_github_role-0.0.2-py3-none-any.whl
- Upload date:
- Size: 32.7 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/3.4.2 importlib_metadata/4.8.1 pkginfo/1.7.1 requests/2.26.0 requests-toolbelt/0.9.1 tqdm/4.62.3 CPython/3.7.3
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
747b52b8d45f68b2dc7d1e01c3abf53f69ac7c45be75323b9aa4d19e2c9281ff
|
|
| MD5 |
2e79985672f637eda0474ba4e7239877
|
|
| BLAKE2b-256 |
d6b0f80006602edcc1d2b043ce96dc6274d4e56133cb819f2d8915d765535038
|
