For github-dev-role (the sub condition limits the role to workflow runs that reference the dev environment of your-org/your-repo; the aud condition additionally rejects tokens minted for any audience other than sts.amazonaws.com, which is the audience aws-actions/configure-aws-credentials requests):

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::YOUR-ACCOUNT-ID:oidc-provider/token.actions.githubusercontent.com"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "token.actions.githubusercontent.com:aud": "sts.amazonaws.com"
        },
        "StringLike": {
          "token.actions.githubusercontent.com:sub": "repo:your-org/your-repo:environment:dev"
        }
      }
    }
  ]
}

For github-prod-role (same trust policy, only the environment in the subject differs):
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::YOUR-ACCOUNT-ID:oidc-provider/token.actions.githubusercontent.com"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "token.actions.githubusercontent.com:aud": "sts.amazonaws.com"
        },
        "StringLike": {
          "token.actions.githubusercontent.com:sub": "repo:your-org/your-repo:environment:prod"
        }
      }
    }
  ]
}

GitHub Actions workflow: in your workflow you can then assume the appropriate role as needed. Note that on: [push] triggers both jobs on every push; what gates the production deploy is the protection rules configured on the prod environment (required reviewers, deployment branches), because only a job that references that environment receives a token whose subject ends in environment:prod. Each job needs a runs-on, id-token: write is what lets the job request the OIDC token, and use the current major release of aws-actions/configure-aws-credentials rather than the old v1 tag:
name: Deploy
on: [push]
jobs:
  deploy-dev:
    runs-on: ubuntu-latest
    environment: dev
    permissions:
      id-token: write   # required to request the GitHub OIDC token
      contents: read    # only needed if the job also runs actions/checkout
    steps:
      - uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: arn:aws:iam::YOUR-ACCOUNT-ID:role/github-dev-role
          aws-region: eu-central-1
  deploy-prod:
    runs-on: ubuntu-latest
    environment: prod
    permissions:
      id-token: write
      contents: read
    steps:
      - uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: arn:aws:iam::YOUR-ACCOUNT-ID:role/github-prod-role
          aws-region: eu-central-1
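To see how the two trust policies partition your workflow runs before you deploy them, here is an added example (not code from the original page) that re-implements the IAM StringEquals and StringLike condition operators in Python and evaluates constructed sample token claims against a dev and a prod trust condition. The org, repo and role names are the page's placeholders; the sub values follow the subject formats GitHub documents for environment, pull_request and fork runs; the aud condition pinning the audience to sts.amazonaws.com is an assumption of this example (it is the audience the configure-aws-credentials action requests by default).

```python
"""Offline evaluation of which GitHub Actions OIDC tokens an IAM trust policy accepts.

Added example, not code from the original page. It models the two IAM condition
operators used for GitHub OIDC trust policies (StringEquals, StringLike) and runs
constructed sample claims against a dev and a prod role condition.
"""
import re

ISSUER = "token.actions.githubusercontent.com"


def string_like(pattern: str, value: str) -> bool:
    """IAM StringLike: case-sensitive; '*' matches any run of characters,
    '?' exactly one character; everything else is literal (no character classes)."""
    regex = "".join(
        ".*" if ch == "*" else "." if ch == "?" else re.escape(ch) for ch in pattern
    )
    return re.fullmatch(regex, value) is not None


def string_equals(pattern: str, value: str) -> bool:
    """IAM StringEquals: exact, case-sensitive comparison."""
    return pattern == value


OPERATORS = {"StringEquals": string_equals, "StringLike": string_like}


def condition_allows(condition: dict, claims: dict) -> bool:
    """Evaluate an IAM Condition block against decoded token claims.

    Every operator and every key must match (logical AND); a list of expected
    values for one key is a logical OR. A claim that is absent never matches.
    """
    for operator, keys in condition.items():
        match = OPERATORS[operator]  # KeyError for operators not modelled here
        for key, expected in keys.items():
            claim_name = key.split(":", 1)[1]  # "token.actions.githubusercontent.com:sub" -> "sub"
            actual = claims.get(claim_name)
            candidates = expected if isinstance(expected, list) else [expected]
            if actual is None or not any(match(p, actual) for p in candidates):
                return False
    return True


def trust_condition(environment: str) -> dict:
    """Condition block of a per-environment trust policy for your-org/your-repo.
    The aud check is an assumption of this example (audience requested by
    aws-actions/configure-aws-credentials)."""
    return {
        "StringEquals": {f"{ISSUER}:aud": "sts.amazonaws.com"},
        "StringLike": {f"{ISSUER}:sub": f"repo:your-org/your-repo:environment:{environment}"},
    }


ROLES = {
    "github-dev-role": trust_condition("dev"),
    "github-prod-role": trust_condition("prod"),
}

# Constructed sample claims (decoded token payloads, reduced to the tested fields).
TOKENS = {
    "deploy-dev job": {"aud": "sts.amazonaws.com", "sub": "repo:your-org/your-repo:environment:dev"},
    "deploy-prod job": {"aud": "sts.amazonaws.com", "sub": "repo:your-org/your-repo:environment:prod"},
    "pull_request run (no environment)": {"aud": "sts.amazonaws.com", "sub": "repo:your-org/your-repo:pull_request"},
    "same env name in another repo": {"aud": "sts.amazonaws.com", "sub": "repo:someone-else/your-repo:environment:prod"},
    "prod env, token minted for another audience": {"aud": "https://github.com/your-org", "sub": "repo:your-org/your-repo:environment:prod"},
}


def assumable_roles(claims: dict) -> list:
    """Names of the roles whose trust condition accepts these claims."""
    return [name for name, cond in ROLES.items() if condition_allows(cond, claims)]


def tokens_matching_sub(pattern: str) -> list:
    """Which sample tokens a candidate sub pattern would admit (review wildcards here)."""
    return [name for name, claims in TOKENS.items() if string_like(pattern, claims["sub"])]


if __name__ == "__main__":
    for name, claims in TOKENS.items():
        print(f"{name:45} -> {assumable_roles(claims) or 'denied'}")
    # A wildcard after the repo admits every run type of the repo, including pull_request:
    print("repo:your-org/your-repo:* admits:", tokens_matching_sub("repo:your-org/your-repo:*"))
```

Running it shows that each environment token reaches exactly one role, while a pull_request run, a run from another repository with the same environment name, and a token minted for a different audience reach none. StringLike without a wildcard behaves like StringEquals; a pattern such as environment:dev* would also admit an environment named dev-experimental, and repo:your-org/your-repo:* admits every run type of the repository, which is why the trust policy should name the environment exactly.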