feat: use oicd to authenticate github actions build
williamh890 committed Jun 28, 2024
1 parent 0118dac commit 3fff580
Showing 3 changed files with 78 additions and 13 deletions.
3 changes: 1 addition & 2 deletions .github/workflows/deploy-will.yml
Expand Up @@ -21,5 +21,4 @@ jobs:
application: ${{ vars.APPLICATION }}
cdn-id: ${{ vars.CDN_ID }}
s3-bucket: ${{ vars.S3_BUCKET }}
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
aws-account-id: ${{ secrets.AWS_ACCOUNT_ID }}
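Review bot: With the access-key inputs removed, the composite action now depends on this job's OIDC token, which GitHub only issues when the job (or the workflow) grants `permissions: id-token: write` (plus `contents: read` if checkout is used); the job header sits above the hunk, so if that permission is not already set there, the role-assumption step will fail with an error about being unable to get an ID token. The value is passed from `secrets`, while the sibling values on the lines above come from `vars`; an account ID is configuration rather than a credential, so `vars.AWS_ACCOUNT_ID` would be the consistent home unless the project deliberately hides it. The enclosing `jobs:` block starts outside the hunk.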
21 changes: 10 additions & 11 deletions .github/workflows/search-ui-deploy-composite/action.yml
Expand Up @@ -13,10 +13,7 @@ inputs:
s3-bucket:
required: true
type: string
aws-access-key-id:
required: true
type: string
aws-secret-access-key:
aws-account-id:
required: true
type: string

Expand All @@ -31,20 +28,22 @@ runs:
with:
node-version: 18

- name: Configure AWS credentials from Test account
uses: aws-actions/configure-aws-credentials@v3
with:
role-to-assume: arn:aws:iam::${{ inputs.account-id }}:role/GitHub_Actions_Role
aws-region: us-east-1
- name: Fetch the caller identity
run: |
aws sts get-caller-identity
- name: Install dependencies
shell: bash
run: |
cp src/app/services/envs/env-${{ inputs.maturity }}.ts src/app/services/env.ts
echo "{\"hash\":\"${{ github.sha }}\"}" > src/assets/commit-hash.json
npm install
- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@v4
with:
aws-access-key-id: ${{ inputs.aws-access-key-id }}
aws-secret-access-key: ${{ inputs.aws-secret-access-key }}
aws-region: "us-east-1"

- name: Angular Build
shell: bash
run: |
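Review bot: The new `role-to-assume` line expands `${{ inputs.account-id }}`, but the input declared in the first hunk (and passed by the caller workflow) is `aws-account-id`, so the expression is empty and the ARN becomes `arn:aws:iam:::role/GitHub_Actions_Role`, which the assume-role call rejects; it should read `role-to-assume: arn:aws:iam::${{ inputs.aws-account-id }}:role/GitHub_Actions_Role`. The `Fetch the caller identity` step has a `run:` with no `shell:`, which composite actions require on every run step, so the action fails to load until `shell: bash` is added (or the step is dropped once the setup is verified). The step this replaces was pinned to `configure-aws-credentials@v4` and the new one goes back to `@v3`; v4 handles `role-to-assume` the same way, so the downgrade looks accidental. The step name `Configure AWS credentials from Test account` appears to be copied from the AWS example and does not describe this deployment.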
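--- /dev/null
+++ b/build/github-actions-oidc.yml
@@ -0,0 +1,67 @@
+AWSTemplateFormatVersion: 2010-09-09
+Description: GitHub OIDC for when GitHub wants to communicate with AWS.
+Resources:
+
+# This is the bare-bones role.
+GitHubActionsRole:
+Type: AWS::IAM::Role
+Properties:
+RoleName: GitHub_Actions_Role
+AssumeRolePolicyDocument:
+Version: 2012-10-17
+Statement:
+- Effect: Allow
+Principal:
+Federated: !Sub arn:aws:iam::${AWS::AccountId}:oidc-provider/token.actions.githubusercontent.com
+Action: sts:AssumeRoleWithWebIdentity
+Condition:
+StringLike:
+## THESE ARE CASE SENSITIVE!
+'token.actions.githubusercontent.com:sub': ['repo:asfadmin/Discovery-SearchUI']
+StringEqualsIgnoreCase:
+'token.actions.githubusercontent.com:aud': sts.amazonaws.com
+Policies:
+- PolicyName: OidcSafetyPolicy
+PolicyDocument:
+Version: '2012-10-17'
+Statement:
+- Sid: OidcSafeties
+Effect: Deny
+Action:
+- sts:AssumeRole
+Resource: "*"
+- PolicyName: GitHubActionsDeployPolicy
+PolicyDocument:
+Version: '2012-10-17'
+Statement:
+- Sid: AllowS3SyncActions
+Effect: Allow
+Action:
+- s3:DeleteObject
+- s3:GetBucketLocation
+- s3:GetObject
+- s3:ListBucket
+- s3:PutObject
+Resource:
+- arn:aws:s3:::search-ui-custom-deployments
+- arn:aws:s3:::search-ui-custom-deployments/*
+- PolicyName: CloudfrontInvalidation
+PolicyDocument:
+Version: '2012-10-17'
+Statement:
+- Sid: AllowInvalidations
+Effect: Allow
+Action:
+- cloudfront:CreateInvalidation
+Resource: "*"
+
+
+# This is the OIDC provider hookup itself. This tells AWS to delegate authN GitHub
+GitHubActionsOidcProvider:
+Type: AWS::IAM::OIDCProvider
+Properties:
+ClientIdList:
+- sts.amazonaws.com
+ThumbprintList:
+- 6938fd4d98bab03faadb97b34396831e3780aea1
+Url: https://token.actions.githubusercontent.com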
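Review bot: The `sub` condition value `repo:asfadmin/Discovery-SearchUI` will not match any token GitHub issues, because the `sub` claim always carries a suffix such as `:ref:refs/heads/<branch>`, `:pull_request` or `:environment:<name>`, so every AssumeRoleWithWebIdentity call from the workflow is denied even though `StringLike` is used. Scope it to the branch that deploys, e.g. `'token.actions.githubusercontent.com:sub': 'repo:asfadmin/Discovery-SearchUI:ref:refs/heads/<deploy-branch>'` (placeholder branch name), rather than the broad `:*`, which would let any branch or pull-request job in the repository assume the deploy role. `Federated` is assembled with `!Sub` from a string, so CloudFormation sees no dependency on `GitHubActionsOidcProvider` and can attempt to create the role before the provider exists, which IAM rejects as an invalid principal; `Federated: !Ref GitHubActionsOidcProvider` yields the provider ARN and orders the creation. The trust policy's `Version: 2012-10-17` is unquoted while the three policy documents below quote it; write `Version: '2012-10-17'` so YAML tooling does not read it as a date. Consider also narrowing `cloudfront:CreateInvalidation` from `Resource: "*"` to the distribution ARN, since the caller already knows its CDN id.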
