
GitHub OIDC

Part of Setup your AWS environment.

Set up GitHub OIDC to let GitHub Actions assume AWS roles for CI/CD without long-lived credentials. Configured via the iam package.

Step 1: Add and configure the iam package

repo-iac/environments/dev/
ok pkg add iam

In package-config.yml, enable GithubIdentityProvider:

iam/package-config.yml
StackName: "iam"
GithubIdentityProvider:
  Enable: true

Only one per account

AWS allows a single OIDC identity provider per issuer URL in an account, so only one environment's iam stack may enable GithubIdentityProvider. If it is already enabled in another environment of the same account, leave it disabled here.

Enabling it a second time makes `terraform apply` fail when it tries to create the duplicate provider.

Step 2: Install and apply the package

iam/
ok pkg install
terraform init
terraform apply

Step 3: Verify

aws iam list-open-id-connect-providers | jq '.OpenIDConnectProviderList[].Arn'

Output should contain a provider with token.actions.githubusercontent.com in the ARN.

Sign in to the AWS console and navigate to IAM. Select Identity Providers.

List should contain provider token.actions.githubusercontent.com.
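The following is an added example, not part of this page or of the iam package. It is an offline Python checker for the two things the verification step is really about: that the GitHub provider exists in the account, and that a role trust policy which uses it is pinned to the `sts.amazonaws.com` audience and to one repository's `sub` claim, since a trust policy without a `sub` condition lets any GitHub repository's workflow assume the role. The account id, ARNs, repository name and policy documents are constructed samples in the shape the AWS CLI returns.

```python
"""Offline checks for a GitHub OIDC provider and the role trust policies that
use it.  Added example: the documents below are constructed to match the shapes
the AWS CLI returns; the account id, ARNs and repository name are made up."""
from __future__ import annotations

import fnmatch
import json

GITHUB_OIDC_HOST = "token.actions.githubusercontent.com"
STS_AUDIENCE = "sts.amazonaws.com"
AUD_KEY = f"{GITHUB_OIDC_HOST}:aud"
SUB_KEY = f"{GITHUB_OIDC_HOST}:sub"
PROVIDER_ARN = f"arn:aws:iam::123456789012:oidc-provider/{GITHUB_OIDC_HOST}"
# A token subject minted for some other repository; used to probe `sub` patterns.
FOREIGN_SUB = "repo:someone-else/other-repo:ref:refs/heads/main"

# Constructed: shape of `aws iam list-open-id-connect-providers` output.
SAMPLE_PROVIDER_LIST = json.dumps({"OpenIDConnectProviderList": [
    {"Arn": "arn:aws:iam::123456789012:oidc-provider/accounts.google.com"},
    {"Arn": PROVIDER_ARN},
]})


def _trust_policy(condition: dict) -> str:
    """Build a constructed trust policy for the GitHub provider with the given Condition."""
    return json.dumps({"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": PROVIDER_ARN},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": condition,
    }]})


# Weak: audience pinned, but no `sub` check, so any GitHub repository's workflow
# can assume the role.
WEAK_TRUST_POLICY = _trust_policy({"StringEquals": {AUD_KEY: STS_AUDIENCE}})
# Scoped: the same policy limited to one repository's main branch.
SCOPED_TRUST_POLICY = _trust_policy({
    "StringEquals": {AUD_KEY: STS_AUDIENCE},
    "StringLike": {SUB_KEY: "repo:example-org/repo-iac:ref:refs/heads/main"},
})


def _as_list(value) -> list:
    return value if isinstance(value, list) else [value]


def find_github_provider(list_json: str) -> str | None:
    """Return the ARN of the GitHub OIDC provider in the account, or None."""
    for entry in json.loads(list_json)["OpenIDConnectProviderList"]:
        if entry["Arn"].endswith(f":oidc-provider/{GITHUB_OIDC_HOST}"):
            return entry["Arn"]
    return None


def matches_foreign_repo(sub_pattern: str) -> bool:
    """True if a StringLike `sub` pattern would also match a foreign repository's
    token.  IAM StringLike wildcards are * and ?, the same as fnmatch."""
    return fnmatch.fnmatchcase(FOREIGN_SUB, sub_pattern)


def sub_pattern_is_scoped(sub_pattern: str, expected_repo: str) -> bool:
    """True if the pattern keeps the literal `repo:<owner>/<repo>:` prefix, so it
    can only match tokens minted for expected_repo."""
    return sub_pattern.startswith(f"repo:{expected_repo}:")


def check_trust_policy(policy_json: str, provider_arn: str, expected_repo: str) -> list[str]:
    """Return findings for a role trust policy; an empty list means the role is
    federated to the provider, audience-pinned to STS and limited to expected_repo."""
    findings: list[str] = []
    stmts = [s for s in _as_list(json.loads(policy_json).get("Statement", []))
             if s.get("Effect") == "Allow"
             and "sts:AssumeRoleWithWebIdentity" in _as_list(s.get("Action", []))]
    if not stmts:
        return ["no Allow statement for sts:AssumeRoleWithWebIdentity"]
    for stmt in stmts:
        federated = _as_list(stmt.get("Principal", {}).get("Federated", []))
        if federated != [provider_arn]:
            findings.append(f"Federated principal {federated} is not the GitHub provider")
        cond = stmt.get("Condition", {})
        aud = _as_list(cond.get("StringEquals", {}).get(AUD_KEY, []))
        if aud != [STS_AUDIENCE]:
            findings.append(f"{AUD_KEY} is {aud}, expected [{STS_AUDIENCE!r}]")
        subs = (_as_list(cond.get("StringEquals", {}).get(SUB_KEY, []))
                + _as_list(cond.get("StringLike", {}).get(SUB_KEY, [])))
        if not subs:
            findings.append(f"no {SUB_KEY} condition: any GitHub repository can assume this role")
        for pattern in subs:
            if matches_foreign_repo(pattern) or not sub_pattern_is_scoped(pattern, expected_repo):
                findings.append(f"{SUB_KEY} pattern {pattern!r} is not limited to {expected_repo}")
    return findings


if __name__ == "__main__":
    print("provider:", find_github_provider(SAMPLE_PROVIDER_LIST))
    for name, policy in (("weak", WEAK_TRUST_POLICY), ("scoped", SCOPED_TRUST_POLICY)):
        print(name, check_trust_policy(policy, PROVIDER_ARN, "example-org/repo-iac") or ["ok"])
```

To run it against a real account, feed `find_github_provider` the output of `aws iam list-open-id-connect-providers` and `check_trust_policy` the `Role.AssumeRolePolicyDocument` returned by `aws iam get-role --role-name <role>`, with the repository the role is meant to serve as `expected_repo`.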


You're done with CI/CD for IaC. We'll revisit CI/CD after setting up the application.

Next step

Set up application common.