Overview

Connecting to your AWS account from GitHub Actions does not require generating an API key; there is a simpler and more secure way to authenticate.

GitHub's docs recommend using OIDC to authenticate from Actions. I highly recommend this method too!

I have seen a ton of articles online where the demonstrated method of connecting from Actions still uses an access key. This is definitely NOT the preferred or secure method of accessing your cloud resources.

Let’s cover how we can quickly and securely set this up for an AWS account.


Add GitHub’s OpenID Connect Provider to AWS

You can do this via the AWS CLI or the AWS Console; the AWS docs cover both.

If you prefer to use the AWS CLI, you can do this by running the following command.

# Register GitHub's token issuer as an OIDC identity provider in the account
aws iam create-open-id-connect-provider \
--url "https://token.actions.githubusercontent.com" \
--thumbprint-list "6938fd4d98bab03faadb97b34396831e3780aea1" \
--client-id-list 'sts.amazonaws.com'

If you prefer to use the AWS Console, you can do this by going to the IAM service and clicking on the OIDC providers tab.

[Screenshot: Add AWS OIDC Provider]

Create an IAM Role for GitHub Actions

Next, we are going to create a role that GitHub Actions will assume to access the AWS account.

[Screenshot: Add AWS Trusted Entity]

Configure Role Name and Description

From here, we add the role name and description to our new role.

[Screenshot: Add the role name and description]

Attach a Permission Policy

Add a permission policy to the role; in this case, we are going to allow the role to invoke a Lambda function.

[Screenshot: Add permission policy to your new role]
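As an added illustration (not the post's own code), here are the two policy documents behind the role created above: the trust policy that lets only GitHub's OIDC provider, and only tokens issued for one repository and branch, assume the role, and the permission policy that allows nothing but invoking the one Lambda function, plus a small check that flags a trust policy which any GitHub repository could satisfy. The account id and organisation/repo are placeholders; the function name is the one used in the workflow.

```python
OIDC_PROVIDER = "token.actions.githubusercontent.com"
ACCOUNT_ID = "123456789012"        # placeholder account id
REPO = "example-org/example-repo"  # placeholder owner/repo
LAMBDA_ARN = "arn:aws:lambda:us-west-2:123456789012:function:sam-app-HelloWorldFunction-bkN2jYKCwIce"


def trust_policy(account_id: str, repo: str, branch: str = "main") -> dict:
    # Trust policy for AssumeRoleWithWebIdentity: only tokens issued by the
    # GitHub provider for this repo and branch may assume the role.
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": f"arn:aws:iam::{account_id}:oidc-provider/{OIDC_PROVIDER}"},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {"StringEquals": {
                f"{OIDC_PROVIDER}:aud": "sts.amazonaws.com",
                f"{OIDC_PROVIDER}:sub": f"repo:{repo}:ref:refs/heads/{branch}",
            }},
        }],
    }


def permission_policy(lambda_arn: str) -> dict:
    # Permission policy: invoke exactly one function, nothing else.
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Action": "lambda:InvokeFunction", "Resource": lambda_arn}]}


def trust_policy_findings(policy: dict) -> list:
    # Audit check: flag statements that a token from another repo could satisfy.
    findings = []
    for i, st in enumerate(policy.get("Statement", [])):
        claims = {}  # condition key -> list of values, across all operators
        for block in st.get("Condition", {}).values():
            for key, val in block.items():
                claims.setdefault(key, []).extend(val if isinstance(val, list) else [val])
        aud = claims.get(f"{OIDC_PROVIDER}:aud", [])
        sub = claims.get(f"{OIDC_PROVIDER}:sub", [])
        if aud != ["sts.amazonaws.com"]:
            findings.append(f"statement {i}: aud is not pinned to sts.amazonaws.com")
        if not sub:
            findings.append(f"statement {i}: no sub condition, any GitHub repo could assume the role")
        elif any("*" in s or "?" in s for s in sub):
            findings.append(f"statement {i}: wildcard in sub condition {sub}")
    return findings
```

A trust policy whose sub condition is `repo:example-org/*` (or is missing) is exactly what the check reports; the one returned by `trust_policy` produces no findings.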

Configure GitHub Repository

Once the IAM role is created with the policy attached, we can move over to our GitHub repository.

Add AWS Role ARN to GitHub Variables

In this example, we set the ARN in the Actions variables section. (This is optional and my personal preference over hardcoding it in the workflow file.)

The variable name that I used here was AWS_ROLE_ARN.

[Screenshot: Add IAM role ARN to GitHub Actions environment variable]

Create the GitHub Actions Workflow

We need to create a YAML workflow file for our GitHub repository. This file goes in the .github/workflows directory.

name: Invoke Lambda via GitHub Actions

on:
  push:
    branches: [ "main" ]
  workflow_dispatch:

jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      id-token: write # required for auth with AWS
      contents: read # required for actions/checkout

    steps:
      - name: Configure AWS Credentials
        uses: aws-actions/configure-aws-credentials@v5.0.0
        with:
          aws-region: us-west-2
          role-to-assume: ${{ vars.AWS_ROLE_ARN }}

      - name: Invoke Lambda on AWS
        env:
          LAMBDA_NAME: "sam-app-HelloWorldFunction-bkN2jYKCwIce"
        run: |
          aws lambda invoke \
            --function-name ${{ env.LAMBDA_NAME }} \
            --no-cli-pager \
            /dev/stdout

Test the Workflow

With the file added to our repository, we can trigger a workflow dispatch to see the results of our new workflow and of the Lambda function invocation authenticated via OIDC.

[Screenshot: GitHub Actions workflow results from workflow dispatch]


Conclusion

I hope you found this helpful and you can now securely connect to your AWS account from GitHub Actions.