GitHub Actions setup

문학적인유사성 · May 19, 2024

뎁옵깃옵쿠베


https://docs.github.com/ko/actions/quickstart

OpenID Connect (OIDC) connection required

  • An identity layer built on top of the OAuth 2.0 framework
  • Used by third-party apps to verify a user's identity and obtain basic profile information
  • When a workflow needs access to AWS, GitHub's OIDC provider issues the job a short-lived JWT; the workflow hands that token to AWS STS (AssumeRoleWithWebIdentity), which returns temporary credentials for the role. No long-lived access keys are stored as repository secrets.

https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services

  1. In IAM, go to Identity providers and choose Add provider
  2. Provider URL: https://token.actions.githubusercontent.com, audience: sts.amazonaws.com
  3. Create a role whose trusted entity is that web identity provider (this role's trust policy is what decides which repository/branch may assume it: pin the `aud` claim to sts.amazonaws.com and the `sub` claim to your repo and ref)
  4. Attach AdministratorAccess, as in the atlantis setup (we're going to run terraform apply...). With permissions this broad, the `sub` condition from step 3 is the only thing stopping an arbitrary GitHub repository from assuming the role.
  5. Configure the aws-actions/configure-aws-credentials step in the workflow

# Sample workflow to access AWS resources when workflow is tied to branch
# The workflow Creates static website using aws s3
name: AWS example workflow
on:
  push
env:
  BUCKET_NAME : "<example-bucket-name>"
  AWS_REGION : "<example-aws-region>"
# permission can be added at job level or workflow level
permissions:
  id-token: write   # This is required for requesting the JWT
  contents: read    # This is required for actions/checkout
jobs:
  S3PackageUpload:
    runs-on: ubuntu-latest
    steps:
      - name: Git clone the repository
        uses: actions/checkout@v4
      - name: configure aws credentials
        uses: aws-actions/configure-aws-credentials@v3
        with:
          role-to-assume: arn:aws:iam::1234567890:role/example-role
          role-session-name: samplerolesession
          aws-region: ${{ env.AWS_REGION }}
      # Upload a file to AWS s3
      - name:  Copy index.html to s3
        run: |
          aws s3 cp ./index.html s3://${{ env.BUCKET_NAME }}/
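Added example (not from the original post, and not GitHub's or AWS's own code): it builds the trust policy for the role from steps 1-4 and runs a simplified version of the STS condition check against constructed GitHub token claims, to show that the `sub` condition, not the attached AdministratorAccess policy, is what keeps other repositories out. The account ID and repository name are assumptions.

```python
"""Added example: GitHub Actions OIDC trust policy and a simplified condition check.
Account ID and repository name below are assumptions, not values from the post."""
import fnmatch
import json
from typing import List, Optional

ACCOUNT_ID = "123456789012"                       # assumed
OIDC_PROVIDER = "token.actions.githubusercontent.com"
REPO = "example-org/example-repo"                 # assumed


def trust_policy(allowed_subs: Optional[List[str]]) -> dict:
    """Trust policy for the role created in step 3.

    Principal is the provider added in step 1, the StringEquals pins the audience
    from step 2, and StringLike pins the `sub` claim to repo/ref patterns. Passing
    None leaves `sub` unconstrained, which lets ANY GitHub repository assume the role.
    """
    conditions = {"StringEquals": {f"{OIDC_PROVIDER}:aud": "sts.amazonaws.com"}}
    if allowed_subs is not None:
        conditions["StringLike"] = {f"{OIDC_PROVIDER}:sub": allowed_subs}
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {
                "Federated": f"arn:aws:iam::{ACCOUNT_ID}:oidc-provider/{OIDC_PROVIDER}"
            },
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": conditions,
        }],
    }


def _matches(operator: str, expected, actual: str) -> bool:
    values = expected if isinstance(expected, list) else [expected]
    if operator == "StringEquals":
        return actual in values
    if operator == "StringLike":
        # IAM StringLike: '*' matches any run of characters, '?' one character, case-sensitive
        return any(fnmatch.fnmatchcase(actual, v) for v in values)
    raise ValueError(f"unsupported operator {operator}")


def would_allow(policy: dict, claims: dict) -> bool:
    """Simplified STS decision: an Allow statement for AssumeRoleWithWebIdentity
    applies only if every condition key matches the token's claims.
    Only StringEquals/StringLike are modelled here."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or stmt["Action"] != "sts:AssumeRoleWithWebIdentity":
            continue
        ok = True
        for operator, keys in stmt.get("Condition", {}).items():
            for key, expected in keys.items():
                claim = key.split(":", 1)[1]          # "token.actions...:sub" -> "sub"
                if claim not in claims or not _matches(operator, expected, claims[claim]):
                    ok = False
        if ok:
            return True
    return False


# Constructed sample claims in the shape GitHub's OIDC token uses.
MAIN_PUSH = {"aud": "sts.amazonaws.com", "sub": f"repo:{REPO}:ref:refs/heads/main"}
PULL_REQUEST = {"aud": "sts.amazonaws.com", "sub": f"repo:{REPO}:pull_request"}
OTHER_REPO = {"aud": "sts.amazonaws.com", "sub": "repo:someone-else/anything:ref:refs/heads/main"}

PINNED = trust_policy([f"repo:{REPO}:ref:refs/heads/main"])   # what step 3 should produce
UNPINNED = trust_policy(None)                                  # audience only: too open

if __name__ == "__main__":
    print(json.dumps(PINNED, indent=2))
    for name, claims in [("main push", MAIN_PUSH), ("pull request", PULL_REQUEST), ("other repo", OTHER_REPO)]:
        print(f"{name:13s} pinned={would_allow(PINNED, claims)} unpinned={would_allow(UNPINNED, claims)}")
```

The pinned policy admits only pushes to main of the named repository; the audience-only policy admits every GitHub repository, which with AdministratorAccess attached is an account takeover waiting for a stranger's workflow. If pull-request runs also need AWS, add `repo:<org>/<repo>:pull_request` to the list rather than a bare `repo:<org>/<repo>:*`, and remember that GitHub only evaluates these claims after `permissions: id-token: write` is granted in the workflow.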