grunge-stack icon indicating copy to clipboard operation
grunge-stack copied to clipboard
verified publisher icon remix-run

Do not recommend creating long lived credentials for Github Actions

Open thdxr opened this issue 4 years ago • 4 comments

This is no longer required and I'd love to not see new projects start off using this legacy approach. AWS + Github can auth through OIDC

Article explaining what I'm talking about: https://awsteele.com/blog/2021/09/15/aws-federation-comes-to-github-actions.html

Example cfn

Parameters:
  FullRepoName:
    Type: String
    Default: <full-repo-name>
Resources:
  Role:
    Type: 'AWS::IAM::Role'
    Properties:
      RoleName: github
      ManagedPolicyArns:
        - 'arn:aws:iam::aws:policy/AdministratorAccess'
      AssumeRolePolicyDocument:
        Statement:
          - Effect: Allow
            Action: 'sts:AssumeRoleWithWebIdentity'
            Principal:
              Federated: !Ref GithubOidc
            Condition:
              StringLike:
                'token.actions.githubusercontent.com:sub': !Sub 'repo:${FullRepoName}:*'
  GithubOidc:
    Type: 'AWS::IAM::OIDCProvider'
    Properties:
      Url: 'https://token.actions.githubusercontent.com'
      ThumbprintList:
        - 6938fd4d98bab03faadb97b34396831e3780aea1
      ClientIdList:
        - "sts.amazonaws.com"
Outputs:
  Role:
    Value: !GetAtt Role.Arn

Example step in github

      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@v1
        with:
          role-to-assume: <role>
          aws-region: us-east-1

thdxr avatar Mar 17 '22 20:03 thdxr

That's great! Easier is definitely better :)

cc @tbeseda, could you verify this will work for Arc?

I'd definitely be open to a PR for this if it works well :)

kentcdodds avatar Mar 17 '22 20:03 kentcdodds

I considered a PR but I imagine you'd want to would want to figure out how to do some of this stuff automatically (and should maybe be handled in arc?) so figured I'd leave it up to you all for design

thdxr avatar Mar 17 '22 20:03 thdxr

cc @tbeseda, could you verify this will work for Arc?

Hey, yeah this definitely works 👍 I created a test repo here https://github.com/tbeseda/arc-gha-aws-oidc The deployed app is live here https://b5haybpklc.execute-api.us-west-2.amazonaws.com/ (not Remix, just a Node fn)

Easier is definitely better :)

This approach is great, IMO. but I'm not sure how to express the process to the developer. It involves creating a couple IAM resources; probably easiest to do by deploying a CloudFormation stack (like @thdxr's example above), which can be done from the AWS Console or with the aws CLI. I'll talk to folks on the Arc team to see how this step could be streamlined for a grunge-stack user.

tbeseda avatar Mar 18 '22 16:03 tbeseda

I took the approach of setting up a one-time GitHub actions job in the repo that performs the bootstrapping.

The solution looks something like this.

  1. Create a new project with grunge-stack, the GitHub workflow is already there.
  2. Trigger the workflow manually by entering credentials that have privileges to create OIDC providers.
  3. Use the role to assume the creds in the deploy actions

Source: https://dev.to/simonireilly/secure-aws-cdk-deployments-with-github-actions-3jfk

I've done so with the AWS CDK but that just makes cloudformation under the hood :+1:

simonireilly avatar Apr 10 '22 06:04 simonireilly