Skip to content

Jareechang/github-oidc-example-granular-permissions

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

2 Commits
.github/workflows
.github/workflows
 
 
images
images
 
 
.editorconfig
.editorconfig
 
 
.gitignore
.gitignore
 
 
README.md
README.md
 
 
index.html
index.html
 
 
main.tf
main.tf
 
 
output.tf
output.tf
 
 
variables.tf
variables.tf
 
 

Repository files navigation

Github OpenID connect with AWS (Granular permissions)

This is an example of Github Actions deployment to AWS with OpenID connect (OIDC) using terraform.

Building on our example. We address a few problems related to permissions where it works for all workflows (pull requests, all branches and forks).

We want more granularity, which is what we are doing here.

Changes

So, there are a few things we need to change:

  • Create Separate the IAM roles (one for pull request, and deployment)
  • Update our Subject filter and the condition operators
  • Separate github actions workflows (pull request and deployment)

Separate roles

Deployment (write only)

Deployment role

Pull request (read only)

Pull request role

Full Tutorial

Full article available at jerrychang.ca - Security harden Github Action deployments to AWS with OIDC

About

Github OpenID Connect with granular permissions

Topics

aws terraform aws-s3 iam oidc iam-role authetication githubactions

Resources

Readme
Activity

Stars

0 stars

Watchers

3 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

 
 
 

Languages