Create OIDC connection for GitHub Actions to use in AWS
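#!/usr/bin/env bash
#
# Create (or reuse) the GitHub Actions OpenID Connect identity provider in the
# current AWS account, then create an IAM role whose trust policy lets ONLY
# workflows of one GitHub repository assume it via sts:AssumeRoleWithWebIdentity.
#
# Usage: <script> -r <role_name> -o <git_org> -g <git_repo>
#   -r  name of the IAM role to create
#   -o  GitHub organisation or user that owns the repository
#   -g  GitHub repository name (without the "org/" prefix)
#   -h  print usage and exit 0
#
# Requires the aws CLI with credentials allowed to call sts:GetCallerIdentity,
# iam:GetOpenIDConnectProvider, iam:CreateOpenIDConnectProvider and
# iam:CreateRole.
#
# The role is created WITHOUT any permissions policy; attach one afterwards and
# keep it as narrow as the workflow really needs.
set -euo pipefail

readonly GITHUB_OIDC_HOST="token.actions.githubusercontent.com"
readonly STS_AUDIENCE="sts.amazonaws.com"
# The CLI insists on a thumbprint when creating the provider. The original
# author notes AWS ignores it for GitHub Actions (AWS validates the issuer's
# certificate chain itself), so it only has to be present and well-formed.
readonly GITHUB_OIDC_THUMBPRINT="1b511abead59c6ce207077c0bf0e0043b1382612"

# Print a message to stderr and exit 1.
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

usage() {
  printf 'Usage: %s -r <role_name> -o <git_org> -g <git_repo>\n' "$0"
}

ROLE_NAME=""
GIT_ORG=""
GIT_REPO=""
while getopts ":r:o:g:h" opt; do
  case "$opt" in
    r) ROLE_NAME="$OPTARG" ;;
    o) GIT_ORG="$OPTARG" ;;
    g) GIT_REPO="$OPTARG" ;;
    h) usage; exit 0 ;;
    :) die "$0: Must supply an argument to -$OPTARG." ;;
    # An unknown flag is a typo in the caller's command line; don't silently
    # go on and create IAM resources from a command the user did not intend.
    \?) usage >&2; die "Invalid option -$OPTARG" ;;
  esac
done

[[ -n "$ROLE_NAME" ]] || die "Must supply a role name with -r"
[[ -n "$GIT_ORG" ]]   || die "Must supply a git org or user with -o"
[[ -n "$GIT_REPO" ]]  || die "Must supply a git repo with -g"

# The org and repo are interpolated into a StringLike condition below, where
# '*' and '?' are wildcards: "-o '*'" would let ANY GitHub repository assume
# the role. Only accept a conservative allowlist of characters used in GitHub
# account and repository names, which also keeps the JSON below well-formed
# (no quotes, backslashes or whitespace).
[[ "$GIT_ORG" =~ ^[A-Za-z0-9][A-Za-z0-9-]*$ ]] \
  || die "Git org/user '${GIT_ORG}' is not a valid GitHub account name (wildcards are not allowed)"
[[ "$GIT_REPO" =~ ^[A-Za-z0-9._-]+$ ]] \
  || die "Git repo '${GIT_REPO}' is not a valid GitHub repository name (wildcards are not allowed)"

command -v aws >/dev/null 2>&1 || die "aws cli is not installed"

# One STS call yields both the account id and the partition
# (arn:<partition>:sts::<account>:...), so the provider ARN built below is
# also correct outside the standard "aws" partition.
CALLER_ARN=$(aws sts get-caller-identity --query Arn --output text 2>/dev/null) \
  || die "Unable to call sts:GetCallerIdentity -- do you have AWS credentials configured?"
IFS=: read -r _ AWS_PARTITION _ _ AWS_ACCOUNT_ID _ <<<"$CALLER_ARN"
[[ -n "$AWS_PARTITION" && -n "$AWS_ACCOUNT_ID" ]] \
  || die "Unexpected caller ARN '${CALLER_ARN}' -- cannot determine the account id"

PROVIDER_ARN="arn:${AWS_PARTITION}:iam::${AWS_ACCOUNT_ID}:oidc-provider/${GITHUB_OIDC_HOST}"

# Creating the provider a second time fails (EntityAlreadyExists), which would
# abort the script before the role is created; reuse an existing provider.
# NOTE: an existing provider is reused as-is. If it was created without
# sts.amazonaws.com in its client-id list, AssumeRoleWithWebIdentity will be
# rejected -- check it in the IAM console if role assumption fails.
if aws iam get-open-id-connect-provider \
     --open-id-connect-provider-arn "$PROVIDER_ARN" >/dev/null 2>&1; then
  echo "OpenID Connect provider ${PROVIDER_ARN} already exists; reusing it"
else
  echo "Creating an OpenID Connect provider for GitHub Actions in AWS account ${AWS_ACCOUNT_ID}"
  aws iam create-open-id-connect-provider \
    --url "https://${GITHUB_OIDC_HOST}" \
    --thumbprint-list "$GITHUB_OIDC_THUMBPRINT" \
    --client-id-list "$STS_AUDIENCE"
fi

# Trust policy: the audience must be exactly STS, and the token subject must
# come from this one repository. The trailing '*' allows any branch, tag,
# pull request or environment of that repo; tighten it to e.g.
#   repo:ORG/REPO:ref:refs/heads/main   or   repo:ORG/REPO:environment:prod
# if the role should be assumable from fewer places.
ARPD_FILE=$(mktemp) || die "mktemp failed"
trap 'rm -f -- "$ARPD_FILE"' EXIT
cat >"$ARPD_FILE" <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "${PROVIDER_ARN}"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "${GITHUB_OIDC_HOST}:aud": "${STS_AUDIENCE}"
        },
        "StringLike": {
          "${GITHUB_OIDC_HOST}:sub": "repo:${GIT_ORG}/${GIT_REPO}:*"
        }
      }
    }
  ]
}
EOF

echo "Creating IAM role ${ROLE_NAME} with trust policy allowing GitHub Actions to assume it"
echo "Only actions stemming from the ${GIT_ORG}/${GIT_REPO} repo will be allowed to assume this role"
# set -e aborts here if the role already exists or the caller lacks iam:CreateRole.
aws iam create-role \
  --role-name "$ROLE_NAME" \
  --assume-role-policy-document "file://${ARPD_FILE}"

echo "Now create and attach a policy to ${ROLE_NAME} that allows it to do whatever your heart desires"
echo "This is left as an exercise for the reader 🫶"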