I have 2 repositories, each with a GitHub CDK stack deploying to the same AWS account, and both repositories use the same OpenID Connect provider URL (https://token.actions.githubusercontent.com).
Is it not possible because the OpenID Connect provider URL needs to be unique?
Is there any workaround?
I tried changing the id of the provider, the id of the stack and the role, but I always get the same error.
    import { GithubActionsIdentityProvider, GithubActionsRole } from 'aws-cdk-github-oidc';
    import * as cdk from 'aws-cdk-lib';
    import * as iam from 'aws-cdk-lib/aws-iam';

    export interface GITHUB_STACK_CONFIG {
      owner: string;
      repo: string;
      stage: string;
      policy?: iam.IManagedPolicy;
    }

    export class GithubStack extends cdk.Stack {
      constructor(scope: cdk.App, id: string, props: cdk.StackProps & GITHUB_STACK_CONFIG) {
        super(scope, id, props);
        const { owner, repo, stage } = props;
        let { policy } = props;
        // Falls back to AdministratorAccess when no policy is supplied.
        if (!policy) {
          policy = iam.ManagedPolicy.fromAwsManagedPolicyName('AdministratorAccess');
        }

        // Creates the account-level OIDC provider for token.actions.githubusercontent.com.
        const provider = new GithubActionsIdentityProvider(this, 'GithubProviderWeb');

        // Role that GitHub Actions assumes; trust is limited to this owner/repo
        // and to the branch matched by the filter.
        const deployRole = new GithubActionsRole(this, 'DeployRole2', {
          provider,
          owner,
          repo,
          filter: `ref:refs/heads/env/${stage}`,
          roleName: 'IAC-2-DeployRole',
          description: 'This role is used by Github to Deploy into this account',
          maxSessionDuration: cdk.Duration.hours(2),
        });
        deployRole.addManagedPolicy(policy);
      }
    }
2 Answers
I found a workaround: in the stack I provide the two deployRoles, and then I copied the same stack into my other repository. Let me know if there is a better solution.
You can only create the provider once per account. So only one stack should create the provider. All other stacks should reference the existing provider using the fromAccount method. The id provided does not matter; they can be the same or different — ids are basically only relevant within each stack. Different stacks can use the same ids without issue.
What you might want to do is have an independent stack for your identity providers in the account. Then all of your other various repositories can just use the fromAccount method.
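To make the "one provider, many roles" model concrete, here is an added example (plain TypeScript, not code from the question or from aws-cdk-github-oidc) that builds the trust policy each repository's deploy role ends up with and checks which GitHub token claims it admits. It assumes the provider ARN format arn:aws:iam::ACCOUNT:oidc-provider/token.actions.githubusercontent.com, the GitHub sub claim format repo:OWNER/REPO:ref:refs/heads/BRANCH, and the audience sts.amazonaws.com; the account id is a constructed placeholder.

```typescript
// Added example: the single account-level OIDC provider is referenced by ARN
// from every role, while each role's sub condition isolates one repository.
const GITHUB_OIDC_HOST = "token.actions.githubusercontent.com";

// There is exactly one provider per account for this URL, so its ARN is the
// only thing a second repository's stack needs (what fromAccount resolves).
function providerArn(accountId: string): string {
  return `arn:aws:iam::${accountId}:oidc-provider/${GITHUB_OIDC_HOST}`;
}

interface RepoTrust { owner: string; repo: string; filter: string; }

// Trust policy for one deploy role. The filter is the same string the
// question passes (e.g. "ref:refs/heads/env/prod"); IAM StringLike allows *.
function trustPolicy(accountId: string, t: RepoTrust) {
  return {
    Version: "2012-10-17",
    Statement: [{
      Effect: "Allow",
      Principal: { Federated: providerArn(accountId) },
      Action: "sts:AssumeRoleWithWebIdentity",
      Condition: {
        StringEquals: { [`${GITHUB_OIDC_HOST}:aud`]: "sts.amazonaws.com" },
        StringLike: { [`${GITHUB_OIDC_HOST}:sub`]: `repo:${t.owner}/${t.repo}:${t.filter}` },
      },
    }],
  };
}

// Does a token carrying these claims satisfy the role's conditions?
// Mirrors IAM's StringEquals/StringLike evaluation (glob * -> regex .*).
function wouldAssume(policy: ReturnType<typeof trustPolicy>,
                     claims: { sub: string; aud: string }): boolean {
  const cond = policy.Statement[0].Condition;
  const aud = cond.StringEquals[`${GITHUB_OIDC_HOST}:aud`];
  const subPattern = cond.StringLike[`${GITHUB_OIDC_HOST}:sub`];
  const escaped = subPattern.split("*")
    .map(s => s.replace(/[.+?^${}()|[\]\\]/g, "\\$&"))
    .join(".*");
  const re = new RegExp("^" + escaped + "$");
  return claims.aud === aud && re.test(claims.sub);
}
```

Both roles in the assertions below share the same Federated ARN, which is why a second provider is neither needed nor allowed; only the sub pattern differs per repository.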