I am trying to deploy a lambda function through GitHub Actions and OIDC on AWS. It was working fine when I hardcoded role-to-assume as a plain string. But this is not an ideal approach for me and I would like to parameterize it. I tried giving the AccountId as a secret and tried using it as an environment variable, but it does not work. It gives an error saying Request ARN is invalid.
Here is my workflow:

```yaml
name: AWS deploy CI/CD
on:
  push:
    branches: [ main ]
permissions:
  id-token: write
  contents: read
jobs:
  buildAndDeploy:
    runs-on: ubuntu-latest
    strategy:
      matrix:
        node-version: [14.x]
    steps:
      - name: Git clone the repository
        uses: actions/checkout@v3
      - name: Set up Node
        uses: actions/setup-node@v3
        with:
          node-version: ${{ matrix.node-version }}
      - run: npm ci
      - name: Run lint
        run: npm run lint
      - name: Build dist
        run: npm run build
      - name: Configure AWS Credentials
        env:
          ACCOUNT_ID: ${{ secrets.AWS_ACCOUNT_ID }}
        uses: aws-actions/configure-aws-credentials@v1
        with:
          aws-region: eu-west-1
          role-to-assume: arn:aws:iam::$ACCOUNT_ID:role/github-actions-role
      - name: Deploy to Lambda
        run: npm run deploy
```
Can someone tell me what I am doing wrong?
2 Answers
The following worked for me. For the ones who might run into the same topic, here is the solution. I removed the assignment of the secrets to env variables and directly assigned them where necessary.
Have you made sure that your IAM role in AWS has a trust policy associated with the GitHub repo/organization?
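As an added illustration of the first answer (not part of either post), this is the Configure AWS Credentials step from the question with the secret referenced directly in the `with:` value. A `${{ }}` expression is evaluated by the Actions runner before the action receives its inputs, whereas a bare `$ACCOUNT_ID` inside `with:` is never shell-expanded and reaches STS literally, which is why the ARN was rejected. The role name, region and session name are taken from the question or assumed.

```yaml
      - name: Configure AWS Credentials
        uses: aws-actions/configure-aws-credentials@v1
        with:
          aws-region: eu-west-1
          # Expression is substituted by the runner before the action runs;
          # no env-variable indirection is needed (or honoured) here.
          role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/github-actions-role
          # Optional but useful for CloudTrail attribution of the assumed session
          # (name is an assumption for this example).
          role-session-name: github-actions-deploy
```

As the second answer points out, the assumed role must also carry a trust policy that names `token.actions.githubusercontent.com` as the federated principal and restricts the token `sub` claim to the intended repository and branch; without that, AssumeRoleWithWebIdentity fails even with a correct ARN.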