
I am trying to deploy a lambda function through GitHub actions and OIDC on AWS. It was working fine when I hardcoded role-to-assume as a plain string. But this is not an ideal approach for me and I would like to parameterize it. I tried giving the AccountId as a secret and tried using it as an environment variable but it does not work. It gives an error saying Request ARN is invalid

Here is my workflow

name: AWS deploy CI/CD

on:
  push:
    branches: [ main ]

permissions:
  id-token: write
  contents: read

jobs:
  buildAndDeploy:

    runs-on: ubuntu-latest

    strategy:
      matrix:
        node-version: [14.x]
        
    steps:
      - name: Git clone the repository
        uses: actions/checkout@v3
      - name: Set up Node
        uses: actions/setup-node@v3
        with:
          node-version: ${{ matrix.node-version }}
      - run: npm ci
      - name: Run lint
        run: npm run lint
      - name: Build dist
        run: npm run build
      - name: Configure AWS Credentials
        env:
          ACCOUNT_ID: ${{ secrets.AWS_ACCOUNT_ID }}
        uses: aws-actions/configure-aws-credentials@v1
        with:
          aws-region: eu-west-1
          role-to-assume: arn:aws:iam::$ACCOUNT_ID:role/github-actions-role
      - name: Deploy to Lambda
        run: npm run deploy


Can someone tell me what I am doing wrong?

2 Answers


  1. Chosen as BEST ANSWER

    The following worked for me. For those who might run into the same topic, here is the solution. I stopped assigning the secrets to env variables and assigned them directly where necessary.

    name: AWS deploy CI/CD
    
    on:
      push:
        branches: [ main ]
    
    permissions:
      id-token: write
      contents: read
    
    jobs:
      buildAndDeploy:
    
        runs-on: ubuntu-latest
    
        strategy:
          matrix:
            node-version: [14.x]
            
        steps:
          - name: Git clone the repository
            uses: actions/checkout@v3
          - name: Set up Node
            uses: actions/setup-node@v3
            with:
              node-version: ${{ matrix.node-version }}
          - run: npm ci
          - name: Run lint
            run: npm run lint
          - name: Build dist
            run: npm run build
          - name: Configure AWS Credentials
            uses: aws-actions/configure-aws-credentials@v1
            with:
              aws-region: eu-west-1
              role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/github-actions-role
          - name: Deploy to Lambda
            run: npm run deploy -- --param="S3_BUCKET=${{ secrets.S3_BUCKET }}"
    

  2. Have you made sure that your IAM role in AWS has a trust policy associated with the GitHub repo/organization?

    {
        "Version": "2008-10-17",
        "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Federated": "arn:aws:iam::${ACCOUNT_ID}:oidc-provider/token.actions.githubusercontent.com"
            },
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "StringEquals": {
                    "token.actions.githubusercontent.com:aud": "sts.amazonaws.com"
                },
                "StringLike": {
                    "token.actions.githubusercontent.com:sub": "repo:organization_name/repository_name:*"
                }
            }
        }]
    }
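Both answers come down to two checks a defender can script before the first run: is the role ARN handed to the action well-formed (an unexpanded `$ACCOUNT_ID` literal is exactly what produces "Request ARN is invalid"), and do the `aud`/`sub` claims of the GitHub OIDC token satisfy the trust policy's conditions. The following is an added example, not code from either answer; the account number, the claim values and the policy evaluator (single string values, `StringEquals` exact, `StringLike` glob, conditions ANDed) are constructed simplifications of IAM's behaviour.

```python
import fnmatch
import re

# Constructed trust policy with the same shape as the one in answer 2.
# 123456789012 is a placeholder account id, not a real account.
TRUST_POLICY = {
    "Version": "2008-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": "arn:aws:iam::123456789012:oidc-provider/token.actions.githubusercontent.com"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {
            "StringEquals": {"token.actions.githubusercontent.com:aud": "sts.amazonaws.com"},
            "StringLike": {"token.actions.githubusercontent.com:sub": "repo:organization_name/repository_name:*"},
        },
    }],
}

# Account field must be exactly 12 digits; role names may carry a path.
ROLE_ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):role/[\w+=,.@/-]+$")


def role_arn_is_valid(arn: str) -> bool:
    """STS rejects a role ARN whose account field is not 12 digits.
    A literal '$ACCOUNT_ID' left in the string fails this check."""
    return ROLE_ARN_RE.match(arn) is not None


def trust_policy_allows(policy: dict, claims: dict) -> bool:
    """Simplified condition check for AssumeRoleWithWebIdentity: every
    condition in an Allow statement must hold (StringEquals exact,
    StringLike glob). Condition keys are 'issuer:claim'; the claim name
    after the colon is looked up in the decoded token claims."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or stmt["Action"] != "sts:AssumeRoleWithWebIdentity":
            continue
        cond = stmt.get("Condition", {})
        ok = True
        for key, want in cond.get("StringEquals", {}).items():
            ok = ok and claims.get(key.split(":", 1)[1]) == want
        for key, pattern in cond.get("StringLike", {}).items():
            value = str(claims.get(key.split(":", 1)[1], ""))
            ok = ok and fnmatch.fnmatchcase(value, pattern)
        if ok:
            return True
    return False
```

A push to `main` yields a `sub` of the form `repo:<org>/<repo>:ref:refs/heads/main`, which the `repo:organization_name/repository_name:*` pattern accepts, while a token minted for another repository or with a different audience is refused.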