
I am working on syncing my GitHub repo with an S3 bucket and I don't want to pass my AWS credentials as GitHub secrets. I already tried passing my credentials through GitHub secrets and the code works. However, when I try to get GitHub to assume a role to perform the operations, I keep getting errors. Please see the code and images below.

GitHub main.yml

name: Upload Website
on:
  push:
    branches:
    - main

jobs:
  deploy:
    runs-on: ubuntu-latest
    permissions:
      id-token: write
      contents: read

    steps:
      - name: Git checkout
        uses: actions/checkout@v3


      - name: Configure AWS credentials from AWS account
        uses: aws-actions/configure-aws-credentials@v1
        with:
          role-to-assume: ${{ secrets.AWS_ROLE }}
          aws-region: ${{ secrets.AWS_REGION }}
          role-session-name: GitHub-OIDC-frontend
      

      - uses: actions/checkout@master
      - uses: jakejarvis/s3-sync-action@master
        with:
          args: --follow-symlinks --exclude '.git/*' --exclude '.github/*' 
        env:
          AWS_REGION: ${{ secrets.AWS_REGION }}
          AWS_S3_BUCKET: ${{ secrets.AWS_S3_BUCKET }}

      - name: Invalidate CloudFront
        uses: chetan/invalidate-cloudfront-action@v2
        env:
          DISTRIBUTION: ${{ secrets.AWS_CF_DISTRIBUTION_ID }}
          PATHS: "/index.html"
  

AWS ROLE POLICY

{
    "Version": "2008-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Federated": "arn:aws:iam::************:oidc-provider/token.actions.githubusercontent.com"
            },
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "StringEquals": {
                    "token.actions.githubusercontent.com:sub": [
                        "repo:ACCOUNT_ID/REPO_NAME:*",
                        "repo:ACCOUNT_ID/REPO_NAME:*"
                    ],
                    "token.actions.githubusercontent.com:aud": "sts.amazonaws.com"
                }
            }
        }
    ]
}

GITHUB ERROR

Run aws-actions/configure-aws-credentials@v1
  with:
    role-to-assume: ***
    aws-region: ***
    role-session-name: GitHub-OIDC-frontend
    audience: sts.amazonaws.com
  
Error: Not authorized to perform sts:AssumeRoleWithWebIdentity

2 Answers


  1. Did you set the claim_keys via the GitHub REST API?

    If you are using the GitHub CLI, it looks something like this:

    gh api /repos/ACCOUNT_ID/REPO_NAME/actions/oidc/customization/sub --method PUT --input ./body.txt
    

    where body.txt looks like:

    {"use_default":false,"include_claim_keys":["repo"]}
    

    I'm also curious if there is an issue with your token.actions.githubusercontent.com:sub values. Is that star just explicitly allowing any other claims in? You may want (or need) to knock that down to just repo:ACCOUNT_ID/REPO_NAME.
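    The trust policy and the "Not authorized to perform sts:AssumeRoleWithWebIdentity" error in the question, together with the sub-scoping point in this answer, as an added example that is not code from the question, either answer, or AWS/GitHub. It models how IAM evaluates string conditions (StringEquals is an exact comparison; `*` and `?` are wildcards only under StringLike) against the `sub` and `aud` claims of a GitHub token, using the question's ACCOUNT_ID/REPO_NAME placeholders and a constructed account id. The shape of the `sub` claim after `include_claim_keys: ["repo"]` (`repo:OWNER/REPO`) is an assumption stated in the code.

```python
"""Added example: simulate the Condition block of a GitHub OIDC trust policy
with IAM's matching rules and lint it for the settings that either break the
role assumption or leave it open to any repository."""
import copy
import re

ISSUER = "token.actions.githubusercontent.com"
SUB_KEY = f"{ISSUER}:sub"
AUD_KEY = f"{ISSUER}:aud"

# Constructed sample, modelled on the question's trust policy; the account id
# and repository are placeholders, not real values.
TRUST_POLICY = {
    "Version": "2008-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": f"arn:aws:iam::123456789012:oidc-provider/{ISSUER}"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {"StringEquals": {
            SUB_KEY: ["repo:ACCOUNT_ID/REPO_NAME:*"],
            AUD_KEY: "sts.amazonaws.com",
        }},
    }],
}


def string_like(pattern, value):
    """IAM StringLike: '*' matches any run of characters, '?' exactly one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None


def string_match(operator, pattern, value):
    if operator == "StringEquals":
        return pattern == value  # exact comparison: a '*' here is just a character
    if operator == "StringLike":
        return string_like(pattern, value)
    raise ValueError(f"operator {operator} not modelled here")


def _as_list(patterns):
    return [patterns] if isinstance(patterns, str) else list(patterns or [])


def condition_allows(condition, claims):
    """Every condition key must be satisfied; a list of values for one key is OR-ed."""
    for operator, keys in condition.items():
        for key, patterns in keys.items():
            value = claims.get(key.split(":", 1)[1])  # "<issuer>:sub" -> claim "sub"
            if value is None or not any(string_match(operator, p, value) for p in _as_list(patterns)):
                return False
    return True


def assume_role_with_web_identity(policy, claims):
    """Simulate the trust evaluation STS performs; returns (allowed, reason)."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") == "Allow" and stmt.get("Action") == "sts:AssumeRoleWithWebIdentity":
            if condition_allows(stmt.get("Condition", {}), claims):
                return True, "allowed"
    return False, "Not authorized to perform sts:AssumeRoleWithWebIdentity"


def lint_trust_policy(policy):
    """Flag conditions that commonly break or over-broaden GitHub OIDC trust."""
    findings = []
    for stmt in policy["Statement"]:
        cond = stmt.get("Condition", {})
        present = {k for ops in cond.values() for k in ops}
        if AUD_KEY not in present:
            findings.append("missing aud condition: tokens minted for any audience are accepted")
        if SUB_KEY not in present:
            findings.append("missing sub condition: any GitHub repository can assume the role")
        for p in _as_list(cond.get("StringEquals", {}).get(SUB_KEY)):
            if "*" in p or "?" in p:
                findings.append(f"StringEquals sub {p!r} contains a wildcard and can never match; use StringLike")
        for p in _as_list(cond.get("StringLike", {}).get(SUB_KEY)):
            if p == "*" or p.startswith("repo:*"):
                findings.append(f"StringLike sub {p!r} is satisfied by any repository")
    return findings


def with_string_like_sub(policy):
    """Return a copy in which the sub patterns are evaluated with StringLike."""
    fixed = copy.deepcopy(policy)
    for stmt in fixed["Statement"]:
        cond = stmt.get("Condition", {})
        sub = cond.get("StringEquals", {}).pop(SUB_KEY, None)
        if sub is not None:
            cond.setdefault("StringLike", {})[SUB_KEY] = sub
    return fixed


# Default sub for a push to main. With include_claim_keys=["repo"] (answer 1)
# this example assumes the sub shrinks to "repo:OWNER/REPO".
BRANCH_PUSH_CLAIMS = {"sub": "repo:ACCOUNT_ID/REPO_NAME:ref:refs/heads/main", "aud": "sts.amazonaws.com"}
REPO_ONLY_CLAIMS = {"sub": "repo:ACCOUNT_ID/REPO_NAME", "aud": "sts.amazonaws.com"}

if __name__ == "__main__":
    for finding in lint_trust_policy(TRUST_POLICY):
        print("lint:", finding)
    print(assume_role_with_web_identity(TRUST_POLICY, BRANCH_PUSH_CLAIMS))
    print(assume_role_with_web_identity(with_string_like_sub(TRUST_POLICY), BRANCH_PUSH_CLAIMS))
```

    Run stand-alone, the linter reports the wildcard under StringEquals, the original policy denies the branch-push token, and the StringLike copy allows it. Keeping the `aud` check on `sts.amazonaws.com` and the `sub` pattern pinned to one repository (or one repository plus one branch or environment) is what stops any other GitHub workflow from assuming the role.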

  2. Why not create a user? Here is a solution similar to the problem described.

    # Workflow name
    name: S3 Deploy
    
    on:
      workflow_dispatch:
      push:
        paths:
          - 'app/**'
          - '.github/workflows/deploy.yml'
    
    
    jobs:
      build-and-deploy:
        runs-on: ubuntu-latest
        env:
          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          AWS_DEFAULT_REGION: sa-east-1
          BUCKET_NAME: caiogomes.me
        steps:
            - name: Install hugo
              run: sudo apt install hugo
    
            - name: Install aws cli
              id: install-aws-cli
              uses: unfor19/install-aws-cli-action@v1
              with:
                version: 2
                verbose: false
                arch: amd64
                rootdir: ""
                workdir: "" 
    
            - name: Set AWS credentials
              run: export AWS_ACCESS_KEY_ID=${{ secrets.AWS_ACCESS_KEY_ID }} && export AWS_SECRET_ACCESS_KEY=${{ secrets.AWS_SECRET_ACCESS_KEY }}
    
            - name: Checkout repository
              uses: actions/checkout@v3
              with:
                submodules: 'true'
    
            - name: Build
              run: cd app/ && hugo
    
            - name: Upload files to S3
              run: aws s3 sync app/public/ s3://${{ env.BUCKET_NAME }}/ --exact-timestamps --delete
    
      create-cloudfront-invalidation:
        needs: build-and-deploy
        runs-on: ubuntu-latest
        env:
          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          AWS_DEFAULT_REGION: sa-east-1
          CLOUDFRONT_DISTRIBUTION_ID: ${{ secrets.CLOUDFRONT_DISTRIBUTION_ID }}
        steps:
          - name: Install aws cli
            id: install-aws-cli
            uses: unfor19/install-aws-cli-action@v1
            with:
              version: 2
              verbose: false
              arch: amd64
              rootdir: ""
              workdir: "" 
    
          - name: Set AWS credentials
            run: export AWS_ACCESS_KEY_ID=${{ secrets.AWS_ACCESS_KEY_ID }} && export AWS_SECRET_ACCESS_KEY=${{ secrets.AWS_SECRET_ACCESS_KEY }}
    
          - name: Invalidate cloudfront distribution
            run: aws cloudfront create-invalidation --distribution-id ${{ secrets.CLOUDFRONT_DISTRIBUTION_ID }} --paths "/*"
    

    Here is the repo: https://github.com/caiocsgomes/caiogomes.me
