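---
AWSTemplateFormatVersion: "2010-09-09"
Description: Github Actions configuration - OIDC IAM IdP and associated role CI/CD

# The parameters below decide which GitHub identities may assume the role.
# RepositoryName and BranchName default to "*", so the trust policy is only as
# tight as the values supplied at deploy time; narrow them for anything beyond
# an example stack.
Parameters:
  GitHubOrganization:
    Type: String
    Description: This is the root organization or personal account where repos are stored (Case Sensitive)
  RepositoryName:
    Type: String
    Description: The repo(s) these roles will have access to. (Use * for all org or personal repos)
    Default: "*"
  BranchName:
    Type: String
    Description: Name of the git branch to to trust. (Use * for all branches)
    Default: "*"
  RoleName:
    Type: String
    Description: Name the Role
  UseExistingProvider:
    Type: String
    Description: "Only one GitHub Provider can exists. Choose yes if one is already present in account"
    # "yes"/"no" are quoted throughout so a YAML 1.1 loader cannot turn them into booleans.
    Default: "no"
    AllowedValues:
      - "yes"
      - "no"

Conditions:
  # True when the template must create the account-wide GitHub OIDC provider itself.
  CreateProvider: !Equals ["no", !Ref UseExistingProvider]

Resources:
  IdpGitHubOidc:
    Type: AWS::IAM::OIDCProvider
    Condition: CreateProvider
    Properties:
      Url: https://token.actions.githubusercontent.com
      # Audiences the provider accepts. The second entry is the older per-repository
      # audience form; with RepositoryName "*" it is the literal "https://github.com/<org>/*".
      ClientIdList:
        - sts.amazonaws.com
        - !Sub https://github.com/${GitHubOrganization}/${RepositoryName}
      # NOTE(review): IAM validates token.actions.githubusercontent.com against its own
      # trusted CA list and no longer relies on this thumbprint, but the property is still
      # required by the resource type — confirm against current AWS docs before changing.
      ThumbprintList:
        - 6938fd4d98bab03faadb97b34396831e3780aea1
      Tags:
        - Key: Name
          Value: !Sub ${RoleName}-OIDC-Provider

  RoleGithubActions:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Ref RoleName
      AssumeRolePolicyDocument:
        # Explicit policy-language version; without it IAM falls back to 2008-10-17.
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Action: sts:AssumeRoleWithWebIdentity
            Principal:
              # Either the provider created above or the pre-existing one in this account.
              Federated: !If
                - CreateProvider
                - !Ref IdpGitHubOidc
                - !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:oidc-provider/token.actions.githubusercontent.com
            Condition:
              # Pin the token audience in the role itself. When UseExistingProvider is
              # "yes" the provider's ClientIdList is outside this template's control, so
              # the trust policy must not depend on it. The list mirrors ClientIdList above.
              StringEquals:
                token.actions.githubusercontent.com:aud:
                  - sts.amazonaws.com
                  - !Sub https://github.com/${GitHubOrganization}/${RepositoryName}
              # Only branch refs (refs/heads/...) match this subject pattern; tag pushes,
              # pull_request and environment-based runs carry a differently shaped "sub"
              # claim and are rejected unless the pattern is extended deliberately.
              StringLike:
                token.actions.githubusercontent.com:sub: !Sub repo:${GitHubOrganization}/${RepositoryName}:ref:refs/heads/${BranchName}
      ManagedPolicyArns:
        ## edit the managed policy to give least privileges
        # AdministratorAccess is an example placeholder: every workflow run matching the
        # trust policy above receives full account rights. Replace it with a policy scoped
        # to the resources the pipeline actually touches before real use.
        - !Sub arn:${AWS::Partition}:iam::aws:policy/AdministratorAccess

Outputs:
  IdpGitHubOidc:
    Condition: CreateProvider
    Description: "ARN of Github OIDC Provider"
    Value: !GetAtt IdpGitHubOidc.Arn
  RoleGithubActionsARN:
    Description: "CICD Role for GitHub Actions"
    Value: !GetAtt RoleGithubActions.Arn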