This repository contains a simple example GitHub Actions pipeline that uploads a text file to S3 whenever a contributor pushes to the main branch. The pipeline obtains short-lived AWS credentials through OpenID Connect (OIDC) using the aws-actions/configure-aws-credentials action, so no long-lived access keys are stored in the repository. In addition, the source contains an AWS Cloud Development Kit (CDK) application that defines all of the required AWS resources, including the IAM OIDC identity provider.
GitHub provides a built-in mechanism to automate development workflows through GitHub Actions. Workflows can include anything from building a package to deploying code to infrastructure. Integrating workflows with AWS services is a common use case; however, many tutorials take the path of least resistance, which introduces sharp edges. Sharp edges in this context include:
- Long-lived IAM principals (for example, an IAM user whose static access keys are copied into the workflow)
- Overly permissive IAM policies
- Accidentally exposing sensitive data, such as credentials in source or workflow logs
- Not using GitHub repository secrets for values that must stay secret
- Sharing AWS credentials with untrusted third-party GitHub Actions
This repository demonstrates a modern CDK example that avoids these sharp edges.
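The security-relevant part of the OIDC setup is the trust policy on the role the workflow assumes: the role's `Condition` block decides which GitHub workflow runs may exchange their ID token for AWS credentials. The example below is added here and is not the repository's code; it builds the trust-policy document that an `iam.Role` with a web-identity principal would synthesize (written out as a plain object, with a placeholder account, org and repo) and simulates, in a deliberately simplified way, the `StringEquals`/`StringLike` matching that STS applies to the token's `aud` and `sub` claims. The claim formats (`repo:ORG/REPO:ref:refs/heads/BRANCH` for a push, `repo:ORG/REPO:pull_request` for a pull request) and the `sts.amazonaws.com` audience are the ones GitHub and aws-actions/configure-aws-credentials use; the sample claims are constructed.

```typescript
// Added example, not the repository's code. Org, repo and account values are placeholders.
// Models the IAM trust policy that lets a GitHub Actions workflow assume a role via OIDC,
// and a simplified version of the Condition check STS applies to the workflow's ID token.

type Claims = { aud: string; sub: string };

interface TrustPolicy {
  Version: string;
  Statement: Array<{
    Effect: string;
    Principal: { Federated: string };
    Action: string;
    Condition: { StringEquals: Record<string, string>; StringLike: Record<string, string> };
  }>;
}

const GITHUB_OIDC_ISSUER = "token.actions.githubusercontent.com";

// Trust policy equivalent to what a CDK iam.Role with a WebIdentityPrincipal and these
// conditions synthesizes. `subPattern` is matched with StringLike, so '*' is a wildcard.
function githubOidcTrustPolicy(accountId: string, subPattern: string): TrustPolicy {
  return {
    Version: "2012-10-17",
    Statement: [
      {
        Effect: "Allow",
        Principal: { Federated: `arn:aws:iam::${accountId}:oidc-provider/${GITHUB_OIDC_ISSUER}` },
        Action: "sts:AssumeRoleWithWebIdentity",
        Condition: {
          // audience that aws-actions/configure-aws-credentials requests by default
          StringEquals: { [`${GITHUB_OIDC_ISSUER}:aud`]: "sts.amazonaws.com" },
          // which workflow runs (repo, branch, event) may assume the role
          StringLike: { [`${GITHUB_OIDC_ISSUER}:sub`]: subPattern },
        },
      },
    ],
  };
}

// IAM StringLike semantics: '*' matches any run of characters, '?' a single character.
function stringLike(pattern: string, value: string): boolean {
  const escaped = pattern
    .replace(/[.+^${}()|[\]\\]/g, "\\$&")
    .replace(/\*/g, ".*")
    .replace(/\?/g, ".");
  return new RegExp(`^${escaped}$`).test(value);
}

// Simplified model of the evaluation STS performs on AssumeRoleWithWebIdentity:
// a statement allows the call only if every condition key matches the token claim.
function canAssume(policy: TrustPolicy, claims: Claims): boolean {
  const claimFor = (key: string): string | undefined => {
    const name = key.slice(GITHUB_OIDC_ISSUER.length + 1); // strip the "issuer:" prefix
    if (name === "aud") return claims.aud;
    if (name === "sub") return claims.sub;
    return undefined; // unknown condition key: treated as not matched
  };
  return policy.Statement.some((stmt) => {
    const equalsOk = Object.entries(stmt.Condition.StringEquals).every(
      ([key, expected]) => claimFor(key) === expected,
    );
    const likeOk = Object.entries(stmt.Condition.StringLike).every(([key, pattern]) => {
      const claim = claimFor(key);
      return claim !== undefined && stringLike(pattern, claim);
    });
    return equalsOk && likeOk;
  });
}

// Constructed sample claims, shaped like the aud/sub pairs GitHub puts in the ID token.
const REPO = "example-org/s3-upload-demo";
const sampleClaims = {
  mainPush: { aud: "sts.amazonaws.com", sub: `repo:${REPO}:ref:refs/heads/main` },
  featureBranch: { aud: "sts.amazonaws.com", sub: `repo:${REPO}:ref:refs/heads/feature-x` },
  pullRequest: { aud: "sts.amazonaws.com", sub: `repo:${REPO}:pull_request` },
  otherRepo: { aud: "sts.amazonaws.com", sub: "repo:someone-else/s3-upload-demo:ref:refs/heads/main" },
  wrongAudience: { aud: "https://github.com/example-org", sub: `repo:${REPO}:ref:refs/heads/main` },
};

// Tight: only workflow runs for pushes to main of this repository may assume the role.
const mainOnlyPolicy = githubOidcTrustPolicy("123456789012", `repo:${REPO}:ref:refs/heads/main`);
// Loose (a common tutorial shortcut): any branch, tag, environment or pull_request run of the repo.
const anyRunPolicy = githubOidcTrustPolicy("123456789012", `repo:${REPO}:*`);

for (const [name, claims] of Object.entries(sampleClaims)) {
  console.log(
    `${name.padEnd(14)} main-only=${canAssume(mainOnlyPolicy, claims)} any-run=${canAssume(anyRunPolicy, claims)}`,
  );
}
```

Two things to check against your own setup: the workflow must request the token (`permissions: id-token: write`) and pass the role ARN to configure-aws-credentials via `role-to-assume`, and the `sub` pattern should be as narrow as the pipeline needs. With the loose `repo:ORG/REPO:*` pattern a `pull_request` run, including one triggered by a contributor's branch, can assume the same role as a push to main; the tight pattern rejects it while still rejecting tokens from other repositories or with the wrong audience.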