feat: Create a construct to create IAM resources for GitHub Actions #823
Conversation
exports[`The GitHubActionsRole construct should create the correct resources with minimal config 1`] = ` | ||
Object { | ||
"Outputs": Object { | ||
"GithubActionsRoleGithubActionsRoleArnC13D9654": Object { |
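Review bot: the snapshot's Output logical id `GithubActionsRoleGithubActionsRoleArnC13D9654` repeats the construct id, which indicates the `CfnOutput` child was given the same id as its parent `GithubActionsRole`; a shorter child id (for example `Arn`) or an explicit `exportName` on the `CfnOutput` would give a readable, stable name for anyone referencing the role ARN from another stack.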
Not the best auto-generated Output name...
What does this change?

With https://github.com/guardian/actions-assume-aws-role we're able to Assume Role within GitHub Actions.

This change introduces a construct to simplify the creation of this role.

The `GuGithubActionsRole` construct creates the three required resources:

- `AWS::IAM::Policy`
- `AWS::IAM::Role`
- `AWS::IAM::OIDCProvider`

This allows teams to do:

```typescript
new GuGithubActionsRole(stack, {
  policies: [
    new GuGetS3ObjectsPolicy(stack, "GetObjects", {
      bucketName: "super-secret-stuff",
    }),
  ],
});
```

Which is smaller than the YAML alternative:

```yaml
GitHubBucketAccessPolicy:
  Type: AWS::IAM::Policy
  Properties:
    PolicyName: GitHubBucketAccessPolicy
    PolicyDocument:
      Statement:
        Action:
          - s3:GetObject
        Effect: Allow
        Resource:
          - arn:aws:s3:::super-secret-stuff/*
    Roles:
      - Ref: GitHubRole
GitHubRole:
  Type: AWS::IAM::Role
  Properties:
    AssumeRolePolicyDocument:
      Statement:
        - Effect: Allow
          Action: sts:AssumeRoleWithWebIdentity
          Principal:
            Federated: !Ref GitHubOidc
          Condition:
            StringLike:
              vstoken.actions.githubusercontent.com:sub: repo:guardian/*
GitHubOidc:
  Type: AWS::IAM::OIDCProvider
  Properties:
    Url: https://vstoken.actions.githubusercontent.com
    ClientIdList: [sigstore]
    ThumbprintList: [a031c46782e6e6c662c2c87c76da9aa62ccabd8e]
```
I'm not a CDK expert but the typescript looks good to me!
🎉 This PR is included in version 26.3.0 🎉

The release is available on:

Your semantic-release bot 📦🚀
This is an update to the construct that creates IAM resources for GitHub Actions, first introduced with #823 in early October 2021.

Apparently the `ClientIdList` field should no longer be `sigstore`, as of 19th October 2021:

- aws-actions/configure-aws-credentials#291
- aws-actions/configure-aws-credentials#280 (comment)
- aws-actions/configure-aws-credentials#284

The new value is `sts.amazonaws.com`, which I think corresponds to this line in the docs:

> For the "Audience": Use sts.amazonaws.com if you are using the official action.

https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services#adding-the-identity-provider-to-aws

With the old value of `sigstore` in the `AWS::IAM::OIDCProvider` `ClientIdList` field, running the `aws-actions/configure-aws-credentials` GitHub Action will give you a "Error: Incorrect token audience" error: https://github.com/guardian/facia-scala-client/runs/7025740057?check_suite_focus=true#step:3:6
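To make the two trust checks discussed in this thread concrete (the `sub` condition on the role from the original PR, and the audience in `ClientIdList` from the follow-up), here is an added, dependency-free model of the `OIDCProvider` and `Role` resources plus a simplified version of the checks STS applies to a GitHub Actions token. It is example code, not the `GuGithubActionsRole` construct or any AWS code; the function names and the result strings are hypothetical, and the `Policy` resource is left out.

```typescript
// Added example, not guardian/cdk code: models the OIDCProvider + Role trust
// policy from the PR and a simplified STS-style check of a GitHub OIDC token.
type Claims = { iss: string; aud: string; sub: string };

function buildGitHubTrust(subPattern: string, audience: string) {
  const issuer = "vstoken.actions.githubusercontent.com"; // hostname from the PR
  // IAM condition keys are "<provider host>:<claim>"; the value is a StringLike glob.
  const subCondition: Record<string, string> = { [`${issuer}:sub`]: subPattern };
  return {
    GitHubOidc: {
      Type: "AWS::IAM::OIDCProvider",
      Properties: { Url: `https://${issuer}`, ClientIdList: [audience] },
    },
    GitHubRole: {
      Type: "AWS::IAM::Role",
      Properties: {
        AssumeRolePolicyDocument: {
          Statement: [{
            Effect: "Allow",
            Action: "sts:AssumeRoleWithWebIdentity",
            Principal: { Federated: { Ref: "GitHubOidc" } },
            Condition: { StringLike: subCondition },
          }],
        },
      },
    },
  };
}
type TrustTemplate = ReturnType<typeof buildGitHubTrust>;

// IAM StringLike semantics: * matches any run of characters, ? matches one.
function stringLike(pattern: string): RegExp {
  const escaped = pattern
    .replace(/[.+^${}()|[\]\\]/g, "\\$&")
    .replace(/\*/g, ".*")
    .replace(/\?/g, ".");
  return new RegExp(`^${escaped}$`);
}

// Order mirrors what a caller sees: an audience mismatch is rejected before the
// role's sub condition is consulted (the "Incorrect token audience" failure).
function evaluateTrust(t: TrustTemplate, c: Claims): string {
  const provider = t.GitHubOidc.Properties;
  if (c.iss !== provider.Url) return "Unknown issuer";
  if (!provider.ClientIdList.includes(c.aud)) return "Incorrect token audience";
  const host = provider.Url.replace(/^https:\/\//, "");
  const statement = t.GitHubRole.Properties.AssumeRolePolicyDocument.Statement[0];
  const subPattern = statement.Condition.StringLike[`${host}:sub`];
  if (!subPattern || !stringLike(subPattern).test(c.sub)) return "Not authorized";
  return "Allowed";
}
```

Running a token minted for `sts.amazonaws.com` against a provider still listing `sigstore` reproduces the audience rejection, while the corrected provider admits only subjects matching `repo:guardian/*`.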
Does this change require changes to existing projects or CDK CLI?
No.
Does this change require changes to the library documentation?
Yes and is done.
How to test
See added tests.
How can we measure success?
Less YAML, fewer mistakes 🎉 .
Have we considered potential risks?
Is the reasoning behind `GitHubOidcProvider` clear enough?