Configure AWS credential and region environment variables for use in other GitHub Actions. The environment variables will be detected by both the AWS SDKs and the AWS CLI to determine the credentials and region to use for AWS API calls.
Table of Contents
Add the following step to your workflow:
- name: Configure AWS Credentials
uses: aws-actions/configure-aws-credentials@v1
with:
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
# aws-session-token: ${{ secrets.AWS_SESSION_TOKEN }} # if you have/need it
aws-region: us-east-2For example, you can use this action with the AWS CLI available in GitHub's hosted virtual environments. You can also run this action multiple times to use different AWS accounts, regions, or IAM roles in the same GitHub Actions workflow job.
jobs:
deploy:
name: Upload to Amazon S3
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v2
- name: Configure AWS credentials from Test account
uses: aws-actions/configure-aws-credentials@v1
with:
aws-access-key-id: ${{ secrets.TEST_AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.TEST_AWS_SECRET_ACCESS_KEY }}
aws-region: us-east-1
- name: Copy files to the test website with the AWS CLI
run: |
aws s3 sync . s3://my-s3-test-website-bucket
- name: Configure AWS credentials from Production account
uses: aws-actions/configure-aws-credentials@v1
with:
aws-access-key-id: ${{ secrets.PROD_AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.PROD_AWS_SECRET_ACCESS_KEY }}
aws-region: us-west-2
- name: Copy files to the production website with the AWS CLI
run: |
aws s3 sync . s3://my-s3-prod-website-bucketSee action.yml for the full documentation for this action's inputs and outputs.
We recommend following Amazon IAM best practices for the AWS credentials used in GitHub Actions workflows, including:
- Do not store credentials in your repository's code. You may use GitHub Actions secrets to store credentials and redact credentials from GitHub Actions workflow logs.
- Create an individual IAM user with an access key for use in GitHub Actions workflows, preferably one per repository. Do not use the AWS account root user access key.
- Grant least privilege to the credentials used in GitHub Actions workflows. Grant only the permissions required to perform the actions in your GitHub Actions workflows.
- Rotate the credentials used in GitHub Actions workflows regularly.
- Monitor the activity of the credentials used in GitHub Actions workflows.
If you would like to use the static credentials you provide to this action to assume a role, you can do so by specifying the role ARN in role-to-assume.
The role credentials will then be configured in the Actions environment instead of the static credentials you have provided.
The default session duration is 6 hours, but if you would like to adjust this you can pass a duration to role-duration-seconds.
The default session name is GitHubActions, and you can modify it by specifying the desired name in role-session-name.
Example:
- name: Configure AWS Credentials
uses: aws-actions/configure-aws-credentials@v1
with:
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
aws-region: us-east-2
role-to-assume: ${{ secrets.AWS_ROLE_TO_ASSUME }}
role-external-id: ${{ secrets.AWS_ROLE_EXTERNAL_ID }}
role-duration-seconds: 1200
role-session-name: MySessionNameIn this example, the secret AWS_ROLE_TO_ASSUME contains a string like arn:aws:iam::123456789100:role/my-github-actions-role. To assume a role in the same account as the static credentials, you can simply specify the role name, like role-to-assume: my-github-actions-role.
In order to assume a role, the IAM user for the static credentials must have the following permissions:
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"sts:AssumeRole",
"sts:TagSession"
],
"Resource": "arn:aws:iam::123456789012:role/my-github-actions-role",
"Effect": "Allow"
}
]
}The role's trust policy must allow the IAM user to assume the role:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowIamUserAssumeRole",
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Principal": {"AWS": "arn:aws:iam::123456789012:user/my-github-actions-user"},
"Condition": {
"StringEquals": {"sts:ExternalId": "Example987"}
}
},
{
"Sid": "AllowPassSessionTags",
"Effect": "Allow",
"Action": "sts:TagSession",
"Principal": {"AWS": "arn:aws:iam::123456789012:user/my-github-actions-user"}
}
]
}The session will have the name "GitHubActions" and be tagged with the following tags:
(GITHUB_ environment variable definitions can be found here)
| Key | Value |
|---|---|
| GitHub | "Actions" |
| Repository | GITHUB_REPOSITORY |
| Workflow | GITHUB_WORKFLOW |
| Action | GITHUB_ACTION |
| Actor | GITHUB_ACTOR |
| Branch | GITHUB_REF |
| Commit | GITHUB_SHA |
Note: all tag values must conform to the requirements. Particularly, GITHUB_WORKFLOW will be truncated if it's too long. If GITHUB_ACTOR or GITHUB_WORKFLOW contain invalid charcters, the characters will be replaced with an '*'.
The action will use session tagging by default during role assumption. You can skip this session tagging by providing role-skip-session-tagging as true in the action's inputs:
uses: aws-actions/configure-aws-credentials@v1
with:
role-skip-session-tagging: trueIf you run your GitHub Actions in a self-hosted runner that already has access to AWS credentials, such as an EC2 instance, then you do not need to provide IAM user access key credentials to this action.
If no access key credentials are given in the action inputs, this action will use credentials from the runner environment using the default methods for the AWS SDK for Javascript.
You can use this action to simply configure the region and account ID in the environment, and then use the runner's credentials for all AWS API calls made by your Actions workflow:
uses: aws-actions/configure-aws-credentials@v1
with:
aws-region: us-east-2In this case, your runner's credentials must have permissions to call any AWS APIs called by your Actions workflow.
Or, you can use this action to assume a role, and then use the role credentials for all AWS API calls made by your Actions workflow:
uses: aws-actions/configure-aws-credentials@v1
with:
aws-region: us-east-2
role-to-assume: my-github-actions-roleIn this case, your runner's credentials must have permissions to assume the role.
This workflow does not install the AWS CLI into your environment. Self-hosted runners that intend to run this action prior to executing aws commands need to have the AWS CLI installed if it's not already present.
Most GitHub hosted runner environments should include the AWS CLI by default.
This code is made available under the MIT license.
If you would like to report a potential security issue in this project, please do not create a GitHub issue. Instead, please follow the instructions here or email AWS security directly.