
Commit 9dab1b3

committed
Refactor AWS credentials configuration to use OIDC for enhanced security across workflows
1 parent 1b95871 commit 9dab1b3

7 files changed

+127
-24
lines changed


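--- a/.github/workflows/argocd.yml
+++ b/.github/workflows/argocd.yml
@@ -38,11 +38,10 @@ jobs:
 - name: Checkout Repository
 uses: actions/checkout@v5
 
-- name: Login to AWS
-uses: aws-actions/configure-aws-credentials@v4.3.1
+- name: Configure AWS credentials via OIDC
+uses: aws-actions/configure-aws-credentials@v4
 with:
-aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
-aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/GitHubActionsInfraRole
 aws-region: us-east-1
 
 - name: Update kubeconfig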
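Review bot: The new `role-to-assume` step only works if the job or workflow grants `permissions: id-token: write`, and no `permissions` block is visible in this hunk; if one is not already set elsewhere in the file the action cannot request the GitHub OIDC token and the step fails before any AWS call is made. The identical hunks in deploy.yml, destroy.yml, endpoints.yml, monitoring.yml and terraform.yml have the same gap. The action reference also moved from the exact `@v4.3.1` to the floating `@v4` tag, which lets a credential-minting step pick up any future release under that major; pinning to the release's full commit SHA with the version in a trailing comment (`uses: aws-actions/configure-aws-credentials@<commit-sha> # v4.x.y`) is the tighter choice. A job-level `permissions: { id-token: write, contents: read }` would make the required grant explicit next to the step that needs it. The enclosing job starts outside the hunk.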

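--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@@ -38,11 +38,10 @@ jobs:
 - name: Checkout Repository
 uses: actions/checkout@v5
 
-- name: Login to AWS
-uses: aws-actions/configure-aws-credentials@v4.3.1
+- name: Configure AWS credentials via OIDC
+uses: aws-actions/configure-aws-credentials@v4
 with:
-aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
-aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/GitHubActionsInfraRole
 aws-region: us-east-1
 
 - name: Update kubeconfig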

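--- a/.github/workflows/destroy.yml
+++ b/.github/workflows/destroy.yml
@@ -28,11 +28,10 @@ jobs:
 exit 1
 fi
 
-- name: Login to AWS
-uses: aws-actions/configure-aws-credentials@v4.3.1
+- name: Configure AWS credentials via OIDC
+uses: aws-actions/configure-aws-credentials@v4
 with:
-aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
-aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/GitHubActionsInfraRole
 aws-region: us-east-1
 
 - name: Setup Terraform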

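--- a/.github/workflows/endpoints.yml
+++ b/.github/workflows/endpoints.yml
@@ -35,11 +35,10 @@ jobs:
 runs-on: ubuntu-latest
 environment: production
 steps:
-- name: Login to AWS
-uses: aws-actions/configure-aws-credentials@v4.3.1
+- name: Configure AWS credentials via OIDC
+uses: aws-actions/configure-aws-credentials@v4
 with:
-aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
-aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/GitHubActionsInfraRole
 aws-region: us-east-1
 
 - name: Update kubeconfig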
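Review bot: This job sets `environment: production` (two lines above `steps:`), and a job bound to an environment presents an OIDC token whose `sub` claim is `repo:OWNER/REPO:environment:production` rather than `repo:OWNER/REPO:ref:refs/heads/main`; the trust policy this commit adds in backend/main.tf matches `sub` with `StringEquals` against the branch form only, so this workflow's assume-role call would be denied even once the repository placeholder there is filled in. Either add the environment subject to that condition's value list, e.g. `"repo:OWNER/REPO:environment:production"`, or drop `environment:` here if it is not needed for approvals or environment-scoped secrets. The enclosing job starts outside the hunk.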

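--- a/.github/workflows/monitoring.yml
+++ b/.github/workflows/monitoring.yml
@@ -39,13 +39,13 @@ jobs:
 - name: Checkout Repository
 uses: actions/checkout@v5
 
-- name: Login to AWS
-uses: aws-actions/configure-aws-credentials@v4.3.1
+- name: Configure AWS credentials via OIDC
+uses: aws-actions/configure-aws-credentials@v4
 with:
-aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
-aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/GitHubActionsInfraRole
 aws-region: us-east-1
 
+
 - name: Update kubeconfig
 run: aws eks update-kubeconfig --name ${{ inputs.cluster_name }} --region us-east-1
 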
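--- a/.github/workflows/terraform.yml
+++ b/.github/workflows/terraform.yml
@@ -39,11 +39,10 @@ jobs:
 - name: Checkout Repository
 uses: actions/checkout@v5
 
-- name: Login to AWS
-uses: aws-actions/configure-aws-credentials@v4.3.1
+- name: Configure AWS credentials via OIDC
+uses: aws-actions/configure-aws-credentials@v4
 with:
-aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
-aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/GitHubActionsInfraRole
 aws-region: us-east-1
 
 - name: Setup Terraform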

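--- a/backend/main.tf
+++ b/backend/main.tf
@@ -33,3 +33,111 @@ resource "aws_dynamodb_table" "terraform_locks" {
 Name = "TerraformLocks"
 }
 }
+# ----------------------------
+# IAM OIDC Provider for GitHub
+# ----------------------------
+resource "aws_iam_openid_connect_provider" "github" {
+url = "https://token.actions.githubusercontent.com"
+client_id_list = ["sts.amazonaws.com"]
+thumbprint_list = ["6938fd4d98bab03faadb97b34396831e3780aea1"]
+}
+
+# ----------------------------
+# IAM Role for GitHub Actions (Scoped)
+# ----------------------------
+resource "aws_iam_role" "github_actions_infra_role" {
+name = "GitHubActionsInfraRole"
+
+assume_role_policy = jsonencode({
+Version = "2012-10-17",
+Statement = [
+{
+Effect = "Allow",
+Principal = {
+Federated = aws_iam_openid_connect_provider.github.arn
+},
+Action = "sts:AssumeRoleWithWebIdentity",
+Condition = {
+StringEquals = {
+# Replace with your repo path
+"token.actions.githubusercontent.com:aud" = "sts.amazonaws.com"
+"token.actions.githubusercontent.com:sub" = "repo:YOUR_GITHUB_USER/YOUR_REPO:ref:refs/heads/main"
+}
+}
+}
+]
+})
+}
+
+# ----------------------------
+# Scoped Policy for Infra Role
+# ----------------------------
+resource "aws_iam_role_policy" "github_actions_infra_policy" {
+name = "GitHubActionsInfraPolicy"
+role = aws_iam_role.github_actions_infra_role.id
+
+policy = jsonencode({
+Version = "2012-10-17",
+Statement = [
+{
+Effect = "Allow",
+Action = [
+# VPC
+"ec2:CreateVpc",
+"ec2:DescribeVpcs",
+"ec2:DeleteVpc",
+"ec2:CreateSubnet",
+"ec2:DescribeSubnets",
+"ec2:DeleteSubnet",
+"ec2:CreateRouteTable",
+"ec2:DescribeRouteTables",
+"ec2:AssociateRouteTable",
+"ec2:CreateInternetGateway",
+"ec2:DescribeInternetGateways",
+"ec2:AttachInternetGateway",
+"ec2:CreateNatGateway",
+"ec2:DescribeNatGateways",
+"ec2:AllocateAddress",
+"ec2:DescribeAddresses",
+"ec2:CreateSecurityGroup",
+"ec2:DescribeSecurityGroups",
+"ec2:AuthorizeSecurityGroupIngress",
+"ec2:AuthorizeSecurityGroupEgress",
+"ec2:DeleteSecurityGroup",
+"ec2:DeleteRouteTable"
+],
+Resource = "*"
+},
+{
+Effect = "Allow",
+Action = [
+# EKS
+"eks:CreateCluster",
+"eks:DescribeCluster",
+"eks:UpdateClusterConfig",
+"eks:DeleteCluster",
+"eks:ListClusters",
+"eks:CreateNodegroup",
+"eks:DeleteNodegroup"
+],
+Resource = "*"
+},
+{
+Effect = "Allow",
+Action = [
+# IAM for node roles
+"iam:PassRole",
+"iam:GetRole",
+"iam:CreateRole",
+"iam:AttachRolePolicy",
+"iam:PutRolePolicy"
+],
+Resource = [
+# Node roles your workflow will create
+"arn:aws:iam::*:role/*-node-role",
+"arn:aws:iam::*:role/*-cluster-role"
+]
+}
+]
+})
+}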
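Review bot: The trust policy's `sub` condition is committed with the literal placeholder `repo:YOUR_GITHUB_USER/YOUR_REPO:ref:refs/heads/main`, so as applied none of the workflows changed in this commit can assume `GitHubActionsInfraRole`, and the `# Replace with your repo path` comment sits above the `aud` line rather than the `sub` line it refers to. It also admits only pushes to `main`, while endpoints.yml runs its job with `environment: production`, whose token carries `sub` = `repo:OWNER/REPO:environment:production`; `StringEquals` accepts a list of values, so both subjects can be allowed without a wildcard, as sketched below with the owner/repo moved into input variables that would need declaring. The third statement undercuts the "Scoped" label: `iam:CreateRole`, `iam:AttachRolePolicy` and `iam:PutRolePolicy` on `arn:aws:iam::*:role/*-node-role` leave the account field as `*` and carry no `iam:PermissionsBoundary` condition, so the workflow identity can attach arbitrary policies to any role it creates under that name pattern — pin the account id (`arn:aws:iam::<ACCOUNT_ID>:role/*-node-role`) and require a boundary, and give `iam:PassRole` an `iam:PassedToService` condition limited to the EKS/EC2 service principals. Finally, the policy grants nothing on the Terraform state backend (`aws_dynamodb_table.terraform_locks` is visible in the context lines) and omits teardown actions destroy.yml will need (`ec2:DeleteInternetGateway`, `ec2:DeleteNatGateway`, `ec2:ReleaseAddress`, `iam:DeleteRole` are absent), so plan and destroy runs are likely to fail on authorization.
```hcl
resource "aws_iam_role" "github_actions_infra_role" {
  # … unchanged: name, Version, Effect, Principal, Action …
        Condition = {
          StringEquals = {
            "token.actions.githubusercontent.com:aud" = "sts.amazonaws.com"
            # Both subjects this repo's workflows present: pushes to main and the
            # `production` environment used by endpoints.yml. github_owner and
            # github_repo are input variables to declare (they replace the placeholder).
            "token.actions.githubusercontent.com:sub" = [
              "repo:${var.github_owner}/${var.github_repo}:ref:refs/heads/main",
              "repo:${var.github_owner}/${var.github_repo}:environment:production",
            ]
          }
        }
  # … unchanged: closing of Statement / jsonencode …
```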
