Merge pull request #58 from oslokommune/github-actions-oidc

simenheg · web-flow · commit 9e0d9ffccfb9 · 2025-09-29T14:27:51.000+02:00
Do GitHub auth with OIDC instead of IAM access key
diff --git a/.github/workflows/deploy_dev.yml b/.github/workflows/deploy_dev.yml
@@ -4,11 +4,13 @@ on:
   workflow_dispatch:
   workflow_call:
     secrets:
-      AWS_ACCESS_KEY_DEV:
-        required: true
-      AWS_SECRET_ACCESS_KEY_DEV:
+      AWS_ACCOUNT_DEV:
         required: true
 
+permissions:
+  id-token: write
+  contents: read
+
 jobs:
   push:
     name: Build, push image
@@ -21,12 +23,14 @@ jobs:
         uses: docker/setup-buildx-action@94ab11c41e45d028884a99163086648e898eed25 # v1.6.0
 
       - name: Configure AWS credentials
-        uses: aws-actions/configure-aws-credentials@05b148adc31e091bafbaf404f745055d4d3bc9d2 # v1.6.1
+        uses: aws-actions/configure-aws-credentials@a03048d87541d1d9fcf2ecf528a4a65ba9bd7838 # v5.0.0
         with:
-          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_DEV }}
-          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY_DEV }}
+          role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_DEV }}:role/github-deploy
           aws-region: eu-west-1
 
+      - name: Sts GetCallerIdentity
+        run: aws sts get-caller-identity
+
       - name: Login to Amazon ECR
         id: login-ecr
         uses: aws-actions/amazon-ecr-login@aaf69d68aa3fb14c1d5a6be9ac61fe15b48453a2 # v1.3.3
diff --git a/.github/workflows/deploy_prod.yml b/.github/workflows/deploy_prod.yml
@@ -4,11 +4,13 @@ on:
   workflow_dispatch:
   workflow_call:
     secrets:
-      AWS_ACCESS_KEY_PROD:
-        required: true
-      AWS_SECRET_ACCESS_KEY_PROD:
+      AWS_ACCOUNT_PROD:
         required: true
 
+permissions:
+  id-token: write
+  contents: read
+
 jobs:
   push:
     name: Build, push image
@@ -21,12 +23,14 @@ jobs:
         uses: docker/setup-buildx-action@94ab11c41e45d028884a99163086648e898eed25 # v1.6.0
 
       - name: Configure AWS credentials
-        uses: aws-actions/configure-aws-credentials@05b148adc31e091bafbaf404f745055d4d3bc9d2 # v1.6.1
+        uses: aws-actions/configure-aws-credentials@a03048d87541d1d9fcf2ecf528a4a65ba9bd7838 # v5.0.0
         with:
-          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_PROD }}
-          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY_PROD }}
+          role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_PROD }}:role/github-deploy
           aws-region: eu-west-1
 
+      - name: Sts GetCallerIdentity
+        run: aws sts get-caller-identity
+
       - name: Login to Amazon ECR
         id: login-ecr
         uses: aws-actions/amazon-ecr-login@aaf69d68aa3fb14c1d5a6be9ac61fe15b48453a2 # v1.3.3
