
aws-role-github
1. Introduction
In modern cloud infrastructure, managing access securely and efficiently is crucial. In this case, we are going to talk about the AWS cloud provider. AWS Identity and Access Management (IAM) Roles provide a powerful way to control and delegate access to AWS resources without needing to expose sensitive credentials. This repository showcases how to create and manage AWS IAM Roles in real-world scenarios, specifically focusing on practical use cases such as integrating with GitHub Actions self-hosted runners.

The goal of this repository is to demonstrate best practices for creating IAM Roles, assigning appropriate permissions, and configuring trust policies to ensure secure and scalable access to AWS resources. Whether you are setting up CI/CD pipelines, automating workflows, or managing infrastructure, this guide will walk you through the entire process, making it easier to implement roles effectively.

By following the examples in this repository, you will learn how to:
- Create an AWS Identity Provider for GitHub
- Create an IAM role tailored to your specific needs
- Assign least-privilege permissions to ensure security
- Integrate IAM roles seamlessly with GitHub Actions for automated workflows

This guide is designed for cloud engineers, DevOps practitioners, or anyone looking to improve their understanding of AWS IAM roles in real-world applications.

2. Pre-Requisites
The following tools, accounts, and permissions are needed to follow along with this example:
- AWS Account
- IAM Permissions to create roles and assign policies
- IAM Permissions to create identity providers
- GitHub Repository
3. Understanding AWS Identity Provider
AWS Identity Provider enables you to authenticate users from an external identity system, like GitHub, Microsoft Active Directory, Google, or other OpenID Connect (OIDC) providers, and grant them temporary access to AWS resources. This allows seamless integration of your existing identity management systems with AWS, without needing to create and manage IAM users for every external entity.

4. Step by step guide
In order to create the role following AWS best practices, you can use either of the two methods provided below.

4.1 Manually
4.1.1 Create an AWS Identity provider
- Navigate to IAM
- Choose Identity providers and click on Add provider
- Select OpenID Connect
- Put this provider URL: https://token.actions.githubusercontent.com
- Put this Audience: sts.amazonaws.com
- Click Add provider
4.1.2 Create an IAM policy
- Navigate to IAM
- Choose Policies and click on Create policy
- Create a policy depending on your needs. Add the services that you want to use and the required access for each one, ensuring the use of the principle of least privilege
4.1.3 Create an IAM role
- Navigate to IAM
- Choose Roles and click on Create role
- Select Web Identity
- Click on Choose a provider and select token.actions.githubusercontent.com
- Click on the Audience section and fill it with sts.amazonaws.com
- Click on the GitHub organization section and fill it with the name of your organization
- Click on the GitHub repository section and fill it with the name of the repository that is going to use this role, then click Next
- Choose the policy created in the section Create an IAM policy and click Next
- Enter the role name

4.2 Using Terraform
In this section, I will show you how to create the same components using Terraform.

4.2.1 Create an AWS Identity provider
- In this section only, we are going to create the AWS Identity provider manually. Why? Because the same provider can be reused to create multiple roles, rather than creating an AWS Identity provider per environment
- Follow the same steps provided in the section Create an AWS Identity provider

Note: If you want to provision the AWS Identity provider using Terraform, follow this link: iam-github-oidc-provider

4.2.2 Provision the AWS IAM role
- In this section, we are going to provision the AWS IAM role using Terraform. To keep things simple, no CI/CD tools like GitHub Actions, Terraform backend, or workspaces will be configured. Don't worry, I will cover it in another repo 😉
- Clone the project on your local machine
- Configure the code depending on your needs
- This project contains a policy for demonstration purposes. You need to modify it according to your needs
- Go to the policies.tf file and modify the policy in the block starting with: data "aws_iam_policy_document" "role_policy" {

Note: Don't forget to save your file

- Provision the AWS role

```bash
terraform init
terraform apply -auto-approve
```
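As an added example (not this repository's own Terraform, which lives in its policies.tf and role files), the block below expresses in Terraform what the console wizard of section 4.1.3 builds, and attaches a permissions policy as in sections 4.1.2 and 4.2.2. The organization name "example-org", the repository name "example-repo" and the bucket "example-artifacts-bucket" are assumed placeholders. The security-relevant part is the trust policy: the `aud` condition ties the token to the sts.amazonaws.com audience entered in the wizard, and the `sub` condition restricts which GitHub organization and repository may assume the role; a trust policy that only names the provider and omits the `sub` condition would let any GitHub repository obtain the role's credentials.

```hcl
# Added example, not the repository's own code.
# Assumed placeholders: example-org, example-repo, example-artifacts-bucket.

variable "github_org" {
  default = "example-org" # assumed placeholder
}

variable "github_repo" {
  default = "example-repo" # assumed placeholder
}

# The OIDC provider was created manually (section 4.2.1); look it up by URL
# rather than creating a second provider per environment.
data "aws_iam_openid_connect_provider" "github" {
  url = "https://token.actions.githubusercontent.com"
}

# Trust policy: who may assume the role. Only tokens issued by the GitHub
# provider, for the sts.amazonaws.com audience, from the named repository.
data "aws_iam_policy_document" "assume_role" {
  statement {
    effect  = "Allow"
    actions = ["sts:AssumeRoleWithWebIdentity"]

    principals {
      type        = "Federated"
      identifiers = [data.aws_iam_openid_connect_provider.github.arn]
    }

    condition {
      test     = "StringEquals"
      variable = "token.actions.githubusercontent.com:aud"
      values   = ["sts.amazonaws.com"]
    }

    # "sub" has the form repo:<org>/<repo>:<ref or environment>. Matching the
    # org/repo prefix is what the console wizard produces from the organization
    # and repository fields; narrow the suffix (for example ":ref:refs/heads/main"
    # or ":environment:prod") for roles that deploy to production.
    condition {
      test     = "StringLike"
      variable = "token.actions.githubusercontent.com:sub"
      values   = ["repo:${var.github_org}/${var.github_repo}:*"]
    }
  }
}

resource "aws_iam_role" "github_actions" {
  name                 = "github-actions-${var.github_repo}"
  assume_role_policy   = data.aws_iam_policy_document.assume_role.json
  max_session_duration = 3600 # short-lived sessions; one hour is the minimum
}

# Permissions policy (section 4.1.2): least privilege for one demo use case,
# listing a single bucket. Replace the actions and resources with what the
# workflow actually needs.
data "aws_iam_policy_document" "role_policy" {
  statement {
    effect    = "Allow"
    actions   = ["s3:ListBucket"]
    resources = ["arn:aws:s3:::example-artifacts-bucket"] # assumed placeholder
  }
}

resource "aws_iam_policy" "github_actions" {
  name   = "github-actions-${var.github_repo}"
  policy = data.aws_iam_policy_document.role_policy.json
}

resource "aws_iam_role_policy_attachment" "github_actions" {
  role       = aws_iam_role.github_actions.name
  policy_arn = aws_iam_policy.github_actions.arn
}

# The ARN a workflow passes to the credentials action as role-to-assume.
output "role_arn" {
  value = aws_iam_role.github_actions.arn
}
```

After `terraform apply`, a workflow in the named repository can assume the role by declaring `permissions: id-token: write` and calling the aws-actions/configure-aws-credentials action with `role-to-assume` set to the `role_arn` output; no static access keys are stored in GitHub. To check an existing role, `aws iam get-role --role-name <name>` returns its AssumeRolePolicyDocument, where both the `aud` and the `sub` conditions should be present.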
