{"id":37400060,"url":"https://github.com/hops-ops/aws-actions-connector","last_synced_at":"2026-02-25T03:06:44.969Z","repository":{"id":332218131,"uuid":"1129368193","full_name":"hops-ops/aws-actions-connector","owner":"hops-ops","description":"GithubActionsOIDCConnector - creates OIDC provider and role to use from github actions for connecting to AWS","archived":false,"fork":false,"pushed_at":"2026-02-19T20:29:50.000Z","size":44,"stargazers_count":0,"open_issues_count":1,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-02-19T22:31:29.222Z","etag":null,"topics":["aws","aws-iam","aws-oidc","crossplane","crossplane-configuration","crossplane-configurations","crossplane-xrd","github","xrd"],"latest_commit_sha":null,"homepage":"","language":"KCL","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/hops-ops.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-01-07T01:58:56.000Z","updated_at":"2026-02-19T19:53:10.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/hops-ops/aws-actions-connector","commit_stats":null,"previous_names":["hops-ops/aws-actions-connector"],"tags_count":6,"template":false,"template_full_name":null,"purl":"pkg:github/hops-ops/aws-actions-connector","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/hops-ops%2Faws-actions-connector","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/hops-ops%2Faws-actions-connector/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/hops-ops%2Faws-actions-connector/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/hops-ops%2Faws-actions-connector/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/hops-ops","download_url":"https://codeload.github.com/hops-ops/aws-actions-connector/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/hops-ops%2Faws-actions-connector/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":29809155,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-02-24T22:43:48.403Z","status":"online","status_checked_at":"2026-02-25T02:00:07.329Z","response_time":61,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["aws","aws-iam","aws-oidc","crossplane","crossplane-configuration","crossplane-configurations","crossplane-xrd","github","xrd"],"created_at":"2026-01-16T05:42:14.060Z","updated_at":"2026-02-25T03:06:44.933Z","avatar_url":"https://github.com/hops-ops.png","language":"KCL","funding_links":[],"categories":[],"sub_categories":[],"readme":"# aws-actions-connector\n\nSets up GitHub Actions OIDC federation with AWS for secure CI/CD access without long-lived credentials.\n\n## What It Creates\n\n- **OIDC Provider** - Registers `token.actions.githubusercontent.com` as an identity provider in AWS\n- **IAM Role** - Creates a role with a trust policy scoped to your GitHub org/repo/ref\n- **Policy Attachment** - Attaches your chosen IAM policy to the role\n\n## Quick Start\n\n```yaml\napiVersion: aws.hops.ops.com.ai/v1alpha1\nkind: ActionsConnector\nmetadata:\n  name: my-org-gha\n  namespace: default\nspec:\n  accountId: \"123456789012\"\n  github:\n    owner: my-org\n```\n\nThis creates an OIDC provider and role (`hops-github-actions`) that any repo in `my-org` can assume, with `AdministratorAccess` policy attached.\n\n## Configuration\n\n### Required Fields\n\n| Field | Description |\n|-------|-------------|\n| `spec.accountId` | AWS Account ID |\n| `spec.github.owner` | GitHub organization or username |\n\n### Optional Fields\n\n| Field | Default | Description |\n|-------|---------|-------------|\n| `spec.github.repository` | `\"*\"` | Repository name or `\"*\"` for all repos |\n| `spec.github.refPattern` | `\"*\"` | Git ref pattern: `\"*\"`, `\"ref:refs/heads/main\"`, `\"environment:production\"` |\n| `spec.role.name` | `\"hops-github-actions\"` | IAM role name |\n| `spec.role.permissionsBoundary` | - | ARN of permissions boundary to attach |\n| `spec.policy.arn` | `AdministratorAccess` | IAM policy ARN to attach |\n| `spec.providerConfigRef.name` | `\"default\"` | AWS ProviderConfig name |\n| `spec.tags` | `{\"hops\": \"true\"}` | Additional AWS resource tags |\n\n## Common Use Cases\n\n### Organization-Wide Access\n\nAllow any repo in your org to assume the role:\n\n```yaml\nspec:\n  accountId: \"123456789012\"\n  github:\n    owner: my-org\n    repository: \"*\"\n    refPattern: \"*\"\n```\n\n### Single Repository\n\nRestrict to a specific repo and branch:\n\n```yaml\nspec:\n  accountId: \"123456789012\"\n  github:\n    owner: my-org\n    repository: my-app\n    refPattern: \"ref:refs/heads/main\"\n  role:\n    name: my-app-deploy\n  policy:\n    arn: arn:aws:iam::123456789012:policy/my-app-deploy-policy\n```\n\n### Environment-Based Deployment\n\nUse GitHub Environments for approval workflows:\n\n```yaml\nspec:\n  accountId: \"123456789012\"\n  github:\n    owner: my-org\n    repository: infrastructure\n    refPattern: \"environment:production\"\n  role:\n    name: github-actions-prod-deploy\n  policy:\n    arn: arn:aws:iam::aws:policy/PowerUserAccess\n```\n\n## Using in GitHub Actions\n\nOnce deployed, configure your workflow to assume the role:\n\n```yaml\nname: Deploy\n\non:\n  push:\n    branches: [main]\n\npermissions:\n  id-token: write\n  contents: read\n\njobs:\n  deploy:\n    runs-on: ubuntu-latest\n    steps:\n      - uses: aws-actions/configure-aws-credentials@v4\n        with:\n          role-to-assume: arn:aws:iam::123456789012:role/hops-github-actions\n          aws-region: us-east-1\n\n      - name: Deploy\n        run: |\n          aws sts get-caller-identity\n          # Your deployment commands here\n```\n\n## Importing Existing Resources\n\nIf you already have an OIDC provider and role, import them:\n\n```yaml\napiVersion: aws.hops.ops.com.ai/v1alpha1\nkind: ActionsConnector\nmetadata:\n  name: imported-gha\nspec:\n  accountId: \"123456789012\"\n  # Exclude Delete to prevent accidental deletion\n  managementPolicies: [Create, Update, Observe, LateInitialize]\n  github:\n    owner: my-org\n  oidcProvider:\n    externalName: arn:aws:iam::123456789012:oidc-provider/token.actions.githubusercontent.com\n  role:\n    name: existing-gha-role\n    externalName: existing-gha-role\n  policy:\n    arn: arn:aws:iam::aws:policy/AdministratorAccess\n  policyAttachment:\n    externalName: existing-gha-role/arn:aws:iam::aws:policy/AdministratorAccess\n```\n\n## Status\n\nOnce deployed, the status shows the created resources:\n\n```yaml\nstatus:\n  ready: true\n  oidcProvider:\n    arn: arn:aws:iam::123456789012:oidc-provider/token.actions.githubusercontent.com\n    url: https://token.actions.githubusercontent.com\n  role:\n    arn: arn:aws:iam::123456789012:role/hops-github-actions\n    name: hops-github-actions\n  trustPolicy:\n    subject: \"repo:my-org/*:*\"\n```\n\n## Security Considerations\n\n- **Scope access tightly** - Use specific repos and ref patterns rather than wildcards when possible\n- **Use permissions boundaries** - Apply `spec.role.permissionsBoundary` to limit maximum permissions\n- **Prefer least privilege** - Attach a custom policy with only required permissions instead of `AdministratorAccess`\n- **Use GitHub Environments** - For production deployments, use `environment:production` pattern with required reviewers\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fhops-ops%2Faws-actions-connector","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fhops-ops%2Faws-actions-connector","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fhops-ops%2Faws-actions-connector/lists"}