https://github.com/jareechang/github-oidc-example-granular-permissions
Github OpenID Connect with granular permissions
authetication aws aws-s3 githubactions iam iam-role oidc terraform
- Host: GitHub
- URL: https://github.com/jareechang/github-oidc-example-granular-permissions
- Owner: Jareechang
- Created: 2021-12-30T07:56:47.000Z (over 3 years ago)
- Default Branch: master
- Last Pushed: 2022-05-14T19:02:34.000Z (almost 3 years ago)
- Last Synced: 2025-03-17T18:14:52.141Z (about 1 month ago)
- Topics: authetication, aws, aws-s3, githubactions, iam, iam-role, oidc, terraform
- Language: HCL
- Size: 57.6 KB
- Stars: 0
- Watchers: 2
- Forks: 0
- Open Issues: 2
Metadata Files:
- Readme: README.md
README
# Github OpenID connect with AWS (Granular permissions)
This is an example of a Github Actions deployment to AWS with OpenID Connect (OIDC), using Terraform.
It builds on our earlier [example](https://github.com/Jareechang/github-oidc-example), which has a permissions problem: the single IAM role it creates can be assumed from every workflow (pull requests, all branches and forks).
Here we want more granularity, so that each kind of workflow gets only the access it needs.
## Changes
So, there are a few things we need to change:
- Create separate IAM roles (one for pull requests, one for deployment)
- Update our subject filter and the condition operators
- Separate the Github Actions workflows (pull request and deployment)

## Separate roles
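As an added illustration of the three changes above (this is example Terraform written for this page, not the repository's own code), the following declares one GitHub OIDC provider and two roles whose trust policies differ only in the subject filter and the condition operator: the deployment role uses `StringEquals` on an exact branch ref, the pull request role uses `StringLike` on the `pull_request` subject. The org/repo name, bucket name and provider thumbprint are placeholders.

```hcl
# Added example, not the repository's Terraform. Replace the placeholder values
# (repo slug, bucket, thumbprint) before applying.
locals {
  github_repo = "EXAMPLE-ORG/EXAMPLE-REPO"  # placeholder: "owner/repo" of the workflow
  bucket_name = "example-deploy-bucket"     # placeholder
}

# One OIDC provider per account. The thumbprint is a placeholder and must be the
# real fingerprint of GitHub's OIDC certificate chain.
resource "aws_iam_openid_connect_provider" "github" {
  url             = "https://token.actions.githubusercontent.com"
  client_id_list  = ["sts.amazonaws.com"]
  thumbprint_list = ["0000000000000000000000000000000000000000"] # placeholder
}

# Deployment role trust policy: StringEquals pins the subject to the exact
# ref of the default branch, so a pull request or another branch never matches.
data "aws_iam_policy_document" "deploy_trust" {
  statement {
    actions = ["sts:AssumeRoleWithWebIdentity"]
    principals {
      type        = "Federated"
      identifiers = [aws_iam_openid_connect_provider.github.arn]
    }
    condition {
      test     = "StringEquals"
      variable = "token.actions.githubusercontent.com:aud"
      values   = ["sts.amazonaws.com"]
    }
    condition {
      test     = "StringEquals"
      variable = "token.actions.githubusercontent.com:sub"
      values   = ["repo:${local.github_repo}:ref:refs/heads/master"]
    }
  }
}

# Pull request role trust policy: workflows triggered by pull_request events
# present the subject "repo:<owner>/<repo>:pull_request". StringLike allows a
# wildcard here if the pattern is later widened, but stays scoped to this repo.
data "aws_iam_policy_document" "pr_trust" {
  statement {
    actions = ["sts:AssumeRoleWithWebIdentity"]
    principals {
      type        = "Federated"
      identifiers = [aws_iam_openid_connect_provider.github.arn]
    }
    condition {
      test     = "StringEquals"
      variable = "token.actions.githubusercontent.com:aud"
      values   = ["sts.amazonaws.com"]
    }
    condition {
      test     = "StringLike"
      variable = "token.actions.githubusercontent.com:sub"
      values   = ["repo:${local.github_repo}:pull_request"]
    }
  }
}

resource "aws_iam_role" "deploy" {
  name               = "github-oidc-deploy"
  assume_role_policy = data.aws_iam_policy_document.deploy_trust.json
}

resource "aws_iam_role" "pr" {
  name               = "github-oidc-pull-request"
  assume_role_policy = data.aws_iam_policy_document.pr_trust.json
}

# Deployment: write-only access to the bucket objects.
data "aws_iam_policy_document" "deploy_s3" {
  statement {
    actions   = ["s3:PutObject"]
    resources = ["arn:aws:s3:::${local.bucket_name}/*"]
  }
}

# Pull request: read-only access (get objects, list the bucket).
data "aws_iam_policy_document" "pr_s3" {
  statement {
    actions   = ["s3:GetObject"]
    resources = ["arn:aws:s3:::${local.bucket_name}/*"]
  }
  statement {
    actions   = ["s3:ListBucket"]
    resources = ["arn:aws:s3:::${local.bucket_name}"]
  }
}

resource "aws_iam_role_policy" "deploy" {
  role   = aws_iam_role.deploy.id
  policy = data.aws_iam_policy_document.deploy_s3.json
}

resource "aws_iam_role_policy" "pr" {
  role   = aws_iam_role.pr.id
  policy = data.aws_iam_policy_document.pr_s3.json
}
```

Each workflow file then requests the matching role ARN through `aws-actions/configure-aws-credentials`: the deployment workflow (triggered on push to `master`) references `aws_iam_role.deploy`, the pull request workflow references `aws_iam_role.pr`. Because the trust policies check both `aud` and `sub`, a token minted for a different repository, branch or event is rejected by STS before any S3 permission is evaluated, and even a successful pull request assumption can only read.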
### Deployment (write only)

### Pull request (read only)

## Full Tutorial
Full article available at [jerrychang.ca - Security harden Github Action deployments to AWS with OIDC](https://www.jerrychang.ca/writing/security-harden-github-actions-deployments-to-aws-with-oidc)