.. .. image:: https://readthedocs.org/projects/gh-action-open-id-in-aws/badge/?version=latest
:target: https://gh-action-open-id-in-aws.readthedocs.io/en/latest/
:alt: Documentation Status
.. image:: https://github.com/MacHu-GWU/gh_action_open_id_in_aws-project/workflows/test_github_action_open_id_in_aws/badge.svg
:target: https://github.com/MacHu-GWU/gh_action_open_id_in_aws-project/actions?query=workflow:test_github_action_open_id_in_aws
.. .. image:: https://codecov.io/gh/MacHu-GWU/gh_action_open_id_in_aws-project/branch/main/graph/badge.svg
:target: https://codecov.io/gh/MacHu-GWU/gh_action_open_id_in_aws-project
.. image:: https://img.shields.io/pypi/v/gh-action-open-id-in-aws.svg
:target: https://pypi.python.org/pypi/gh-action-open-id-in-aws
.. image:: https://img.shields.io/pypi/l/gh-action-open-id-in-aws.svg
:target: https://pypi.python.org/pypi/gh-action-open-id-in-aws
.. image:: https://img.shields.io/pypi/pyversions/gh-action-open-id-in-aws.svg
:target: https://pypi.python.org/pypi/gh-action-open-id-in-aws
.. image:: https://img.shields.io/badge/Release_History!--None.svg?style=social
:target: https://github.com/MacHu-GWU/gh_action_open_id_in_aws-project/blob/main/release-history.rst
.. image:: https://img.shields.io/badge/STAR_Me_on_GitHub!--None.svg?style=social
:target: https://github.com/MacHu-GWU/gh_action_open_id_in_aws-project
------
.. .. image:: https://img.shields.io/badge/Link-Document-blue.svg
:target: https://gh-action-open-id-in-aws.readthedocs.io/en/latest/
.. .. image:: https://img.shields.io/badge/Link-API-blue.svg
:target: https://gh-action-open-id-in-aws.readthedocs.io/en/latest/py-modindex.html
.. image:: https://img.shields.io/badge/Link-Install-blue.svg
:target: `install`_
.. image:: https://img.shields.io/badge/Link-GitHub-blue.svg
:target: https://github.com/MacHu-GWU/gh_action_open_id_in_aws-project
.. image:: https://img.shields.io/badge/Link-Submit_Issue-blue.svg
:target: https://github.com/MacHu-GWU/gh_action_open_id_in_aws-project/issues
.. image:: https://img.shields.io/badge/Link-Request_Feature-blue.svg
:target: https://github.com/MacHu-GWU/gh_action_open_id_in_aws-project/issues
.. image:: https://img.shields.io/badge/Link-Download-blue.svg
:target: https://pypi.org/pypi/gh-action-open-id-in-aws#files
Welcome to ``gh_action_open_id_in_aws`` Documentation
==============================================================================
.. image:: https://github.com/MacHu-GWU/gh_action_open_id_in_aws-project/assets/6800411/b490626c-ef2f-4b86-850b-575dbe18c57e
Overview
------------------------------------------------------------------------------
To use GitHub Actions to deploy applications to AWS, we have to setup the permission properly.
The old school method is to use `Secret Environment Variable <https://docs.github.com/en/actions/security-guides/using-secrets-in-github-actions>`_ to store the `AWS IAM User <https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users.html>`_ credentials. You can store `access key abd secret key <https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html>`_ to the `AWS_ACCESS_KEY_ID 和 AWS_SECRET_ACCESS_KEY <https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-envvars.html>`_ environment variables. This is also the solution used by CircleCI.
Around Nov 2021, AWS and GitHub made the official Open ID Connection (OIDC) available. It simplifies the process of granting AWS permissions to GitHub Actions. This is the AWS recommended way, and AWS explicitly mentioned that it is `NOT recommended to use long term IAM user credential for CI/CD <https://github.com/aws-actions/configure-aws-credentials#long-term-credentials-warning-10323>`_.
**This Python tool automates the process of setting up the GitHub action open id connection in AWS**.
Reference:
- `Configuring OpenID Connect in Amazon Web Services <https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services>`_: GitHub official doc.
- `Sample IAM OIDC CloudFormation Template <https://github.com/aws-actions/configure-aws-credentials#sample-iam-oidc-cloudformation-template>`_: AWS maintained github action.
How to Use
------------------------------------------------------------------------------
**Setup GitHub OIDC Connect in an AWS account the first time**
To setup GitHub action open id connection in AWS the first time, you can do the following. This code snippet creates an GitHub OIDC Identity Provider and an IAM role to let the Identity Provider to assume using AWS CloudFormation:
.. code-block:: python
from gh_action_open_id_in_aws.impl import setup_github_action_open_id_connection_in_aws
setup_github_action_open_id_connection_in_aws(
aws_profile="your_aws_profile_here",
stack_name="cloudformation-stack-name-here",
github_org="your-github-organization-name",
github_repo="your_github_repo_name",
role_name="the_iam_role_name_to_be_assumed_by_github_actions",
)
Note that the created IAM role won't have any permission, you need to configure it yourself. Usually, GitHub action is used for CI/CD, you may need the following permissions to perform common CI/CD tasks.:
1. Manage (Create / Update / Delete) IAM Role / Policy
2. Manage (Create / Update / Delete) AWS CloudFormation stack.
3. Manage (Create / Update / Delete) AWS S3 Bucket to read / write deployment artifacts.
4. Manage (Create / Update / Delete) AWS Parameter Store to read and write parameters.
5. Manage (Create / Update / Delete) AWS ECR to push and pull container images and share it to workload AWS accounts.
6. Manage (Create / Update / Delete) AWS EC2 AMI and share it to workload AWS accounts.
7. Manage (Create / Update / Delete) AWS SNS Topic to send notifications.
Pro Tips:
The GitHub IAM Role permission should define a common name prefix to identify devops resources from other resources, avoid using ``"Resource": "*"``.
**Setup AWS Permission for Multiple GitHub Repositories**
If you have more Github repo need to access the same AWS accounts, and you want to give them different permission, you can do this. This code snippet reuse the OIDC Provider you created before (make sure you did the previous example before) and create a different IAM role, and configure IAM policy permission for the new GitHub repo:
.. code-block:: python
from boto_session_manager import BotoSesManager
from gh_action_open_id_in_aws.impl import setup_github_action_open_id_connection_in_aws
aws_profile = "your_aws_profile_here"
bsm = BotoSesManager(profile_name=aws_profile)
role_name = "the_new_iam_role_name_to_be_assumed_by_github_actions"
setup_github_action_open_id_connection_in_aws(
aws_profile=aws_profile,
stack_name="cloudformation-stack-name-here",
github_org="your-github-organization-name",
github_repo="another_github_repo_name",
role_name=role_name,
oidc_provider_arn=f"arn:aws:iam::{bsm.aws_account_id}:oidc-provider/token.actions.githubusercontent.com",
)
# let's say you want to give the new GitHub repo admin permission
bsm.iam_client.attach_role_policy(
RoleName=role_name,
PolicyArn="arn:aws:iam::aws:policy/AdministratorAccess",
)
GitHub Actions for Multi-AWS Accounts CI/CD IAM Permission Best Practice
------------------------------------------------------------------------------
If you have multiple GitHub Repositories using GitHub Actions to deploy applications to multiple environments in multiple AWS accounts, here is the best practice:
1. Supposes that you have three workload AWS Accounts ``dev_aws``, ``test_aws``, ``prod_aws``, and a ``devops_aws`` AWS account to store versioned code artifacts. These accounts could be different AWS accounts, either could be the same AWS account isolated by naming convention.
2. Supposes that you have one ``admin_repo`` GitHub repo to setup and test the cross AWS account IAM permission, and have multiple project GitHub repo ``project1_repo``, ``project2_repo``, etc ...
3. Run the following code to setup the GitHub Action OIDC provider in ``devops_aws`` account. It will create an IAM role without any permission. Please keep it as it is, we are not going to use it for any project.
.. code-block:: python
from gh_action_open_id_in_aws.impl import setup_github_action_open_id_connection_in_aws
setup_github_action_open_id_connection_in_aws(
# this AWS principal should have permission to deploy CloudFormation and IAM
aws_profile="aws_profile_for_devops_aws",
stack_name="admin-repo-with-hyphen",
github_org="your-github-org",
github_repo="admin_repo",
role_name="admin_repo_role_name",
)
4. For each project GitHub repo, run the following code to setup the IAM role in ``devops_aws`` AWS account, only for the given GitHub repo. Of course you can use ``${GitHubOrg}/*`` to give all GitHub repos in the same GitHub org the same permission, but this is not recommended. And then, you should configure the IAM role permission manually for the project GitHub repo.
.. code-block:: python
from gh_action_open_id_in_aws.impl import setup_github_action_open_id_connection_in_aws
setup_github_action_open_id_connection_in_aws(
# this AWS principal should have permission to deploy CloudFormation and IAM
aws_profile="aws_profile_for_devops_aws",
stack_name="project1-repo-with-hyphen",
github_org="your-github-org",
github_repo="project1_repo",
role_name="project1_repo_role_name",
)
5. Then refer to the `cross_aws_account_iam_role <https://github.com/MacHu-GWU/cross_aws_account_iam_role-project>`_ Python library to setup the cross AWS account IAM roles for the ``project1_repo_role_name`` in ``devops_aws`` AWS Account.
**Note**:
In general, there are two ways to setup cross AWS account IAM permission in GitHub actions:
1. ONLY setup OIDC provider and IAM role in ``devops_aws`` account, and let the IAM role in ``devops_aws`` account to assume IAM role in ``dev_aws``, ``test_aws``, ``prod_aws`` account. This is the **recommended way**.
2. Setup OIDC provider and IAM role in ``devops_aws``, ``dev_aws``, ``test_aws``, ``prod_aws`` account. And use `aws-actions/configure-aws-credentials <https://github.com/aws-actions/configure-aws-credentials>`_ GitHub Action to switch between them. This is **NOT recommended**, because it introduce more complexity and more IAM permission to manage in workload AWS accounts, which increases the risk.
**Test your Setup**
Below is a sample GitHub Actions workflow file to test your setup. You have to create four GitHub secrets ``DEVOPS_AWS_ACCOUNT_ID``, ``DEV_AWS_ACCOUNT_ID``, ``TEST_AWS_ACCOUNT_ID``, ``PROD_AWS_ACCOUNT_ID``:
.. code-block:: yaml
name: ...
on: ...
env:
AWS_REGION: us-east-1
jobs:
job_id:
runs-on: ubuntu-latest
steps:
..
- name: Configure AWS credentials for DEVOPS
uses: aws-actions/configure-aws-credentials@v3
with:
role-to-assume: arn:aws:iam::${{ secrets.DEVOPS_AWS_ACCOUNT_ID }}:role/devops_aws_iam_role
role-session-name: sample_role_session
aws-region: ${{ env.AWS_REGION }}
- name: Configure AWS credentials for DEV
uses: aws-actions/configure-aws-credentials@v3
with:
role-to-assume: arn:aws:iam::${{ secrets.DEV_AWS_ACCOUNT_ID }}:role/dev_aws_iam_role
role-session-name: sample_role_session
aws-region: ${{ env.AWS_REGION }}
- name: Configure AWS credentials for TEST
uses: aws-actions/configure-aws-credentials@v3
with:
role-to-assume: arn:aws:iam::${{ secrets.TEST_AWS_ACCOUNT_ID }}:role/test_aws_iam_role
role-session-name: sample_role_session
aws-region: ${{ env.AWS_REGION }}
- name: Configure AWS credentials for PROD
uses: aws-actions/configure-aws-credentials@v3
with:
role-to-assume: arn:aws:iam::${{ secrets.PROD_AWS_ACCOUNT_ID }}:role/prod_aws_iam_role
role-session-name: sample_role_session
aws-region: ${{ env.AWS_REGION }}
Developer Guide
------------------------------------------------------------------------------
This section is for developers who want to contribute to this project.
What under the hood is a CloudFormation template. The `gh_action_open_id_in_aws/cf.py <https://github.com/MacHu-GWU/gh_action_open_id_in_aws-project/blob/main/gh_action_open_id_in_aws/cf.py>`_ file contains the AWS CDK source code. The `cdk/cdk_synth.py <https://github.com/MacHu-GWU/gh_action_open_id_in_aws-project/blob/main/cdk/cdk_synth.py>`_ script can generate the JSON CloudFormation template using AWS CDK. The developer then can copy the output template to the `gh_action_open_id_in_aws/cft-{year}-{month}-{day}.json <https://github.com/MacHu-GWU/gh_action_open_id_in_aws-project/tree/main/gh_action_open_id_in_aws>`_ file and do local testing.
.. _install:
Install
------------------------------------------------------------------------------
``gh_action_open_id_in_aws`` is released on PyPI, so all you need is to:
.. code-block:: console
$ pip install gh-action-open-id-in-aws
To upgrade to latest version:
.. code-block:: console
$ pip install --upgrade gh-action-open-id-in-aws
Raw data
{
"_id": null,
"home_page": "https://github.com/MacHu-GWU/gh_action_open_id_in_aws-project",
"name": "gh-action-open-id-in-aws",
"maintainer": "Sanhe Hu",
"docs_url": null,
"requires_python": "",
"maintainer_email": "husanhe@gmail.com",
"keywords": "",
"author": "Sanhe Hu",
"author_email": "husanhe@gmail.com",
"download_url": "https://files.pythonhosted.org/packages/6c/f6/bf258085f369cf231f36801d6e646f9d399ba441a065d02eb02587d7c342/gh_action_open_id_in_aws-0.1.3.tar.gz",
"platform": "Windows",
"description": "\n.. .. image:: https://readthedocs.org/projects/gh-action-open-id-in-aws/badge/?version=latest\n :target: https://gh-action-open-id-in-aws.readthedocs.io/en/latest/\n :alt: Documentation Status\n\n.. image:: https://github.com/MacHu-GWU/gh_action_open_id_in_aws-project/workflows/test_github_action_open_id_in_aws/badge.svg\n :target: https://github.com/MacHu-GWU/gh_action_open_id_in_aws-project/actions?query=workflow:test_github_action_open_id_in_aws\n\n.. .. image:: https://codecov.io/gh/MacHu-GWU/gh_action_open_id_in_aws-project/branch/main/graph/badge.svg\n :target: https://codecov.io/gh/MacHu-GWU/gh_action_open_id_in_aws-project\n\n.. image:: https://img.shields.io/pypi/v/gh-action-open-id-in-aws.svg\n :target: https://pypi.python.org/pypi/gh-action-open-id-in-aws\n\n.. image:: https://img.shields.io/pypi/l/gh-action-open-id-in-aws.svg\n :target: https://pypi.python.org/pypi/gh-action-open-id-in-aws\n\n.. image:: https://img.shields.io/pypi/pyversions/gh-action-open-id-in-aws.svg\n :target: https://pypi.python.org/pypi/gh-action-open-id-in-aws\n\n.. image:: https://img.shields.io/badge/Release_History!--None.svg?style=social\n :target: https://github.com/MacHu-GWU/gh_action_open_id_in_aws-project/blob/main/release-history.rst\n\n.. image:: https://img.shields.io/badge/STAR_Me_on_GitHub!--None.svg?style=social\n :target: https://github.com/MacHu-GWU/gh_action_open_id_in_aws-project\n\n------\n\n.. .. image:: https://img.shields.io/badge/Link-Document-blue.svg\n :target: https://gh-action-open-id-in-aws.readthedocs.io/en/latest/\n\n.. .. image:: https://img.shields.io/badge/Link-API-blue.svg\n :target: https://gh-action-open-id-in-aws.readthedocs.io/en/latest/py-modindex.html\n\n.. image:: https://img.shields.io/badge/Link-Install-blue.svg\n :target: `install`_\n\n.. image:: https://img.shields.io/badge/Link-GitHub-blue.svg\n :target: https://github.com/MacHu-GWU/gh_action_open_id_in_aws-project\n\n.. image:: https://img.shields.io/badge/Link-Submit_Issue-blue.svg\n :target: https://github.com/MacHu-GWU/gh_action_open_id_in_aws-project/issues\n\n.. image:: https://img.shields.io/badge/Link-Request_Feature-blue.svg\n :target: https://github.com/MacHu-GWU/gh_action_open_id_in_aws-project/issues\n\n.. image:: https://img.shields.io/badge/Link-Download-blue.svg\n :target: https://pypi.org/pypi/gh-action-open-id-in-aws#files\n\n\nWelcome to ``gh_action_open_id_in_aws`` Documentation\n==============================================================================\n.. image:: https://github.com/MacHu-GWU/gh_action_open_id_in_aws-project/assets/6800411/b490626c-ef2f-4b86-850b-575dbe18c57e\n\n\nOverview\n------------------------------------------------------------------------------\nTo use GitHub Actions to deploy applications to AWS, we have to setup the permission properly.\n\nThe old school method is to use `Secret Environment Variable <https://docs.github.com/en/actions/security-guides/using-secrets-in-github-actions>`_ to store the `AWS IAM User <https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users.html>`_ credentials. You can store `access key abd secret key <https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html>`_ to the `AWS_ACCESS_KEY_ID \u548c AWS_SECRET_ACCESS_KEY <https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-envvars.html>`_ environment variables. This is also the solution used by CircleCI.\n\nAround Nov 2021, AWS and GitHub made the official Open ID Connection (OIDC) available. It simplifies the process of granting AWS permissions to GitHub Actions. This is the AWS recommended way, and AWS explicitly mentioned that it is `NOT recommended to use long term IAM user credential for CI/CD <https://github.com/aws-actions/configure-aws-credentials#long-term-credentials-warning-10323>`_.\n\n**This Python tool automates the process of setting up the GitHub action open id connection in AWS**.\n\nReference:\n\n- `Configuring OpenID Connect in Amazon Web Services <https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services>`_: GitHub official doc.\n- `Sample IAM OIDC CloudFormation Template <https://github.com/aws-actions/configure-aws-credentials#sample-iam-oidc-cloudformation-template>`_: AWS maintained github action.\n\n\nHow to Use\n------------------------------------------------------------------------------\n**Setup GitHub OIDC Connect in an AWS account the first time**\n\nTo setup GitHub action open id connection in AWS the first time, you can do the following. This code snippet creates an GitHub OIDC Identity Provider and an IAM role to let the Identity Provider to assume using AWS CloudFormation:\n\n.. code-block:: python\n\n from gh_action_open_id_in_aws.impl import setup_github_action_open_id_connection_in_aws\n\n setup_github_action_open_id_connection_in_aws(\n aws_profile=\"your_aws_profile_here\",\n stack_name=\"cloudformation-stack-name-here\",\n github_org=\"your-github-organization-name\",\n github_repo=\"your_github_repo_name\",\n role_name=\"the_iam_role_name_to_be_assumed_by_github_actions\",\n )\n\nNote that the created IAM role won't have any permission, you need to configure it yourself. Usually, GitHub action is used for CI/CD, you may need the following permissions to perform common CI/CD tasks.:\n\n1. Manage (Create / Update / Delete) IAM Role / Policy\n2. Manage (Create / Update / Delete) AWS CloudFormation stack.\n3. Manage (Create / Update / Delete) AWS S3 Bucket to read / write deployment artifacts.\n4. Manage (Create / Update / Delete) AWS Parameter Store to read and write parameters.\n5. Manage (Create / Update / Delete) AWS ECR to push and pull container images and share it to workload AWS accounts.\n6. Manage (Create / Update / Delete) AWS EC2 AMI and share it to workload AWS accounts.\n7. Manage (Create / Update / Delete) AWS SNS Topic to send notifications.\n\nPro Tips:\n\n The GitHub IAM Role permission should define a common name prefix to identify devops resources from other resources, avoid using ``\"Resource\": \"*\"``.\n\n**Setup AWS Permission for Multiple GitHub Repositories**\n\nIf you have more Github repo need to access the same AWS accounts, and you want to give them different permission, you can do this. This code snippet reuse the OIDC Provider you created before (make sure you did the previous example before) and create a different IAM role, and configure IAM policy permission for the new GitHub repo:\n\n.. code-block:: python\n\n from boto_session_manager import BotoSesManager\n from gh_action_open_id_in_aws.impl import setup_github_action_open_id_connection_in_aws\n\n aws_profile = \"your_aws_profile_here\"\n bsm = BotoSesManager(profile_name=aws_profile)\n role_name = \"the_new_iam_role_name_to_be_assumed_by_github_actions\"\n\n setup_github_action_open_id_connection_in_aws(\n aws_profile=aws_profile,\n stack_name=\"cloudformation-stack-name-here\",\n github_org=\"your-github-organization-name\",\n github_repo=\"another_github_repo_name\",\n role_name=role_name,\n oidc_provider_arn=f\"arn:aws:iam::{bsm.aws_account_id}:oidc-provider/token.actions.githubusercontent.com\",\n )\n\n # let's say you want to give the new GitHub repo admin permission\n bsm.iam_client.attach_role_policy(\n RoleName=role_name,\n PolicyArn=\"arn:aws:iam::aws:policy/AdministratorAccess\",\n )\n\n\nGitHub Actions for Multi-AWS Accounts CI/CD IAM Permission Best Practice\n------------------------------------------------------------------------------\nIf you have multiple GitHub Repositories using GitHub Actions to deploy applications to multiple environments in multiple AWS accounts, here is the best practice:\n\n1. Supposes that you have three workload AWS Accounts ``dev_aws``, ``test_aws``, ``prod_aws``, and a ``devops_aws`` AWS account to store versioned code artifacts. These accounts could be different AWS accounts, either could be the same AWS account isolated by naming convention.\n2. Supposes that you have one ``admin_repo`` GitHub repo to setup and test the cross AWS account IAM permission, and have multiple project GitHub repo ``project1_repo``, ``project2_repo``, etc ...\n3. Run the following code to setup the GitHub Action OIDC provider in ``devops_aws`` account. It will create an IAM role without any permission. Please keep it as it is, we are not going to use it for any project.\n\n.. code-block:: python\n\n from gh_action_open_id_in_aws.impl import setup_github_action_open_id_connection_in_aws\n\n setup_github_action_open_id_connection_in_aws(\n # this AWS principal should have permission to deploy CloudFormation and IAM\n aws_profile=\"aws_profile_for_devops_aws\",\n stack_name=\"admin-repo-with-hyphen\",\n github_org=\"your-github-org\",\n github_repo=\"admin_repo\",\n role_name=\"admin_repo_role_name\",\n )\n\n4. For each project GitHub repo, run the following code to setup the IAM role in ``devops_aws`` AWS account, only for the given GitHub repo. Of course you can use ``${GitHubOrg}/*`` to give all GitHub repos in the same GitHub org the same permission, but this is not recommended. And then, you should configure the IAM role permission manually for the project GitHub repo.\n\n.. code-block:: python\n\n from gh_action_open_id_in_aws.impl import setup_github_action_open_id_connection_in_aws\n\n setup_github_action_open_id_connection_in_aws(\n # this AWS principal should have permission to deploy CloudFormation and IAM\n aws_profile=\"aws_profile_for_devops_aws\",\n stack_name=\"project1-repo-with-hyphen\",\n github_org=\"your-github-org\",\n github_repo=\"project1_repo\",\n role_name=\"project1_repo_role_name\",\n )\n\n5. Then refer to the `cross_aws_account_iam_role <https://github.com/MacHu-GWU/cross_aws_account_iam_role-project>`_ Python library to setup the cross AWS account IAM roles for the ``project1_repo_role_name`` in ``devops_aws`` AWS Account.\n\n**Note**:\n\nIn general, there are two ways to setup cross AWS account IAM permission in GitHub actions:\n\n1. ONLY setup OIDC provider and IAM role in ``devops_aws`` account, and let the IAM role in ``devops_aws`` account to assume IAM role in ``dev_aws``, ``test_aws``, ``prod_aws`` account. This is the **recommended way**.\n2. Setup OIDC provider and IAM role in ``devops_aws``, ``dev_aws``, ``test_aws``, ``prod_aws`` account. And use `aws-actions/configure-aws-credentials <https://github.com/aws-actions/configure-aws-credentials>`_ GitHub Action to switch between them. This is **NOT recommended**, because it introduce more complexity and more IAM permission to manage in workload AWS accounts, which increases the risk.\n\n**Test your Setup**\n\nBelow is a sample GitHub Actions workflow file to test your setup. You have to create four GitHub secrets ``DEVOPS_AWS_ACCOUNT_ID``, ``DEV_AWS_ACCOUNT_ID``, ``TEST_AWS_ACCOUNT_ID``, ``PROD_AWS_ACCOUNT_ID``:\n\n.. code-block:: yaml\n\n name: ...\n on: ...\n env:\n AWS_REGION: us-east-1\n jobs:\n job_id:\n runs-on: ubuntu-latest\n steps:\n ..\n - name: Configure AWS credentials for DEVOPS\n uses: aws-actions/configure-aws-credentials@v3\n with:\n role-to-assume: arn:aws:iam::${{ secrets.DEVOPS_AWS_ACCOUNT_ID }}:role/devops_aws_iam_role\n role-session-name: sample_role_session\n aws-region: ${{ env.AWS_REGION }}\n - name: Configure AWS credentials for DEV\n uses: aws-actions/configure-aws-credentials@v3\n with:\n role-to-assume: arn:aws:iam::${{ secrets.DEV_AWS_ACCOUNT_ID }}:role/dev_aws_iam_role\n role-session-name: sample_role_session\n aws-region: ${{ env.AWS_REGION }}\n - name: Configure AWS credentials for TEST\n uses: aws-actions/configure-aws-credentials@v3\n with:\n role-to-assume: arn:aws:iam::${{ secrets.TEST_AWS_ACCOUNT_ID }}:role/test_aws_iam_role\n role-session-name: sample_role_session\n aws-region: ${{ env.AWS_REGION }}\n - name: Configure AWS credentials for PROD\n uses: aws-actions/configure-aws-credentials@v3\n with:\n role-to-assume: arn:aws:iam::${{ secrets.PROD_AWS_ACCOUNT_ID }}:role/prod_aws_iam_role\n role-session-name: sample_role_session\n aws-region: ${{ env.AWS_REGION }}\n\n\nDeveloper Guide\n------------------------------------------------------------------------------\nThis section is for developers who want to contribute to this project.\n\nWhat under the hood is a CloudFormation template. The `gh_action_open_id_in_aws/cf.py <https://github.com/MacHu-GWU/gh_action_open_id_in_aws-project/blob/main/gh_action_open_id_in_aws/cf.py>`_ file contains the AWS CDK source code. The `cdk/cdk_synth.py <https://github.com/MacHu-GWU/gh_action_open_id_in_aws-project/blob/main/cdk/cdk_synth.py>`_ script can generate the JSON CloudFormation template using AWS CDK. The developer then can copy the output template to the `gh_action_open_id_in_aws/cft-{year}-{month}-{day}.json <https://github.com/MacHu-GWU/gh_action_open_id_in_aws-project/tree/main/gh_action_open_id_in_aws>`_ file and do local testing.\n\n\n.. _install:\n\nInstall\n------------------------------------------------------------------------------\n\n``gh_action_open_id_in_aws`` is released on PyPI, so all you need is to:\n\n.. code-block:: console\n\n $ pip install gh-action-open-id-in-aws\n\nTo upgrade to latest version:\n\n.. code-block:: console\n\n $ pip install --upgrade gh-action-open-id-in-aws\n",
"bugtrack_url": null,
"license": "MIT",
"summary": "Setup github action open id in AWS made easy.",
"version": "0.1.3",
"project_urls": {
"Download": "https://pypi.python.org/pypi/gh_action_open_id_in_aws/0.1.3#downloads",
"Homepage": "https://github.com/MacHu-GWU/gh_action_open_id_in_aws-project"
},
"split_keywords": [],
"urls": [
{
"comment_text": "",
"digests": {
"blake2b_256": "a3b83fb1531ef575db95e29a72b0a736ae32469e1d311cdb78877fe3afd30044",
"md5": "9a6b6b8f27247912263718243eb56ab6",
"sha256": "08dabd92c348f2a0f063b6b8f0c0678b834a5453a5d92be56b6a906b34b468d2"
},
"downloads": -1,
"filename": "gh_action_open_id_in_aws-0.1.3-py3-none-any.whl",
"has_sig": false,
"md5_digest": "9a6b6b8f27247912263718243eb56ab6",
"packagetype": "bdist_wheel",
"python_version": "py3",
"requires_python": null,
"size": 14465,
"upload_time": "2023-12-19T05:17:06",
"upload_time_iso_8601": "2023-12-19T05:17:06.321447Z",
"url": "https://files.pythonhosted.org/packages/a3/b8/3fb1531ef575db95e29a72b0a736ae32469e1d311cdb78877fe3afd30044/gh_action_open_id_in_aws-0.1.3-py3-none-any.whl",
"yanked": false,
"yanked_reason": null
},
{
"comment_text": "",
"digests": {
"blake2b_256": "6cf6bf258085f369cf231f36801d6e646f9d399ba441a065d02eb02587d7c342",
"md5": "221aeafae61dd588d6c74ccb9fe3936a",
"sha256": "ad9f1ffc9535694f09eaa01cc1125511f8d7f77711460a7f57183e75cd299d3d"
},
"downloads": -1,
"filename": "gh_action_open_id_in_aws-0.1.3.tar.gz",
"has_sig": false,
"md5_digest": "221aeafae61dd588d6c74ccb9fe3936a",
"packagetype": "sdist",
"python_version": "source",
"requires_python": null,
"size": 18431,
"upload_time": "2023-12-19T05:17:08",
"upload_time_iso_8601": "2023-12-19T05:17:08.248942Z",
"url": "https://files.pythonhosted.org/packages/6c/f6/bf258085f369cf231f36801d6e646f9d399ba441a065d02eb02587d7c342/gh_action_open_id_in_aws-0.1.3.tar.gz",
"yanked": false,
"yanked_reason": null
}
],
"upload_time": "2023-12-19 05:17:08",
"github": true,
"gitlab": false,
"bitbucket": false,
"codeberg": false,
"github_user": "MacHu-GWU",
"github_project": "gh_action_open_id_in_aws-project",
"travis_ci": false,
"coveralls": true,
"github_actions": true,
"requirements": [],
"lcname": "gh-action-open-id-in-aws"
}
JSON
