This GitHub Action allows you to use your GitHub OIDC identity to make AWS SigV4 signed requests to API Gateway with IAM authentication.
- Publish workflow metrics, such as workflow/step duration, pass/fail, unit-test coverage, etc., from within your GitHub Actions workflows.
- Send data to a backend service protected by IAM authorization by calling the appropriate API Gateway endpoint with a `POST` or `PUT` request.
- Retrieve data from a backend service protected by IAM authorization by calling the appropriate API Gateway endpoint.
- Proxy data directly to an AWS service like SQS, SNS, or Kinesis using an endpoint method with the `AWS Service` integration type.
In general, this action can be used to access any application that is fronted by AWS API Gateway and protected by IAM authorization.
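
What a SigV4-signed request to an IAM-protected API Gateway endpoint consists of, as an added example that is not taken from this action's source. The function name `signRequest`, the endpoint URL and the credentials are constructed for illustration; in a workflow the credentials would be the temporary ones returned by the OIDC role assumption.

```javascript
// Added example, not the action's source: SigV4 signing for API Gateway IAM auth.
const { createHash, createHmac } = require('node:crypto');

const sha256Hex = (s) => createHash('sha256').update(s, 'utf8').digest('hex');
const hmac = (key, s) => createHmac('sha256', key).update(s, 'utf8').digest();
// Strict RFC 3986 percent-encoding, as SigV4 requires.
const enc = (s) => encodeURIComponent(s)
  .replace(/[!'()*]/g, (c) => '%' + c.charCodeAt(0).toString(16).toUpperCase());
const byKeyThenValue = ([a, x], [b, y]) => (a < b ? -1 : a > b ? 1 : x < y ? -1 : x > y ? 1 : 0);

function signRequest({ method = 'GET', url, headers = {}, body = '', region, creds, now = new Date() }) {
  const u = new URL(url);
  const amzDate = now.toISOString().replace(/[-:]|\.\d{3}/g, ''); // 20240102T030405Z
  const scope = `${amzDate.slice(0, 8)}/${region}/execute-api/aws4_request`;
  // Every header below is covered by the signature, including the session token.
  const all = { host: u.host, 'x-amz-date': amzDate };
  if (creds.sessionToken) all['x-amz-security-token'] = creds.sessionToken;
  for (const [k, v] of Object.entries(headers)) {
    all[k.toLowerCase()] ??= String(v).trim().replace(/\s+/g, ' ');
  }
  const canon = Object.entries(all).sort(byKeyThenValue);
  const signedHeaders = canon.map(([k]) => k).join(';');
  const canonicalRequest = [
    method.toUpperCase(),
    // Non-S3 services: each path segment is URI-encoded twice.
    u.pathname.split('/').map((p) => enc(enc(decodeURIComponent(p)))).join('/'),
    [...u.searchParams].map(([k, v]) => [enc(k), enc(v)]).sort(byKeyThenValue)
      .map((kv) => kv.join('=')).join('&'),
    canon.map(([k, v]) => `${k}:${v}\n`).join(''),
    signedHeaders,
    sha256Hex(body), // the payload hash binds the body to the signature
  ].join('\n');
  const stringToSign = ['AWS4-HMAC-SHA256', amzDate, scope, sha256Hex(canonicalRequest)].join('\n');
  // Key derivation chain: secret -> date -> region -> service -> "aws4_request".
  const signingKey = scope.split('/')
    .reduce((key, part) => hmac(key, part), `AWS4${creds.secretAccessKey}`);
  const signature = hmac(signingKey, stringToSign).toString('hex');
  return {
    ...all,
    authorization: `AWS4-HMAC-SHA256 Credential=${creds.accessKeyId}/${scope}, `
      + `SignedHeaders=${signedHeaders}, Signature=${signature}`,
  };
}

// Constructed sample input: placeholder credentials and endpoint, nothing is sent.
const demo = signRequest({
  method: 'POST', url: 'https://abc123.execute-api.us-east-2.amazonaws.com/prod/metrics',
  body: '{"foo": "bar"}', region: 'us-east-2',
  creds: { accessKeyId: 'AKIDEXAMPLE', secretAccessKey: 'constructed', sessionToken: 'constructed' },
});
console.log(demo.authorization);
```

Because the body hash, the region and the session token all feed the signature, a request altered in transit or replayed against another region fails IAM authorization.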
- GitHub OIDC provider configured within AWS - example CloudFormation
- AWS IAM role with trust policy - example CloudFormation
- AWS API Gateway endpoint with IAM authentication - example CloudFormation
- If this is the first time setting up an API Gateway with logging, you may also need to create an IAM role to grant API Gateway the permission to write to CloudWatch Logs
```yaml
- uses: jveldboom/action-aws-apigw-oidc-request@v1
  with:
    # AWS IAM role arn to assume via OIDC
    # [Learn more about GitHub OIDC with AWS](https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services)
    aws-role-to-assume: ''

    # AWS region name (eg: us-east-2, us-west-2)
    # Note: the region must be set to the region where your API Gateway is hosted
    aws-region: ''

    # API Gateway URL
    url: ''

    # Request method (eg GET, POST, PUT)
    # Default: GET
    method: ''

    # Request headers in multi-line key: value format
    # headers: |
    #   content-type: application/json
    #   cache-control: max-age=0
    headers: ''

    # Request body payload in JSON string format
    # Example: '{"foo": "bar"}'
    payload: ''

    # Max number of request retries
    # Default: 0
    max-retries: ''
```
- `status-code`: response status code
- `headers`: response headers
- `body`: response body
```yaml
name: API Gateway Request
on: [ push ]
jobs:
  api-request:
    runs-on: ubuntu-latest
    permissions:
      id-token: write # required for OIDC
      contents: read
    steps:
      - uses: actions/checkout@v3
      - name: Call API Gateway
        id: call-api
        uses: jveldboom/action-aws-apigw-oidc-request@v1
        with:
          aws-role-to-assume: arn:aws:iam::123456789012:role/example-oidc-role
          aws-region: us-east-2
          url: http://example.com/auth/iam
          method: POST
          payload: '{"foo": "bar"}'
          max-retries: 3
      - name: Print response
        # Outputs are read through the step id (call-api), not the job id.
        # They are passed via env so response content is never interpolated into the script.
        env:
          STATUS_CODE: ${{ steps.call-api.outputs.status-code }}
          HEADERS: ${{ steps.call-api.outputs.headers }}
          BODY: ${{ steps.call-api.outputs.body }}
        run: |
          echo "Status code: $STATUS_CODE"
          echo "Headers: $HEADERS"
          echo "Body: $BODY"
```
- deploy example infrastructure on pushes to main
This action is licensed under the MIT License. See the LICENSE file for more information.