-
Notifications
You must be signed in to change notification settings - Fork 14
/
Copy pathoidc-cfn.yaml
69 lines (64 loc) · 2.4 KB
/
oidc-cfn.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
AWSTemplateFormatVersion: 2010-09-09
Description: >
Creates and OIDC provider and role for use with GitHub Actions.
For more information on using OIDC to connect to AWS from GitHub Actions,
see https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services.
You can deploy this stack by the following command:
aws cloudformation deploy --stack-name GHA-ROLE-STACK --template-file oidc-cfn.yaml --capabilities CAPABILITY_IAM
Parameters:
SubjectClaimFilters:
Type: CommaDelimitedList
Default: "repo:tmokmss/bedrock-review-test:*"
Description: >
Subject claim filter for valid tokens.
See https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#example-subject-claims
for examples of fitlering by branch or deployment environment.
Metadata:
AWS::CloudFormation::Interface:
ParameterGroups:
- Label:
default: "GitHub Action Info"
Parameters:
- SubjectClaimFilters
Resources:
GitHubIdentityProvider:
Type: AWS::IAM::OIDCProvider
Properties:
Url: https://token.actions.githubusercontent.com
ThumbprintList:
- "1234567890123456789012345678901234567890"
ClientIdList:
- sts.amazonaws.com
GitHubActionsServiceRole:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Version: "2012-10-17"
Statement:
- Sid: RoleForGitHubActions
Effect: Allow
Principal:
Federated: !GetAtt GitHubIdentityProvider.Arn
Action:
- "sts:AssumeRoleWithWebIdentity"
Condition:
StringEquals:
"token.actions.githubusercontent.com:aud": sts.amazonaws.com
StringLike:
"token.actions.githubusercontent.com:sub": !Ref SubjectClaimFilters
Description: Service Role for use in GitHub Actions
ServiceRolePolicy:
Type: 'AWS::IAM::RolePolicy'
Properties:
PolicyName: root
PolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: Allow
Action: 'bedrock:InvokeModel'
Resource: '*'
RoleName: !Ref GitHubActionsServiceRole
Outputs:
ServiceRoleARN:
Description: arn of service role for use in GitHub actions
Value: !GetAtt GitHubActionsServiceRole.Arn