All technological notes.
Ref:
IAM
OIDC identity provider URL: https://token.actions.githubusercontent.com
Audience: sts.amazonaws.com if you are using the official action.
Role name: GitHubActionRole-*
Trust policy placeholders:
ACCOUNT_ID: AWS account ID
USER_NAME: GitHub user
REPO_NAME: Repo name

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::<ACCOUNT_ID>:oidc-provider/token.actions.githubusercontent.com"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "token.actions.githubusercontent.com:aud": "sts.amazonaws.com"
        },
        "StringLike": {
          "token.actions.githubusercontent.com:sub": "repo:USER_NAME/REPO_NAME:*"
        }
      }
    }
  ]
}
```
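As an added example (not part of the original notes), the script below loads a copy of the trust policy above, evaluates its `aud`/`sub` conditions against constructed sample token claims the way STS would, and audits the policy for conditions that would admit other audiences or repositories. The account ID `123456789012`, the sample claims, and the `main_branch_only` helper (which tightens the notes' `:*` suffix to pushes on `main`) are all assumptions introduced here.

```python
"""Added example (not from the original notes): evaluate and audit the GitHub
OIDC trust policy. Account ID is a placeholder; token claims are constructed."""
import json
import re

ISSUER = "token.actions.githubusercontent.com"

# Copy of the trust policy from the notes, with a placeholder account ID.
TRUST_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::123456789012:oidc-provider/token.actions.githubusercontent.com"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {"token.actions.githubusercontent.com:aud": "sts.amazonaws.com"},
        "StringLike": {"token.actions.githubusercontent.com:sub": "repo:USER_NAME/REPO_NAME:*"}
      }
    }
  ]
}
""")

# Constructed claims in the shape GitHub puts in its OIDC tokens (no real tokens involved).
CLAIMS_MAIN = {"aud": "sts.amazonaws.com", "sub": "repo:USER_NAME/REPO_NAME:ref:refs/heads/main"}
CLAIMS_PR = {"aud": "sts.amazonaws.com", "sub": "repo:USER_NAME/REPO_NAME:pull_request"}
CLAIMS_OTHER_REPO = {"aud": "sts.amazonaws.com", "sub": "repo:someone-else/REPO_NAME:ref:refs/heads/main"}
CLAIMS_WRONG_AUD = {"aud": "https://github.com/USER_NAME", "sub": "repo:USER_NAME/REPO_NAME:ref:refs/heads/main"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _string_like(value, pattern):
    # IAM StringLike supports only '*' (any run) and '?' (one char); everything else is literal.
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None


def _condition_met(operator, key, expected, claims):
    # Condition keys for an OIDC provider look like "<issuer>:<claim>".
    claim = claims.get(key.split(":", 1)[1])
    if claim is None:
        return False
    for pattern in _as_list(expected):
        if operator == "StringEquals" and claim == pattern:
            return True
        if operator == "StringLike" and _string_like(claim, pattern):
            return True
    return False


def can_assume(policy, claims):
    """True if some Allow statement for AssumeRoleWithWebIdentity has every condition satisfied."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRoleWithWebIdentity" not in _as_list(stmt.get("Action", [])):
            continue
        conditions = stmt.get("Condition", {})
        if all(_condition_met(op, key, expected, claims)
               for op, pairs in conditions.items()
               for key, expected in pairs.items()):
            return True
    return False


def audit_trust_policy(policy):
    """Flag statements whose conditions would admit tokens from other audiences or repositories."""
    findings = []
    for i, stmt in enumerate(policy["Statement"]):
        cond = stmt.get("Condition", {})
        if cond.get("StringEquals", {}).get(f"{ISSUER}:aud") != "sts.amazonaws.com":
            findings.append(f"statement {i}: aud is not pinned to sts.amazonaws.com")
        subs = _as_list(cond.get("StringLike", {}).get(f"{ISSUER}:sub")
                        or cond.get("StringEquals", {}).get(f"{ISSUER}:sub")
                        or [])
        if not subs:
            findings.append(f"statement {i}: no sub condition, so any GitHub repository could assume the role")
        for sub in subs:
            parts = sub.split(":")
            owner_repo = parts[1] if len(parts) >= 3 and parts[0] == "repo" else ""
            if not owner_repo or "*" in owner_repo or "?" in owner_repo:
                findings.append(f"statement {i}: sub pattern {sub!r} is not scoped to a single owner/repo")
    return findings


def main_branch_only(policy):
    """Copy of the policy whose sub condition admits only pushes to main (assumed tightening, not from the notes)."""
    tight = json.loads(json.dumps(policy))
    tight["Statement"][0]["Condition"]["StringLike"][f"{ISSUER}:sub"] = "repo:USER_NAME/REPO_NAME:ref:refs/heads/main"
    return tight


if __name__ == "__main__":
    for name, claims in [("main", CLAIMS_MAIN), ("pull_request", CLAIMS_PR),
                         ("other repo", CLAIMS_OTHER_REPO), ("wrong aud", CLAIMS_WRONG_AUD)]:
        print(f"{name:>12}: notes policy={can_assume(TRUST_POLICY, claims)} "
              f"main-only={can_assume(main_branch_only(TRUST_POLICY), claims)}")
    print("audit findings:", audit_trust_policy(TRUST_POLICY))
```

Running it shows the point of the two conditions: the `aud` check rejects a token minted for another audience, the `sub` check rejects another repository, but the notes' `repo:USER_NAME/REPO_NAME:*` pattern still admits pull_request runs and every branch of the repository; the `main_branch_only` variant is what to use when only the default branch should be able to touch Terraform state.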
Attached managed policy: AmazonVPCFullAccess

Add inline policy for S3 bucket backend.
Inline policy placeholders:
BUCKET: bucket name
KEY_PREFIX: S3 bucket key

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "S3ListBucket",
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket",
        "s3:GetBucketLocation",
        "s3:ListBucketMultipartUploads"
      ],
      "Resource": "arn:aws:s3:::<BUCKET>",
      "Condition": {
        "StringLike": {
          "s3:prefix": ["<KEY_PREFIX>/*", "<KEY_PREFIX>"]
        }
      }
    },
    {
      "Sid": "S3ObjectRW",
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:GetObjectVersion",
        "s3:PutObject",
        "s3:DeleteObject",
        "s3:AbortMultipartUpload",
        "s3:ListMultipartUploadParts"
      ],
      "Resource": "arn:aws:s3:::<BUCKET>/<KEY_PREFIX>/*"
    }
  ]
}
```

(The state-bucket label that used to sit between the statements as a `/* ... */` comment was dropped: IAM policy documents are strict JSON and reject comments; the `Sid` values carry the labels instead.)
AWS_TF_ROLE_ARN: the ARN of the OIDC role (assumed here to be stored as a repository secret)

```yaml
# The job containing this step needs `permissions: id-token: write`,
# otherwise GitHub issues no OIDC token and the role assumption fails.
- name: Configure AWS credentials (OIDC)
  uses: aws-actions/configure-aws-credentials@v4
  with:
    role-to-assume: ${{ secrets.AWS_TF_ROLE_ARN }}
    aws-region: <AWS_REGION>   # placeholder: the region is not given in the notes
```