Quick Start

This document shows how to use this Python library to set up an IAM Role for GitHub Actions to perform tasks in your AWS Account in minutes.

1. Setup GitHub Actions OIDC Provider in AWS

The first step is creating a GitHub Action OIDC Provider in your AWS account. This establishes trust between AWS and GitHub, confirming “this request is from a GitHub source I trust.”

I recommend creating only the OIDC Provider initially, without IAM roles. This approach is optimal because you may need multiple IAM roles for different GitHub repositories, all of which can reuse the same OIDC provider.

Below is example code to create the OIDC provider in an AWS account.

example_1_setup_odic_provider.py

# -*- coding: utf-8 -*-

"""
This script creates an OpenID Connect (OIDC) provider for GitHub Actions in AWS.
The OIDC provider enables federated authentication between GitHub Actions workflows
and AWS without storing long-lived credentials.

The script only sets up the OIDC provider connection and does not create any IAM roles.
This approach lets you reuse the same OIDC provider across multiple IAM roles for
different GitHub repositories, improving security and maintainability.
"""

from boto_session_manager import BotoSesManager
from aws_cloudformation.api import remove_stack
from gh_action_open_id_in_aws.impl import setup_github_action_open_id_connection_in_aws

# List your local AWS CLI profiles here, with each profile corresponding to one AWS account
# You can add multiple profiles to set up several AWS accounts in a single batch operation
aws_profile_list = [
    "bmt_app_devops_us_east_1",
    "bmt_app_dev_us_east_1",
    "bmt_app_test_us_east_1",
    "bmt_app_prod_us_east_1",
]
stack_name = "github-action-oidc-provider"


def setup():
    for aws_profile in aws_profile_list:
        deploy_stack_response = setup_github_action_open_id_connection_in_aws(
            aws_profile=aws_profile,
            stack_name=stack_name,
            github_repo_patterns=[],  # We only create OIDC provider, this value is only used for IAM role, so we can set it to empty list.
            role_name="",  # We only create OIDC provider, so no need to create IAM role for GitHub action to assume in AWS IAM.
            tags={
                "tech:project_name": "gh_action_open_id_in_aws",
                "tech:description": "The GitHub Action OIDC provider created in this stack will be reused in many IAM roles. So do not delete it.",
            },
            skip_prompt=True,
            verbose=True,
        )


def teardown():
    for aws_profile in aws_profile_list:
        bsm = BotoSesManager(profile_name=aws_profile)
        remove_stack(
            bsm=bsm,
            stack_name=stack_name,
            skip_prompt=True,
            verbose=True,
        )


setup()
# teardown()

Console Logs

======== 🚀 Deploy stack: github-action-oidc-provider =========
  📋 filter stack in AWS CloudFormation console: https://us-east-1.console.aws.amazon.com/cloudformation/home?region=us-east-1#/stacks?filteringText=github-action-oidc-provider&filteringStatus=active&viewNested=true
  🔎 create change set ...
    preview at: https://us-east-1.console.aws.amazon.com/cloudformation/home?region=us-east-1#/stacks/changesets/changes?stackId=arn:aws:cloudformation:us-east-1:111122223333:stack/github-action-oidc-provider/05f008c0-119d-11f0-bca6-128178eecf29&changeSetId=arn:aws:cloudformation:us-east-1:111122223333:changeSet/github-action-oidc-provider-2025-04-04-21-37-35-450/ea507e91-4c94-4e1b-ac47-5d4ec79c3e27
  wait for change set creation to finish ...
    on 1 th attempt, elapsed 5 seconds, remain 115 seconds ...
    reached status ChangeSetStatusEnum.CREATE_COMPLETE
           >>> Change for stack github-action-oidc-provider <<<
stack id = arn:aws:cloudformation:us-east-1:111122223333:stack/github-action-oidc-provider/05f008c0-119d-11f0-bca6-128178eecf29
change set id = arn:aws:cloudformation:us-east-1:111122223333:changeSet/github-action-oidc-provider-2025-04-04-21-37-35-450/ea507e91-4c94-4e1b-ac47-5d4ec79c3e27
+---------------------------- Change Set Statistics -----------------------------
| 🟢 Add        1 Resource
|
+--------------------------------------------------------------------------------
+----------------------------------- Changes ------------------------------------
| 🟢 📦 Add Resource:        GitHubOIDCProvider    AWS::IAM::OIDCProvider
|
+--------------------------------------------------------------------------------
    need to execute the change set to apply those changes.
  + create new stack ...
    preview at: https://us-east-1.console.aws.amazon.com/cloudformation/home?region=us-east-1#/stacks/stackinfo?stackId=arn:aws:cloudformation:us-east-1:111122223333:stack/github-action-oidc-provider/05f008c0-119d-11f0-bca6-128178eecf29
  wait for deploy to finish , if failed, wait until rollback (if possible) is finished ...
    on 1 th attempt, elapsed 5 seconds, remain 115 seconds ...
    reached status 🟢 CREATE_COMPLETE
  done

 ...
 ...
 ...

2. Create IAM Role for GitHub Actions

Now you need to create an IAM Role that GitHub Actions can assume to perform operations in your AWS Account.

Below is example code to create the IAM Role for your GitHub Actions.

example_2_setup_iam_role_for_github_repo.py

# -*- coding: utf-8 -*-

"""
This script reuse the OIDC provider created in the first example to create an IAM role
that can be assumed by GitHub Actions workflows in the specified repository.
"""

from boto_session_manager import BotoSesManager
from aws_cloudformation.api import remove_stack
from gh_action_open_id_in_aws.impl import setup_github_action_open_id_connection_in_aws

aws_profile = "bmt_app_devops_us_east_1"
project_name = "gh_action_open_id_in_aws"
project_name_slug = project_name.replace("_", "-")
stack_name = f"{project_name_slug}-test-role"
bsm = BotoSesManager(profile_name=aws_profile)


def setup():
    """
    NOTE: this script only create the IAM Role without any permissions. You need to
    add the permissions yourself.
    """
    deploy_stack_response = setup_github_action_open_id_connection_in_aws(
        aws_profile=aws_profile,
        stack_name=stack_name,
        # This time we reuse the existing OIDC provider in AWS IAM.
        oidc_provider_arn=f"arn:aws:iam::{bsm.aws_account_id}:oidc-provider/token.actions.githubusercontent.com",
        # We allow all branches in the repo to assume the role.
        github_repo_patterns=["repo:MacHu-GWU/gh_action_open_id_in_aws-project:*"],
        role_name=f"{project_name}_test_role",
        tags={
            "tech:project_name": project_name,
        },
        skip_prompt=True,
        verbose=True,
    )


def teardown():
    remove_stack(
        bsm=bsm,
        stack_name=stack_name,
        skip_prompt=True,
        verbose=True,
    )


setup()
# teardown()

Console Logs

========================= 🚀 Deploy stack: gh-action-open-id-in-aws-test-role =========================
  📋 filter stack in AWS CloudFormation console: https://us-east-1.console.aws.amazon.com/cloudformation/home?region=us-east-1#/stacks?filteringText=gh-action-open-id-in-aws-test-role&filteringStatus=active&viewNested=true
  🔎 create change set ...
    preview at: https://us-east-1.console.aws.amazon.com/cloudformation/home?region=us-east-1#/stacks/changesets/changes?stackId=arn:aws:cloudformation:us-east-1:111122223333:stack/gh-action-open-id-in-aws-test-role/a65ebe50-119d-11f0-8dde-0e45891c840f&changeSetId=arn:aws:cloudformation:us-east-1:111122223333:changeSet/gh-action-open-id-in-aws-test-role-2025-04-04-21-42-04-600/f3f406c1-b413-40cf-b4d7-8f8f6fca6579
  wait for change set creation to finish ...
    on 1 th attempt, elapsed 5 seconds, remain 115 seconds ...
    reached status ChangeSetStatusEnum.CREATE_COMPLETE
        >>> Change for stack gh-action-open-id-in-aws-test-role <<<
stack id = arn:aws:cloudformation:us-east-1:111122223333:stack/gh-action-open-id-in-aws-test-role/a65ebe50-119d-11f0-8dde-0e45891c840f
change set id = arn:aws:cloudformation:us-east-1:111122223333:changeSet/gh-action-open-id-in-aws-test-role-2025-04-04-21-42-04-600/f3f406c1-b413-40cf-b4d7-8f8f6fca6579
+---------------------------- Change Set Statistics -----------------------------
| 🟢 Add        1 Resource
|
+--------------------------------------------------------------------------------
+----------------------------------- Changes ------------------------------------
| 🟢 📦 Add Resource:        GitHubActionRole    AWS::IAM::Role
|
+--------------------------------------------------------------------------------
    need to execute the change set to apply those changes.
  + create new stack ...
    preview at: https://us-east-1.console.aws.amazon.com/cloudformation/home?region=us-east-1#/stacks/stackinfo?stackId=arn:aws:cloudformation:us-east-1:111122223333:stack/gh-action-open-id-in-aws-test-role/a65ebe50-119d-11f0-8dde-0e45891c840f
  wait for deploy to finish , if failed, wait until rollback (if possible) is finished ...
    on 5 th attempt, elapsed 25 seconds, remain 95 seconds ...
    reached status 🟢 CREATE_COMPLETE
  done

Note

The created IAM role won’t have any permission, you need to configure it yourself. Usually, GitHub action is used for CI/CD, you may need the following permissions to perform common CI/CD tasks.:

1. Manage (Create / Update / Delete) IAM Role / Policy

2. Manage (Create / Update / Delete) AWS CloudFormation stack.

3. Manage (Create / Update / Delete) AWS S3 Bucket to read / write deployment artifacts.

4. Manage (Create / Update / Delete) AWS Parameter Store to read and write parameters.

5. Manage (Create / Update / Delete) AWS ECR to push and pull container images and share it to workload AWS accounts.

6. Manage (Create / Update / Delete) AWS EC2 AMI and share it to workload AWS accounts.

7. Manage (Create / Update / Delete) AWS SNS Topic to send notifications.

Tip

The GitHub IAM Role permission should define a common name prefix to identify devops resources from other resources, avoid using "Resource": "*".

3. Test IAM Role in GitHub Actions Workflow Run

Now, let’s test the IAM Role in a real GitHub Action workflow run.

First, we need to prepare a script that uses the default credentials to create a boto3 session and print its own principal.

test_github_action_open_id_in_aws.py

# -*- coding: utf-8 -*-

"""
This script tests the AWS permission in GitHub action without showing the
AWS Account id.
"""

import boto3

# print the current AWS principal ARN (AWS account id masked)
res = boto3.client("sts").get_caller_identity()
parts = res["Arn"].split(":")
parts[4] = parts[4][:2] + "********" + parts[4][-2:]
arn = ":".join(parts)
print(arn)

Then we need to create a GitHub Actions workflow configuration file. This file uses the configure-aws-credentials GitHub action to assume the role you created in example 2.

main.yml

# The ``example_1_setup_github_action_open_id_connection_in_aws.py`` script setup
# GitHub action open id connect for three AWS accounts,
# This GitHub action workflow tests the GitHub action IAM permission
# on those three accounts
name: test_github_action_open_id_in_aws

# Controls when the action will run.
on:
  # Allows you to run this workflow manually from the Actions tab
  workflow_dispatch:

env:
  AWS_REGION: "us-east-1"
permissions:
  id-token: write # This is required for requesting the JWT
  contents: read # This is required for actions/checkout

# A workflow run is made up of one or more jobs that can run sequentially or in parallel
jobs:
  test_github_open_id_for_aws:
    runs-on: ubuntu-latest
    steps:
      - name: Git clone the repository
        uses: actions/checkout@v4 # https://github.com/marketplace/actions/checkout
      - name: Setup Python
        uses: actions/setup-python@v5 # https://github.com/marketplace/actions/setup-python
        with:
          python-version: "3.11"
      - name: Install dependencies
        run: |
          pip install boto3
      - name: Configure AWS credentials for DEVOPS
        uses: aws-actions/configure-aws-credentials@v4 # https://github.com/marketplace/actions/configure-aws-credentials-action-for-github-actions
        with:
          # AWS account ID are considered as not-sensitive, but nice to have it as a secret
          role-to-assume: arn:aws:iam::${{ secrets.DEVOPS_AWS_ACCOUNT_ID }}:role/gh_action_open_id_in_aws_test_role
          role-session-name: sample_role_session
          aws-region: ${{ env.AWS_REGION }}
      - name: Test the AWS permission for DEVOPS
        run: |
          python test_github_action_open_id_in_aws.py

Note that we don’t want to expose the AWS Account ID to the public, so we’ve created a GitHub Action secret DEVOPS_AWS_ACCOUNT_ID.

Finally, the GitHub Actions workflow run will look like this: