impl

This module automates the setup of GitHub Actions OpenID Connect (OIDC) integration with AWS. It creates the necessary AWS resources to enable secure authentication between GitHub Actions workflows and AWS services without storing long-term credentials.

gh_action_open_id_in_aws.impl.setup_github_action_open_id_connection_in_aws(aws_profile: str, stack_name: str, github_repo_patterns: list[str], role_name: str = '', oidc_provider_arn: str = '', oidc_audience: str = 'sts.amazonaws.com', tags: Dict[str, str] | None = None, skip_prompt: bool = True, verbose: bool = True) -> DeployStackResponse

Set up the OpenID Connect (OIDC) identity provider that allows GitHub Actions to assume a role in the target account.

Parameters:
  • aws_profile – AWS profile name to use for deployment. This profile should have sufficient permissions to create IAM roles and OIDC providers.

  • stack_name – Name for the CloudFormation stack that will be created.

  • github_repo_patterns – List of GitHub repository patterns that are allowed to assume the role. Each pattern must be of the form repo:${github_org}/${github_repo_name}:* or repo:${github_org}/${github_repo_name_prefix}*:*; the part after the repository may also name a specific ref instead of "*", as in the last example. Example: ["repo:MyOrg/my-repo:*", "repo:MyOrg/prefix*:*", "repo:MyOrg/another-repo:ref:refs/heads/main"]

  • role_name – Name of the IAM role to be created and assumed by GitHub Actions. If empty, the stack will only create the OIDC provider without an IAM role.

  • oidc_provider_arn – ARN of an existing GitHub OIDC provider in your AWS account. If provided, the function will reuse this provider instead of creating a new one. If empty, a new OIDC provider will be created. Format: “arn:aws:iam::{aws_account_id}:oidc-provider/token.actions.githubusercontent.com”

  • oidc_audience – Audience value for the OIDC provider, typically “sts.amazonaws.com”.

  • tags – Optional dictionary of tags to apply to AWS resources created by the stack.

  • skip_prompt – If False, you must enter "Yes" at the prompt before the deployment runs; if True (the default in the signature above), the deployment runs directly.

  • verbose – Whether to log progress information to the console.

Notes:

  • The IAM role created will not have any permissions by default. You need to attach appropriate policies after creation.

  • When reusing an existing OIDC provider (oidc_provider_arn is provided) and not creating a role (role_name is empty), no deployment will happen.

  • The stack adds standard technical tags to all resources for tracking purposes.

Returns:

DeployStackResponse object containing information about the deployment result.
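To show what the github_repo_patterns and oidc_audience parameters above express in IAM terms, here is an added example, not the module's own code, that builds a role trust policy of the kind the stack is expected to create and checks a token subject against the patterns offline. The pattern regex and the validation rules are assumptions; the claim names, federated principal and action are the standard GitHub-to-AWS OIDC ones.

```python
import re
from typing import Dict, List

# Added example (not the module's own code): the kind of IAM trust policy the
# stack is expected to attach, with aud pinned and sub scoped to the patterns.
GITHUB_OIDC_HOST = "token.actions.githubusercontent.com"
# repo:<org>/<repo or prefix*>:<ref part>; the org must be literal, never "*"
_PATTERN_RE = re.compile(r"^repo:[A-Za-z0-9_.-]+/(?:[A-Za-z0-9_.-]+\*?|\*):.+$")


def validate_repo_pattern(pattern: str) -> str:
    if not _PATTERN_RE.match(pattern):
        raise ValueError(f"invalid GitHub repo pattern: {pattern!r}")
    return pattern


def build_trust_policy(oidc_provider_arn: str, github_repo_patterns: List[str],
                       oidc_audience: str = "sts.amazonaws.com") -> Dict:
    patterns = [validate_repo_pattern(p) for p in github_repo_patterns]
    if not patterns:
        raise ValueError("at least one repository pattern is required")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": oidc_provider_arn},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                # aud is an exact match: a token minted for another audience is refused
                "StringEquals": {f"{GITHUB_OIDC_HOST}:aud": oidc_audience},
                # all sub patterns go under StringLike (literals still match exactly);
                # a StringEquals on the same key would be AND-ed and lock everyone out
                "StringLike": {f"{GITHUB_OIDC_HOST}:sub": patterns},
            },
        }],
    }


def subject_allowed(subject: str, github_repo_patterns: List[str]) -> bool:
    """Offline check of a token's sub claim, mimicking IAM StringLike ('*' = any run)."""
    for pattern in github_repo_patterns:
        if re.fullmatch(re.escape(pattern).replace(r"\*", ".*"), subject):
            return True
    return False
```

The role still has no permissions of its own after this; the trust policy only decides which workflow runs may assume it.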