- log in to security tooling AWS account and go to IAM
- select Identity providers
- add an Identity Provider
- choose OpenID Connect
- for the Provider URL enter token.actions.githubusercontent.com
- press Get thumbprint
- for Audience enter sts.amazonaws.com
- press Add Provider
- select the newly added Identity Provider
- press Assign Role
- select Create a new role
- press Next
- for Audience, choose sts.amazonaws.com from the drop-down
- press Next: Permissions
- select the domain-protect-deploy policy
- press Next: Tags
- press Next: Review
- name the new role domain-protect-oidc-github
- enter appropriate description
- press Create role
- edit Trust Policy - THIS MUST BE DONE IMMEDIATELY - OTHERWISE ANYONE IN THE WORLD CAN ASSUME THE ROLE
- enter the second condition key (the sub claim) under StringEquals, so the role can only be assumed from the named repository environments:

    "Condition": {
      "StringEquals": {
        "token.actions.githubusercontent.com:aud": "sts.amazonaws.com",
        "token.actions.githubusercontent.com:sub": [
          "repo:YOUR_GITHUB_ORG/domain-protect-deploy:environment:dev",
          "repo:YOUR_GITHUB_ORG/domain-protect-deploy:environment:prd"
        ]
      }
    }

- the environment names must match the environments set up in the GitHub Actions deploy pipeline
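A check for the trust-policy step above, added here as an example and not part of the domain-protect project: it parses a role trust policy, reports whether the sub claim is pinned to the expected repository environments, and rewrites the Condition block to the form shown. The sample policy, its account ID and the org name are constructed placeholders.

```python
import json

GITHUB_OIDC = "token.actions.githubusercontent.com"

# Constructed sample: the trust policy as the IAM wizard creates it, before the
# "sub" condition is added. The account ID is a placeholder, not a real value.
UNSCOPED_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": f"arn:aws:iam::123456789012:oidc-provider/{GITHUB_OIDC}"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {"StringEquals": {f"{GITHUB_OIDC}:aud": "sts.amazonaws.com"}},
    }],
})


def scoped_condition(org, repo, environments):
    """Condition block as on the page: aud pinned to STS, sub pinned to repo environments."""
    return {"StringEquals": {
        f"{GITHUB_OIDC}:aud": "sts.amazonaws.com",
        f"{GITHUB_OIDC}:sub": [f"repo:{org}/{repo}:environment:{env}" for env in environments],
    }}


def trust_policy_findings(policy_json, org, repo, environments):
    """Return the problems found in a GitHub OIDC trust policy (empty list = properly scoped)."""
    expected = set(scoped_condition(org, repo, environments)["StringEquals"][f"{GITHUB_OIDC}:sub"])
    findings = []
    for stmt in json.loads(policy_json).get("Statement", []):
        if stmt.get("Effect") != "Allow" or stmt.get("Action") != "sts:AssumeRoleWithWebIdentity":
            continue
        equals = stmt.get("Condition", {}).get("StringEquals", {})
        if equals.get(f"{GITHUB_OIDC}:aud") != "sts.amazonaws.com":
            findings.append("aud is not pinned to sts.amazonaws.com")
        subs = equals.get(f"{GITHUB_OIDC}:sub")
        if subs is None:
            # Only aud is checked: every GitHub repository presents that audience.
            findings.append("no sub condition: any GitHub repository can assume this role")
            continue
        subs = {subs} if isinstance(subs, str) else set(subs)
        findings += [f"unexpected sub: {s}" for s in sorted(subs - expected)]
        findings += [f"missing sub: {s}" for s in sorted(expected - subs)]
    return findings


def apply_scoped_condition(policy_json, org, repo, environments):
    """Return the policy with each AssumeRoleWithWebIdentity statement's Condition replaced."""
    policy = json.loads(policy_json)
    for stmt in policy["Statement"]:
        if stmt.get("Action") == "sts:AssumeRoleWithWebIdentity":
            stmt["Condition"] = scoped_condition(org, repo, environments)
    return json.dumps(policy, indent=2)
```

Run trust_policy_findings against the role's current trust policy (for example the output of `aws iam get-role`) after the edit to confirm the sub pin is in place.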