Terraform deploying IAM roles to AWS, and Github Actions accessing AWS securely

[DevOps] - Secure AWS Connection in Github Actions


Level: Intermediate | Techs: AWS, GitHub, Terraform

As more organizations embrace cloud-native development, secure and efficient CI/CD pipelines have become paramount. In this article, we'll dive into how you can establish a secure connection to AWS without relying on long-lived access keys that could be leaked or compromised. We'll leverage Terraform to create and deploy an ECR repository, set up the necessary OIDC provider, and create an IAM role, always taking into account the principle of Least Privilege.

Why Secure AWS Authentication Matters

AWS credentials are the keys to your cloud kingdom, and securing them is paramount. Traditionally, developers have relied on storing static access keys as GitHub secrets, which poses significant security risks if those keys are exposed or not rotated. With our new Terraform module, we aim to provide a more secure and convenient approach to AWS authentication by using Assume Role with short-lived credentials issued through OIDC.

Fast Deploy: Terraform Module

The Terraform module "[GithubActions] Auth to AWS securely" sets up the necessary AWS resources to enable secure authentication using Assume Role in GitHub Actions. It creates an OIDC Provider that trusts GitHub Actions tokens, sets up a Role to be assumed, and configures granular permissions for the Role.

You can find the module at: https://github.com/rafaeldomi/tf-mod-ghact-ecr. You'll find the module itself and an example of usage.

Key Features

  1. Enhanced Security: By using Assume Role, you no longer need to share access keys. Credentials are short-lived and scoped to the role, which reduces the risk of accidental exposure and strengthens the security of your AWS infrastructure.

  2. Easy Integration: The module integrates seamlessly with GitHub Actions, enabling you to use AWS resources securely without any complex setup. It is also very simple to add to an existing (possibly already deployed) Terraform project.

  3. Flexible Configuration: You can easily customize the module to fit your specific requirements, starting with the list of repositories allowed to assume the Role. If something is missing, I strongly encourage you to contribute to the project or open an issue on GitHub.

How To

Getting started with the Terraform module is a breeze. You only need to call the module and define a few parameters. Let's look at a quick example:

module "auth-ecr-github" {
  # Point to the module source in GitHub.
  # Terraform expects the subdirectory after "//" and the version ref as the query string.
  # Always check for the latest version.
  source = "github.com/rafaeldomi/tf-mod-ghact-ecr//modules/auth-ecr-github?ref=v01"

  role_name = "github-actions-role"

  # Repositories allowed to assume the role, expressed as GitHub OIDC subject patterns.
  # "repo:{org/owner}/{repo-name}:*" allows any branch, tag or environment of that repo;
  # use a tighter pattern such as "repo:{org/owner}/{repo-name}:ref:refs/heads/main"
  # when only one branch should be able to deploy.
  allow_repo = [
    "repo:{org/owner}/{repo-name}:*"
  ]
}

# This value will be used in the GitHub Action (role-to-assume)
output "role_arn" {
  value = module.auth-ecr-github.role_arn
}


GitHub Actions

To leverage the benefits of the module, you'll need to configure the GitHub Actions workflow YAML (.github/workflows/main.yml) file. Here's an example:

name: Pipeline

on:
  push:
    branches: [ main ]

# id-token: write is required so the job can request an OIDC token from GitHub.
# contents: read is enough for checkout alone; keep write only if a later step pushes to the repo.
permissions:
  id-token: write
  contents: write

jobs:
  build:
    name: Build Image
    runs-on: ubuntu-latest

    steps:
    - name: Checkout code
      uses: actions/checkout@v3

    # >> This is the step that connects and authenticates to AWS <<
    # Replace the placeholders with the role_arn output from Terraform and your region.
    - name: Configure AWS credentials
      uses: aws-actions/configure-aws-credentials@v2
      with:
        role-to-assume: "{RoleARN}"
        aws-region: "{AWSRegion}"

    - name: Login to Amazon ECR
      id: login-ecr
      uses: aws-actions/amazon-ecr-login@v1


Conclusion

Securing AWS credentials in GitHub Actions (not only in GHA, everywhere) is essential for protecting your cloud resources and preventing unauthorized access. The Terraform module simplifies the process of setting up secure AWS authentication, making it easier for developers to adopt security best practices.

Try out our Terraform module and let me know how it works for you! Happy Terraforming!

Thank you for joining us on this adventure, and we look forward to seeing you on the next page.

- Blogpost created without using AI tools -
