Skip to content

feat: AWS OIDC auth composite action (issue #27)#41

Open
ms280690 wants to merge 1 commit into
mainfrom
issue-27-oidc-aws
Open

feat: AWS OIDC auth composite action (issue #27)#41
ms280690 wants to merge 1 commit into
mainfrom
issue-27-oidc-aws

Conversation

@ms280690
Copy link
Copy Markdown
Collaborator

@ms280690 ms280690 commented Jun 1, 2026

Summary

  • Adds aws-oidc-auth composite action wrapping aws-actions/configure-aws-credentials@v6.1.3 — no static credentials stored
  • Enforces role-session-name: {repo}-{run_id} so every CloudTrail event is traceable to a specific run
  • Adds docs/oidc-trust-policies.md with IAM trust policy templates, GitHub Environments setup, and migration checklist
  • Adds aws-actions/configure-aws-credentials to approved-actions registry and aws-actions/* to org allowlist

Usage

jobs:
  deploy:
    permissions:
      id-token: write
      contents: read
    steps:
      - uses: sparkgeo/github-actions/.github/actions/aws-oidc-auth@<SHA>
        with:
          role-arn: ${{ vars.AWS_DEPLOY_ROLE_ARN }}
          aws-region: ca-central-1

Notes

  • Cannot be dogfooded in ci.yml — requires a real IAM role and trust policy in an AWS account
  • GCP Workload Identity Federation is out of scope for this PR (AWS-only as agreed)
  • Org-level work (auditing existing secrets, creating IAM roles, configuring environments) is tracked in issue feat: OIDC federation and secret management #27 checklist

Test plan

  • Verify actionlint + zizmor pass (pre-commit hooks ran clean)
  • Consuming repo: create IAM role with trust policy from docs/oidc-trust-policies.md, use action, verify aws sts get-caller-identity succeeds and CloudTrail shows {repo}-{run_id} session name
  • Verify role-session-name override input works when trust policy requires fixed prefix

Closes #27 (composite action + docs deliverable; org-level secret migration is ongoing)

🤖 Generated with Claude Code

@ms280690 @claude
feat: AWS OIDC auth composite action and trust policy docs (issue #27)
98bdb67 
Add aws-oidc-auth composite action wrapping aws-actions/configure-aws-credentials@v6.1.3.
Enforces role-session-name as '{repo}-{run_id}' for CloudTrail traceability.
Calling job requires id-token: write; no static credentials stored.

Add docs/oidc-trust-policies.md with:
- IAM trust policy templates scoped to repo/branch/environment
- GitHub Environments setup for production deployment gating
- Migration checklist for moving from static keys to OIDC

Update approved-actions.md with aws-actions entry and aws-actions/* org allowlist pattern.
Update README with usage example and link to trust policy docs.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@ms280690 ms280690 requested a review from Copilot June 1, 2026 21:42
@ms280690 ms280690 self-assigned this Jun 1, 2026
Copilot AI reviewed Jun 1, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Adds a new aws-oidc-auth composite action that wraps aws-actions/configure-aws-credentials@v6.1.3 to perform short-lived AWS credential exchange via GitHub OIDC, eliminating the need for static AWS keys stored as secrets. Also adds supporting documentation and updates the approved-actions registry. Implements the AWS portion of issue #27 (Pillar 3: Modern Secret Management & Identity Federation); GCP WIF and org-level secret migration are explicitly out of scope.

Changes:

  • New aws-oidc-auth composite action with pinned SHA, required role-arn/aws-region inputs, and an enforced {repo}-{run_id} session name (overridable).
  • New docs/oidc-trust-policies.md covering trust policy templates, scope conditions, environment gating, and a migration checklist.
  • Approved-actions registry and org allowlist updated to include aws-actions/configure-aws-credentials / aws-actions/*; README updated with action table entry and usage example.

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 2 comments.

File Description
.github/actions/aws-oidc-auth/action.yml New composite action invoking configure-aws-credentials with traceable session name.
docs/oidc-trust-policies.md New doc with trust-policy template, sub-claim scope table, env setup, and migration checklist.
docs/approved-actions.md Registers aws-actions/configure-aws-credentials and adds aws-actions/* to the org allowlist.
README.md Adds the action to the index and a usage example pointing to the new doc.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread docs/oidc-trust-policies.md
Comment on lines +70 to +71
| `repo:sparkgeo/app:ref:refs/heads/*` | Any branch (never use for production roles) |
| `repo:sparkgeo/*` | Any repo in org — avoid |
Comment thread .github/actions/aws-oidc-auth/action.yml
with:
role-to-assume: ${{ inputs.role-arn }}
aws-region: ${{ inputs.aws-region }}
role-session-name: ${{ inputs.role-session-name != '' && inputs.role-session-name || format('{0}-{1}', github.event.repository.name, github.run_id) }}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

At least 1 approving review is required to merge this pull request.

Assignees

@ms280690 ms280690

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

feat: OIDC federation and secret management

2 participants

@ms280690