Passing secrets to GitHub Actions

Question

I am trying to deploy a lambda function through GitHub actions and OIDC on AWS. It was working file when I hardcoded role-to-assume as a plain string. But this is not a ideal approach for me and I would like to parameterize it. I tried giving the AccountId as a secret and tried using it as a environment variable but it does not work. It gives a error saying Request ARN is invalid

Here is my workflow

name: AWS deploy CI/CD

on:
  push:
    branches: [ main ]

permissions:
  id-token: write
  contents: read

jobs:
  buildAndDeploy:

    runs-on: ubuntu-latest

    strategy:
      matrix:
        node-version: [14.x]
        
    steps:
      - name: Git clone the repository
        uses: actions/checkout@v3
      - name: Set up Node
        uses: actions/setup-node@v3
        with:
          node-version: ${{ matrix.node-version }}
      - run: npm ci
      - name: Run lint
        run: npm run lint
      - name: Build dist
        run: npm run build
      - name: Configure AWS Credentials
        env:
          ACCOUNT_ID: ${{ secrets.AWS_ACCOUNT_ID }}
        uses: aws-actions/configure-aws-credentials@v1
        with:
          aws-region: eu-west-1
          role-to-assume: arn:aws:iam::$ACCOUNT_ID:role/github-actions-role
      - name: Deploy to Lambda
        run: npm run deploy

Can someone tell me what I am doing wrong?

Answer 1

Have you made sure that your IAM role in AWS has a trust policy associated with the GitHub repo/organization?

{
    "Version": "2008-10-17",
    "Statement": [
    {
        "Effect": "Allow",
        "Principal": {
            "Federated": "arn:aws:iam::${ACCOUNT_ID}:oidc-provider/token.actions.githubusercontent.com"
        },
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {
            "StringEquals": {
                "token.actions.githubusercontent.com:aud": "sts.amazonaws.com"
            },
            "StringLike": {
                "token.actions.githubusercontent.com:sub": "repo:organization_name/repository_name:*"
            }
        }
    }]
}

Answer 2

The following worked for me. For the ones who might run into the same topic, here is the solution. I removed assigning of the secrets to env variables and directly assigned them where necessary.

name: AWS deploy CI/CD

on:
  push:
    branches: [ main ]

permissions:
  id-token: write
  contents: read

jobs:
  buildAndDeploy:

    runs-on: ubuntu-latest

    strategy:
      matrix:
        node-version: [14.x]
        
    steps:
      - name: Git clone the repository
        uses: actions/checkout@v3
      - name: Set up Node
        uses: actions/setup-node@v3
        with:
          node-version: ${{ matrix.node-version }}
      - run: npm ci
      - name: Run lint
        run: npm run lint
      - name: Build dist
        run: npm run build
      - name: Configure AWS Credentials
        uses: aws-actions/configure-aws-credentials@v1
        with:
          aws-region: eu-west-1
          role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/github-actions-role
      - name: Deploy to Lambda
        run: npm run deploy -- --param="S3_BUCKET=${{ secrets.S3_BUCKET }}"