Passing secrets to GitHub Actions

I'm trying to deploy a lambda function via GitHub Actions and OIDC on AWS. When I hard-code role-to-assume as a plain string, it works fine. But that isn't an ideal approach for me; I'd like to parameterize it. I tried putting the AccountId in a secret and using it as an environment variable, but it doesn't work. It gives an error saying Request ARN is invalid

Here is my workflow

name: AWS deploy CI/CD

on:
  push:
    branches: [ main ]

permissions:
  id-token: write
  contents: read

jobs:
  buildAndDeploy:

    runs-on: ubuntu-latest

    strategy:
      matrix:
        node-version: [14.x]
        
    steps:
      - name: Git clone the repository
        uses: actions/checkout@v3
      - name: Set up Node
        uses: actions/setup-node@v3
        with:
          node-version: ${{ matrix.node-version }}
      - run: npm ci
      - name: Run lint
        run: npm run lint
      - name: Build dist
        run: npm run build
      - name: Configure AWS Credentials
        env:
          ACCOUNT_ID: ${{ secrets.AWS_ACCOUNT_ID }}
        uses: aws-actions/configure-aws-credentials@v1
        with:
          aws-region: eu-west-1
          role-to-assume: arn:aws:iam::$ACCOUNT_ID:role/github-actions-role
      - name: Deploy to Lambda
        run: npm run deploy


Can someone tell me what I'm doing wrong?

Have you made sure that your IAM role in AWS has a trust policy associated with the GitHub repository/organization?

{
    "Version": "2008-10-17",
    "Statement": [
    {
        "Effect": "Allow",
        "Principal": {
            "Federated": "arn:aws:iam::${ACCOUNT_ID}:oidc-provider/token.actions.githubusercontent.com"
        },
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {
            "StringEquals": {
                "token.actions.githubusercontent.com:aud": "sts.amazonaws.com"
            },
            "StringLike": {
                "token.actions.githubusercontent.com:sub": "repo:organization_name/repository_name:*"
            }
        }
    }]
}

The following works for me. For anyone who may run into the same issue, here is the solution. I removed assigning the secrets to env variables and assigned them directly where needed.

name: AWS deploy CI/CD

on:
  push:
    branches: [ main ]

permissions:
  id-token: write
  contents: read

jobs:
  buildAndDeploy:

    runs-on: ubuntu-latest

    strategy:
      matrix:
        node-version: [14.x]
        
    steps:
      - name: Git clone the repository
        uses: actions/checkout@v3
      - name: Set up Node
        uses: actions/setup-node@v3
        with:
          node-version: ${{ matrix.node-version }}
      - run: npm ci
      - name: Run lint
        run: npm run lint
      - name: Build dist
        run: npm run build
      - name: Configure AWS Credentials
        uses: aws-actions/configure-aws-credentials@v1
        with:
          aws-region: eu-west-1
          role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/github-actions-role
      - name: Deploy to Lambda
        run: npm run deploy -- --param="S3_BUCKET=${{ secrets.S3_BUCKET }}"
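As an added example (not from the question or either answer), a small Python check that shows why the first workflow's ARN is rejected (a `with:` input is not shell-expanded, so `$ACCOUNT_ID` is sent to STS literally) and that evaluates the trust policy's Condition block for a given token sub/aud, so you can confirm which repositories the role trusts before a run. The account id and repository names are constructed placeholders.

```python
import fnmatch
import re
from typing import Tuple

# A well-formed IAM role ARN carries a 12-digit account id, never a literal "$VAR".
ROLE_ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):role/[\w+=,.@/-]+$")

def check_role_arn(arn: str) -> Tuple[bool, str]:
    """Return (ok, reason) for a role-to-assume value as the action would receive it."""
    if "$" in arn:
        # Shell variables from `env:` only expand inside `run:` steps, not `with:` inputs;
        # only ${{ ... }} expressions are substituted there, and they never reach the action raw.
        return False, "unexpanded placeholder in ARN; use ${{ secrets.X }} in with: inputs"
    m = ROLE_ARN_RE.match(arn)
    if not m:
        return False, "ARN does not match arn:aws:iam::<12-digit-account>:role/<name>"
    return True, "account " + m.group(1)

def trust_policy_allows(policy: dict, sub: str, aud: str) -> bool:
    """Evaluate the OIDC trust policy for a GitHub token with the given sub and aud claims."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow" or stmt.get("Action") != "sts:AssumeRoleWithWebIdentity":
            continue
        cond = stmt.get("Condition", {})
        equals = cond.get("StringEquals", {})
        like = cond.get("StringLike", {})
        # An absent condition key places no restriction on that claim.
        if equals.get("token.actions.githubusercontent.com:aud", aud) != aud:
            continue
        pattern = like.get("token.actions.githubusercontent.com:sub", "*")
        if fnmatch.fnmatchcase(sub, pattern):  # IAM StringLike uses * and ? wildcards
            return True
    return False

# Constructed sample: the answer's trust policy with a placeholder account id.
TRUST_POLICY = {
    "Version": "2008-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": "arn:aws:iam::123456789012:oidc-provider/token.actions.githubusercontent.com"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {
            "StringEquals": {"token.actions.githubusercontent.com:aud": "sts.amazonaws.com"},
            "StringLike": {"token.actions.githubusercontent.com:sub": "repo:organization_name/repository_name:*"},
        },
    }],
}
```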
