Passing secrets to GitHub Actions
I am trying to deploy a Lambda function through GitHub Actions and OIDC on AWS. When I hard-code `role-to-assume` as a plain string it works fine. But that is not an ideal approach for me and I want to parameterize it. I tried storing the AccountId as a secret and using it as an environment variable, but it does not work. It gives an error saying `Request ARN is invalid`.

Here is my workflow:
```yaml
name: AWS deploy CI/CD
on:
  push:
    branches: [ main ]
permissions:
  id-token: write
  contents: read
jobs:
  buildAndDeploy:
    runs-on: ubuntu-latest
    strategy:
      matrix:
        node-version: [14.x]
    steps:
      - name: Git clone the repository
        uses: actions/checkout@v3
      - name: Set up Node
        uses: actions/setup-node@v3
        with:
          node-version: ${{ matrix.node-version }}
      - run: npm ci
      - name: Run lint
        run: npm run lint
      - name: Build dist
        run: npm run build
      - name: Configure AWS Credentials
        env:
          ACCOUNT_ID: ${{ secrets.AWS_ACCOUNT_ID }}
        uses: aws-actions/configure-aws-credentials@v1
        with:
          aws-region: eu-west-1
          role-to-assume: arn:aws:iam::$ACCOUNT_ID:role/github-actions-role
      - name: Deploy to Lambda
        run: npm run deploy
```
Can someone tell me what I am doing wrong?

Did you make sure that your IAM role in AWS has a trust policy tied to the GitHub repository/organization?
```json
{
  "Version": "2008-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::${ACCOUNT_ID}:oidc-provider/token.actions.githubusercontent.com"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "token.actions.githubusercontent.com:aud": "sts.amazonaws.com"
        },
        "StringLike": {
          "token.actions.githubusercontent.com:sub": "repo:organization_name/repository_name:*"
        }
      }
    }
  ]
}
```
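The trust policy in this answer is what keeps the role from being assumable by arbitrary GitHub workflows: `aud` must be pinned to `sts.amazonaws.com` and `sub` must name one `owner/repository`. As an added example (not part of the answer), the checker below parses such a policy and reports statements that miss either condition; the `${ACCOUNT_ID}` placeholder and the `organization_name/repository_name` values are the ones from the answer, and the second, loosened policy is constructed.

```python
import json

ISSUER = "token.actions.githubusercontent.com"

def _policy(condition):
    """Build a one-statement trust policy for the GitHub OIDC provider (constructed sample)."""
    return json.dumps({"Version": "2008-10-17", "Statement": [{
        "Effect": "Allow", "Action": "sts:AssumeRoleWithWebIdentity",
        "Principal": {"Federated": f"arn:aws:iam::${{ACCOUNT_ID}}:oidc-provider/{ISSUER}"},
        "Condition": condition}]})

# The policy from the answer above (account id kept as the ${ACCOUNT_ID} placeholder).
PINNED_POLICY = _policy({
    "StringEquals": {f"{ISSUER}:aud": "sts.amazonaws.com"},
    "StringLike": {f"{ISSUER}:sub": "repo:organization_name/repository_name:*"}})
# Constructed weak variant: no audience check, and the wildcard covers every repo in the org.
LOOSE_POLICY = _policy({"StringLike": {f"{ISSUER}:sub": "repo:organization_name/*"}})

def _as_list(value):
    return value if isinstance(value, list) else [value]

def check_github_oidc_trust_policy(policy_text):
    """Return one finding per problem; an empty list means every GitHub OIDC
    statement pins the audience and a literal owner/repository in the subject."""
    findings = []
    for i, st in enumerate(_as_list(json.loads(policy_text).get("Statement", []))):
        principal = st.get("Principal", {})
        federated = principal.get("Federated", "") if isinstance(principal, dict) else ""
        if (st.get("Effect") != "Allow" or ISSUER not in str(federated)
                or "sts:AssumeRoleWithWebIdentity" not in _as_list(st.get("Action", []))):
            continue  # not a GitHub OIDC assume-role statement
        cond = st.get("Condition", {})
        if _as_list(cond.get("StringEquals", {}).get(f"{ISSUER}:aud")) != ["sts.amazonaws.com"]:
            findings.append(f"statement {i}: aud is not pinned to sts.amazonaws.com via StringEquals")
        subs = cond.get("StringLike", {}).get(f"{ISSUER}:sub",
                                              cond.get("StringEquals", {}).get(f"{ISSUER}:sub"))
        if subs is None:
            findings.append(f"statement {i}: no sub condition, so any GitHub repository may assume the role")
            continue
        for sub in _as_list(subs):
            # Expected shape: repo:<owner>/<name>:<ref or environment>; owner and name must be literal.
            parts = sub.split(":", 2)
            owner, _, name = (parts[1] if len(parts) > 1 else "").partition("/")
            if parts[0] != "repo" or not owner or not name or "*" in owner or "*" in name:
                findings.append(f"statement {i}: sub {sub!r} does not pin one owner/repository")
    return findings
```

Running it against the role's actual trust policy (for example the output of `aws iam get-role`) is a quick way to confirm the conditions survived a later edit.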
The following worked for me. For anyone who might run into the same issue, here is the solution. I removed the assignment of the secrets to env variables and assigned them directly where they are needed.
```yaml
name: AWS deploy CI/CD
on:
  push:
    branches: [ main ]
permissions:
  id-token: write
  contents: read
jobs:
  buildAndDeploy:
    runs-on: ubuntu-latest
    strategy:
      matrix:
        node-version: [14.x]
    steps:
      - name: Git clone the repository
        uses: actions/checkout@v3
      - name: Set up Node
        uses: actions/setup-node@v3
        with:
          node-version: ${{ matrix.node-version }}
      - run: npm ci
      - name: Run lint
        run: npm run lint
      - name: Build dist
        run: npm run build
      - name: Configure AWS Credentials
        uses: aws-actions/configure-aws-credentials@v1
        with:
          aws-region: eu-west-1
          role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/github-actions-role
      - name: Deploy to Lambda
        run: npm run deploy -- --param="S3_BUCKET=${{ secrets.S3_BUCKET }}"
```