Overview
- I don't want to store AWS access keys on the GitHub side (GitHub Secrets) for GitHub Actions
- Authentication to the various cloud providers can be obtained via OpenID Connect instead
- Since the goal is only to get authentication working, fine-grained elements such as policies are deferred; keep the first attempt simple
- For now, learn by doing
Prerequisites
- Understand how OpenID Connect provider authentication works
- Understand how IAM AssumeRole works
- Understand the convenience and the risks of GitHub Secrets
Details
Create the OpenID provider
- Provider type: OpenID Connect
- Provider URL: https://token.actions.githubusercontent.com
- Audience: sts.amazonaws.com
- Create the identity provider from AWS IAM
![](https://qiita-user-contents.imgix.net/https%3A%2F%2Fqiita-image-store.s3.ap-northeast-1.amazonaws.com%2F0%2F57350%2F4c1535a7-0d20-d6e3-279b-daf64ac7f29d.png?ixlib=rb-4.0.0&auto=format&gif-q=60&q=75&s=36fa1a4aba35aae9ac03a908cacb9c87)
![](https://qiita-user-contents.imgix.net/https%3A%2F%2Fqiita-image-store.s3.ap-northeast-1.amazonaws.com%2F0%2F57350%2Fbe96778e-3080-817f-6a15-033810421864.png?ixlib=rb-4.0.0&auto=format&gif-q=60&q=75&s=ab1299f342d6a711b3d317914cea165d)
![](https://qiita-user-contents.imgix.net/https%3A%2F%2Fqiita-image-store.s3.ap-northeast-1.amazonaws.com%2F0%2F57350%2Fe0997541-d85e-0d7d-592c-ede92bd102d2.png?ixlib=rb-4.0.0&auto=format&gif-q=60&q=75&s=415692e43adf8a7974dd0eaf9be10ce5)
![](https://qiita-user-contents.imgix.net/https%3A%2F%2Fqiita-image-store.s3.ap-northeast-1.amazonaws.com%2F0%2F57350%2Fcb11173f-1074-5db7-8824-04591e3126c0.png?ixlib=rb-4.0.0&auto=format&gif-q=60&q=75&s=8162a738cd135e39c375af7f01860e64)
![](https://qiita-user-contents.imgix.net/https%3A%2F%2Fqiita-image-store.s3.ap-northeast-1.amazonaws.com%2F0%2F57350%2F071655bf-31e1-efe6-7f0e-0d37cc3fc21b.png?ixlib=rb-4.0.0&auto=format&gif-q=60&q=75&s=62a33d4cad300ec2bcab42e12161d5de)
![](https://qiita-user-contents.imgix.net/https%3A%2F%2Fqiita-image-store.s3.ap-northeast-1.amazonaws.com%2F0%2F57350%2F42137a0b-2f7c-2ca5-ae32-784dbd61101a.png?ixlib=rb-4.0.0&auto=format&gif-q=60&q=75&s=fc39e796b8248c2abf00ed64cbdbaf68)
![](https://qiita-user-contents.imgix.net/https%3A%2F%2Fqiita-image-store.s3.ap-northeast-1.amazonaws.com%2F0%2F57350%2F2b71d079-1d74-09d7-3ebf-e8d84fbc73dd.png?ixlib=rb-4.0.0&auto=format&gif-q=60&q=75&s=ca65f6d4cc0cbfa480ef0e1bc5c860e1)
Assign a role
- "Assign role" → "Create a new role"
![](https://qiita-user-contents.imgix.net/https%3A%2F%2Fqiita-image-store.s3.ap-northeast-1.amazonaws.com%2F0%2F57350%2F34a1214e-138b-9824-ce88-620bc917a227.png?ixlib=rb-4.0.0&auto=format&gif-q=60&q=75&s=149b435eb1490f19347b684f8e4f2da6)
![](https://qiita-user-contents.imgix.net/https%3A%2F%2Fqiita-image-store.s3.ap-northeast-1.amazonaws.com%2F0%2F57350%2Fe633fefb-1ffc-c742-89c7-6fe370e77570.png?ixlib=rb-4.0.0&auto=format&gif-q=60&q=75&s=bd08c5304bcb81e4456cdfcf22605757)
Create a test role
- Create it with the "Web identity" trusted entity type
- Audience is "sts.amazonaws.com"
![](https://qiita-user-contents.imgix.net/https%3A%2F%2Fqiita-image-store.s3.ap-northeast-1.amazonaws.com%2F0%2F57350%2F0ecf995d-83af-a0fa-afbd-0d974b6ad1cd.png?ixlib=rb-4.0.0&auto=format&gif-q=60&q=75&s=cbde828b2bf214a08f86cca83ba48b73)
![](https://qiita-user-contents.imgix.net/https%3A%2F%2Fqiita-image-store.s3.ap-northeast-1.amazonaws.com%2F0%2F57350%2Fc45c0dcd-6506-3e99-164a-73d7aa41d65a.png?ixlib=rb-4.0.0&auto=format&gif-q=60&q=75&s=9886d98e380dc129c5941324fb1500ed)
![](https://qiita-user-contents.imgix.net/https%3A%2F%2Fqiita-image-store.s3.ap-northeast-1.amazonaws.com%2F0%2F57350%2Fae8e2190-15d0-1408-ec08-8bcda79b86ae.png?ixlib=rb-4.0.0&auto=format&gif-q=60&q=75&s=4b50f291f83615a3129f5713730dd37a)
![](https://qiita-user-contents.imgix.net/https%3A%2F%2Fqiita-image-store.s3.ap-northeast-1.amazonaws.com%2F0%2F57350%2F1386b199-6e15-4c8c-ea61-11855337bd13.png?ixlib=rb-4.0.0&auto=format&gif-q=60&q=75&s=5bb2313051f0f7d8325b427b0a336fe0)
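The role created above trusts the GitHub OIDC provider with only the audience condition, which is enough to pass authentication but means that, as far as the trust policy is concerned, a workflow in any GitHub repository could assume the role. The following added example (not from the original post; the account ID is a placeholder, the repository name is the post's test repository) builds the trust policy JSON with an additional `sub` condition that pins the role to one repository, and evaluates sample token claims against it locally so you can see which tokens each variant would accept. The evaluator only mirrors the `StringEquals`/`StringLike` comparison STS applies to the `aud` and `sub` claims; it is not a full IAM policy engine.

```python
"""Trust policy for a GitHub Actions OIDC role, with a local check of which
token claims it accepts. Added example, not code from the original post.
ACCOUNT_ID is a placeholder; the repository is the post's test repo."""
import fnmatch
import json

ACCOUNT_ID = "123456789012"          # placeholder, not the author's account ID
REPO = "menergia/test-oidc"          # repository used in the post
OIDC_ISSUER = "token.actions.githubusercontent.com"


def build_trust_policy(account_id: str, repo: str = None) -> dict:
    """Return the role's trust policy document.

    With repo=None this is what the console wizard produces when only the
    audience is filled in (the post's configuration). With a repo, a
    StringLike condition on ``sub`` restricts the role to that repository.
    """
    condition = {"StringEquals": {f"{OIDC_ISSUER}:aud": "sts.amazonaws.com"}}
    if repo is not None:
        condition["StringLike"] = {f"{OIDC_ISSUER}:sub": f"repo:{repo}:*"}
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {
                "Federated": f"arn:aws:iam::{account_id}:oidc-provider/{OIDC_ISSUER}"
            },
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": condition,
        }],
    }


def _matches(operator: str, expected, actual: str) -> bool:
    """Compare one condition value the way IAM's string operators do."""
    expected_values = expected if isinstance(expected, list) else [expected]
    if operator == "StringEquals":
        return actual in expected_values
    if operator == "StringLike":
        # IAM's * and ? wildcards map directly onto fnmatch's
        return any(fnmatch.fnmatchcase(actual, p) for p in expected_values)
    raise ValueError(f"unsupported condition operator: {operator}")


def trust_policy_allows(policy: dict, claims: dict) -> bool:
    """Local approximation of STS evaluating the trust policy against the
    claims of a presented OIDC token. Only Allow statements for
    AssumeRoleWithWebIdentity are considered; every condition must hold."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or stmt["Action"] != "sts:AssumeRoleWithWebIdentity":
            continue
        satisfied = True
        for operator, conds in stmt.get("Condition", {}).items():
            for key, expected in conds.items():
                claim_name = key.split(":", 1)[1]      # "issuer:aud" -> "aud"
                actual = claims.get(claim_name)
                if actual is None or not _matches(operator, expected, actual):
                    satisfied = False
        if satisfied:
            return True
    return False


# Constructed sample claims, shaped like the aud/sub claims GitHub issues
MAIN_BRANCH_CLAIMS = {"aud": "sts.amazonaws.com",
                      "sub": f"repo:{REPO}:ref:refs/heads/main"}
OTHER_REPO_CLAIMS = {"aud": "sts.amazonaws.com",
                     "sub": "repo:someone-else/their-repo:ref:refs/heads/main"}

if __name__ == "__main__":
    pinned = build_trust_policy(ACCOUNT_ID, REPO)
    print(json.dumps(pinned, indent=2))
    for name, claims in [("own repo", MAIN_BRANCH_CLAIMS), ("other repo", OTHER_REPO_CLAIMS)]:
        print(f"{name}: audience-only={trust_policy_allows(build_trust_policy(ACCOUNT_ID), claims)}"
              f" pinned={trust_policy_allows(pinned, claims)}")
```

Running it prints the pinned policy and shows that the audience-only variant accepts the other repository's token while the pinned variant rejects it. The `sub` pattern can be narrowed further (for example `repo:owner/name:ref:refs/heads/main` for one branch, or an `environment:` form) once the remaining policy work mentioned at the end of the post is done.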
Preparation on the GitHub side
- Prepare a test repository
![](https://qiita-user-contents.imgix.net/https%3A%2F%2Fqiita-image-store.s3.ap-northeast-1.amazonaws.com%2F0%2F57350%2Fd32968e1-4d77-17ea-9373-5362dbfa1889.png?ixlib=rb-4.0.0&auto=format&gif-q=60&q=75&s=5fe5e00da8a7e008652c1328f6f8abd9)
- Create the workflow folder and file
```bash
$ git clone https://github.com/menergia/test-oidc
$ mkdir -p test-oidc/.github/workflows
$ echo "### oidc test workflow ###" > test-oidc/.github/workflows/test-oidc-ci.yml
$ cd test-oidc
$ git add .
$ git commit -m "add blank workflow"
$ git push origin main
```
Create the workflow file for GitHub Actions
- Note down the AWS account ID
- Edit test-oidc-ci.yml
- Based on the workflow sample in the official GitHub documentation
- The job needs `permissions: id-token: write`, otherwise the runner cannot request an OIDC token
test-oidc-ci.yml
```yaml
### oidc test workflow ###
name: OIDC test
on:
  push:
jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      id-token: write   # required to request the OIDC token from GitHub
      contents: read
    steps:
      - name: Set up environment
        run: |
          # The AWS CLI reads these three variables and performs
          # AssumeRoleWithWebIdentity itself; no access keys are involved.
          export AWS_ROLE_ARN=arn:aws:iam::39********81:role/Role-GithubActions-OpenIDConnect-Test
          export AWS_WEB_IDENTITY_TOKEN_FILE=/tmp/aws-credential
          export AWS_DEFAULT_REGION=ap-northeast-1
          # Persist them for the following steps via GITHUB_ENV
          echo "AWS_WEB_IDENTITY_TOKEN_FILE=$AWS_WEB_IDENTITY_TOKEN_FILE" >> "$GITHUB_ENV"
          echo "AWS_ROLE_ARN=$AWS_ROLE_ARN" >> "$GITHUB_ENV"
          echo "AWS_DEFAULT_REGION=$AWS_DEFAULT_REGION" >> "$GITHUB_ENV"
          # Request an ID token with audience sts.amazonaws.com and write it to the token file
          curl -H "Authorization: bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" "$ACTIONS_ID_TOKEN_REQUEST_URL&audience=sts.amazonaws.com" | jq -r '.value' > "$AWS_WEB_IDENTITY_TOKEN_FILE"
      - run: aws sts get-caller-identity
```
- After commit/push, check the Actions tab
- OpenID Connect succeeds on CI: `get-caller-identity` returns the assumed role
![](https://qiita-user-contents.imgix.net/https%3A%2F%2Fqiita-image-store.s3.ap-northeast-1.amazonaws.com%2F0%2F57350%2Fa2e39e9d-0ff4-9e25-8b01-c8260a581ce6.png?ixlib=rb-4.0.0&auto=format&gif-q=60&q=75&s=836a5e52e1ac729d9b008b5877aab9b3)
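When `get-caller-identity` fails, the first thing to check is whether the token the `curl` step wrote to `AWS_WEB_IDENTITY_TOKEN_FILE` actually carries the claims the role trusts (issuer, `aud` of `sts.amazonaws.com`, a `sub` scoped to the repository, and an `exp` still in the future). The following added example (not from the original post) decodes the payload of such a token and lists any mismatches. It does not verify the signature: STS does that against the provider's JWKS, and this check is only for inspecting the claims. The token used is a constructed, unsigned sample with the claim shape GitHub issues; `inspect_token_file` reads a real token file the same way.

```python
"""Inspect the GitHub OIDC token that the workflow writes to
AWS_WEB_IDENTITY_TOKEN_FILE. Added example, not code from the original post.
Decodes claims only; signature verification is STS's job."""
import base64
import json
import time

GITHUB_ISSUER = "https://token.actions.githubusercontent.com"
EXPECTED_AUDIENCE = "sts.amazonaws.com"


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(obj: dict) -> str:
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()


def decode_jwt_payload(token: str) -> dict:
    """Return the claims of a compact JWS without verifying its signature."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS with three dot-separated segments")
    return json.loads(_b64url_decode(parts[1]))


def check_token_claims(claims: dict, expected_repo: str, now=None) -> list:
    """Return a list of problems; an empty list means the token looks like
    what the workflow step was meant to produce for this repository."""
    now = time.time() if now is None else now
    problems = []
    if claims.get("iss") != GITHUB_ISSUER:
        problems.append("iss is not the GitHub Actions issuer")
    if claims.get("aud") != EXPECTED_AUDIENCE:
        problems.append("aud is not sts.amazonaws.com (was audience= passed to the token request?)")
    if claims.get("repository") != expected_repo:
        problems.append("repository claim does not match the expected repository")
    if not str(claims.get("sub", "")).startswith(f"repo:{expected_repo}:"):
        problems.append("sub claim is not scoped to the expected repository")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        problems.append("token is expired or has no exp claim")
    return problems


def inspect_token_file(path: str, expected_repo: str, now=None):
    """Read a token file as written by the workflow and check its claims."""
    with open(path, encoding="utf-8") as f:
        claims = decode_jwt_payload(f.read())
    return claims, check_token_claims(claims, expected_repo, now)


def make_sample_token(claims: dict) -> str:
    """Constructed, unsigned sample token for offline use only."""
    header = {"alg": "RS256", "typ": "JWT"}
    return f"{_b64url_encode(header)}.{_b64url_encode(claims)}.placeholder-signature"


# Constructed claims in the shape GitHub issues for a push to main
SAMPLE_CLAIMS = {
    "iss": GITHUB_ISSUER,
    "aud": EXPECTED_AUDIENCE,
    "sub": "repo:menergia/test-oidc:ref:refs/heads/main",
    "repository": "menergia/test-oidc",
    "ref": "refs/heads/main",
    "iat": 1700000000,
    "exp": 1700000300,
}

if __name__ == "__main__":
    token = make_sample_token(SAMPLE_CLAIMS)
    claims = decode_jwt_payload(token)
    print(json.dumps(claims, indent=2))
    print("problems:", check_token_claims(claims, "menergia/test-oidc", now=1700000000))
```

On a runner, `inspect_token_file("/tmp/aws-credential", "owner/repo")` run as an extra step before `aws sts get-caller-identity` gives a readable reason when the trust policy rejects the token, instead of only the generic access-denied error from STS.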
Remaining tasks
- Next, configure the required policies and roles properly and try again