feat: add AWS OIDC authentication support #7

Merged
jruaux merged 1 commit into main from feat/aws-oidc-support
Feb 20, 2026

Conversation


@jruaux jruaux commented Feb 20, 2026

Summary

Add support for AWS OIDC (OpenID Connect) authentication in reusable workflows. OIDC is the recommended approach as it eliminates the need for long-lived AWS credentials stored as secrets.

Changes

New Composite Action: configure-aws

A reusable action that configures AWS credentials using either:

  • OIDC (recommended): Uses GitHub's OIDC provider to assume an IAM role
  • Static credentials (fallback): Uses access key ID and secret access key

Updated Workflows

build.yml:

  • Added aws-role-arn input for OIDC authentication
  • Added aws-region input
  • Added extra-env input for passing arbitrary environment variables as JSON
  • Added aws-access-key-id and aws-secret-access-key secrets (fallback)
  • Added id-token: write permission for OIDC

release.yml:

  • Added aws-role-arn and aws-region inputs
  • Updated to use configure-aws composite action (removes code duplication)
  • Added id-token: write permission for OIDC

Usage Example

# In your repo's .github/workflows/build.yml
jobs:
  build:
    uses: redis/github-workflows/.github/workflows/build.yml@main
    with:
      aws-role-arn: arn:aws:iam::123456789012:role/GitHubActionsRole
      aws-region: us-west-1
      extra-env: '{"S3_TEST_BUCKET": "my-test-bucket"}'

AWS Setup Required

  1. Create OIDC Identity Provider in AWS IAM:

    • Provider URL: https://token.actions.githubusercontent.com
    • Audience: sts.amazonaws.com
  2. Create IAM Role with trust policy:

{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {
      "Federated": "arn:aws:iam::ACCOUNT:oidc-provider/token.actions.githubusercontent.com"
    },
    "Action": "sts:AssumeRoleWithWebIdentity",
    "Condition": {
      "StringEquals": {
        "token.actions.githubusercontent.com:aud": "sts.amazonaws.com"
      },
      "StringLike": {
        "token.actions.githubusercontent.com:sub": "repo:ORG/REPO:*"
      }
    }
  }]
}
  3. Attach permissions to the role (e.g., S3 access for integration tests)

Benefits of OIDC

  • No long-lived credentials to rotate or manage
  • Fine-grained access control per repository/branch
  • Temporary credentials (15 min - 1 hour)
  • Audit trail via AWS CloudTrail

- Add configure-aws composite action supporting both OIDC and static credentials
- Update build.yml workflow with optional AWS authentication and extra-env input
- Update release.yml to use configure-aws action and support OIDC
- OIDC is the recommended approach (no long-lived credentials)

Usage in build.yml:
  uses: redis/github-workflows/.github/workflows/build.yml@main
  with:
    aws-role-arn: arn:aws:iam::ACCOUNT:role/GitHubActions
    aws-region: us-west-1
    extra-env: '{"S3_TEST_BUCKET": "my-bucket"}'

AWS IAM setup required:
  1. Create OIDC identity provider for token.actions.githubusercontent.com
  2. Create IAM role with trust policy for your repository
  3. Attach required permissions (e.g., S3 access) to the role
@jruaux jruaux merged commit 3491a0b into main Feb 20, 2026
1 check passed
@jruaux jruaux deleted the feat/aws-oidc-support branch February 20, 2026 02:44
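The trust policy in the PR description above is what actually limits which GitHub workflows can assume the role, so it is worth checking mechanically before attaching it. The following Python checker is an added example, not code from this PR or the redis/github-workflows project; the account id and org/repo in the sample policy are constructed placeholders, and the provider host and audience are the values the PR text gives.

```python
import json

# Added example, not the PR's code. OIDC_HOST/EXPECTED_AUD come from the PR text; the
# sample policy is the PR's trust policy with constructed placeholder account and repo.
OIDC_HOST = "token.actions.githubusercontent.com"
EXPECTED_AUD = "sts.amazonaws.com"

SAMPLE_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": f"arn:aws:iam::123456789012:oidc-provider/{OIDC_HOST}"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {
            "StringEquals": {f"{OIDC_HOST}:aud": EXPECTED_AUD},
            "StringLike": {f"{OIDC_HOST}:sub": "repo:example-org/example-repo:*"},
        },
    }],
})


def _as_list(value):
    """IAM accepts a scalar or a list in most policy fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def check_trust_policy(policy_json):
    """Findings for each Allow statement trusting the GitHub OIDC provider; [] means OK."""
    findings = []
    for i, stmt in enumerate(_as_list(json.loads(policy_json).get("Statement", []))):
        principal = stmt.get("Principal", {})
        federated = _as_list(principal.get("Federated", [])) if isinstance(principal, dict) else []
        if stmt.get("Effect") != "Allow" or not any(OIDC_HOST in p for p in federated):
            continue  # not a GitHub OIDC trust statement; out of scope for this checker
        where = f"Statement[{i}]"
        if "sts:AssumeRoleWithWebIdentity" not in _as_list(stmt.get("Action", [])):
            findings.append(f"{where}: action is not sts:AssumeRoleWithWebIdentity")
        cond = stmt.get("Condition", {})
        if cond.get("StringEquals", {}).get(f"{OIDC_HOST}:aud") != EXPECTED_AUD:
            findings.append(f"{where}: aud must be pinned with StringEquals to {EXPECTED_AUD}")
        subs = [s for op in ("StringEquals", "StringLike")
                for s in _as_list(cond.get(op, {}).get(f"{OIDC_HOST}:sub", []))]
        if not subs:
            findings.append(f"{where}: no sub condition, so any GitHub repository could assume the role")
        for sub in subs:
            parts = sub.split(":", 2)  # repo:ORG/REPO:<ref, environment, pull_request, ...>
            if len(parts) < 2 or parts[0] != "repo" or any(c in parts[1] for c in "*?"):
                findings.append(f"{where}: sub '{sub}' is not scoped to a single org/repo")
    return findings
```

Run it against the rendered policy JSON before `aws iam create-role`; a non-empty result means the role would trust more than the intended repository or would accept tokens minted for another audience.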