Raghav's Blog

Secure Your AWS Access: Using OIDC Instead of Storing Credentials in GitHub

In today's cloud-driven world, security is paramount. One common pitfall that developers and organizations encounter is the improper handling of AWS credentials, such as storing them in version control systems like GitHub. This practice can lead to significant security vulnerabilities. In this blog post, we'll discuss why storing AWS credentials in GitHub is a bad idea and how you can leverage OpenID Connect (OIDC) roles to securely access your AWS resources.

The Risks of Storing AWS Credentials in GitHub

Storing AWS credentials in GitHub, even in private repositories, exposes you to several risks:

  • Unauthorized Access: If your repository is compromised, anyone with access can use your AWS credentials to access your resources, potentially causing data breaches or unauthorized modifications.
  • Accidental Exposure: Developers might inadvertently commit credentials to a public repository, making them visible to the world. This can happen even with the best intentions and precautions.
  • Static Credentials: Hardcoding credentials means they remain static until manually rotated or revoked, increasing the window of opportunity for misuse if they are compromised.

Introducing OIDC Roles for Secure Access

Instead of storing AWS credentials in GitHub, you can use OIDC roles to securely assume AWS roles. OIDC allows GitHub Actions to obtain temporary, limited-privilege AWS credentials dynamically, without the need for hardcoded secrets. Here’s how you can set this up:

Setting Up OIDC with GitHub Actions

Step 1: Create an OIDC Identity Provider in AWS

First, you'll need to create an OIDC identity provider in your AWS account. This provider will trust GitHub as an OIDC provider.

  1. Navigate to the IAM console:
    • Go to the IAM service in the AWS Management Console.
    • In the left navigation pane, select "Identity providers" and then click "Add provider."
  2. Configure the provider:
    • Choose "OpenID Connect" as the provider type.
    • For the provider URL, enter https://token.actions.githubusercontent.com.
    • Add the audience sts.amazonaws.com.
    • Click "Add provider."

Step 2: Create an IAM Role with Trust Relationship

Next, create an IAM role that can be assumed by the GitHub OIDC provider.

  1. Create the role:
    • In the IAM console, go to "Roles" and click "Create role."
    • Choose "Web identity" as the trusted entity type and select the OIDC provider you created.
  2. Configure the role:
    • Add the following condition to the role’s trust policy to limit access to specific GitHub repositories: 
      {
    "Condition": {
        "StringEquals": {
            "token.actions.githubusercontent.com:sub": "repo:your-username/your-repo-name:ref:refs/heads/main"
        }
    }
}
    • Attach the necessary policies to the role to allow access to the required AWS resources.

Step 3: Configure GitHub Actions Workflow

Finally, configure your GitHub Actions workflow to use the OIDC provider to assume the role.

  1. Create a GitHub Actions workflow:
    • In your repository, create a new workflow file (e.g., .github/workflows/deploy.yml).
  2. Configure the workflow: 
    name: Deploy to AWS

on:
  push:
    branches:
      - main

jobs:
  deploy:
    runs-on: ubuntu-latest
    permissions:
      id-token: write
      contents: read

    steps:
      - name: Checkout code
        uses: actions/checkout@v2

      - name: Configure AWS credentials using OIDC
        uses: aws-actions/configure-aws-credentials@v1
        with:
          role-to-assume: arn:aws:iam::123456789012:role/YourOIDCRole
          aws-region: us-east-1

      - name: Deploy to AWS
        run: |
          # Your deployment commands here

Benefits of Using OIDC Roles

  • Enhanced Security: Credentials are not stored in the repository, reducing the risk of accidental exposure.
  • Dynamic Credentials: Temporary credentials are obtained at runtime, minimizing the risk window if compromised.
  • Granular Permissions: Permissions can be scoped to specific repositories and branches, providing fine-grained control over who can assume the role.

Examples of Secure AWS Command Usage

Here are some examples of how to use AWS commands securely without storing credentials in your code repository:

Copy to S3


    - name: Copy to S3
      id: run S3 command
      run: |
        aws s3 cp s3://s3-bucket/foldername/output.txt output.txt

Login to Amazon ECR


    - name: Login to Amazon ECR
      id: login-ecr
      uses: aws-actions/amazon-ecr-login@v2

Conclusion

By adopting OIDC roles for AWS access, you significantly enhance the security of your development and deployment workflows. This approach eliminates the need to store AWS credentials in GitHub, reducing the risk of unauthorized access and potential security breaches. Start using OIDC roles today to secure your cloud resources and streamline your CI/CD processes.

Newsletter

Welcome to my blog. Subscribe and get my latest blog post in your inbox.
Choose Colour