I recently helped a client migrate their DevOps pipelines to GitHub Actions. One of the nice features about GitHub is that it's relatively easy to set up and use an identity provider that will allow GitHub to do what it needs without having to store credentials. I found some great resources online for how to do this, including this one for Terraform. In my case I needed to write one using CloudFormation. Thought I'd share:
The above contains a sample CFN doc for creating the Identity Provider and a sample role that allows access to ECR. The condition in the role's trust policy (the `AssumeRolePolicyDocument`) restricts its use to a specific repo, matched against the `sub` claim of the GitHub-issued OIDC token, so that other arbitrary GitHub users can't assume the role.
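For readers who cannot see the embedded document, here is an added example of the same pattern written for this page; it is not the author's template. It creates the GitHub OIDC provider and a role that can push to one ECR repository. The parameter names, the role name `github-actions-ecr-push`, the policy name `ecr-push`, and the thumbprint value are assumptions: verify the thumbprint against GitHub's current documentation before deploying.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: GitHub Actions OIDC provider and an ECR push role (added example)

Parameters:
  GitHubOrg:
    Type: String
    Description: GitHub org or user that owns the repository (assumed placeholder)
  GitHubRepo:
    Type: String
    Description: Repository name allowed to assume the role (assumed placeholder)
  EcrRepositoryArn:
    Type: String
    Description: ARN of the ECR repository the workflow pushes to (assumed placeholder)

Resources:
  # One provider per account; the URL and audience are fixed by GitHub/AWS.
  GitHubOidcProvider:
    Type: AWS::IAM::OIDCProvider
    Properties:
      Url: https://token.actions.githubusercontent.com
      ClientIdList:
        - sts.amazonaws.com
      ThumbprintList:
        # Published GitHub OIDC thumbprint (assumed current; verify before use)
        - 6938fd4d98bab03faadb97b34396831e3780aea1

  GitHubActionsEcrRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: github-actions-ecr-push   # assumed name
      # The trust policy is the security boundary: without the Condition block,
      # ANY GitHub repository could assume this role.
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Federated: !GetAtt GitHubOidcProvider.Arn
            Action: sts:AssumeRoleWithWebIdentity
            Condition:
              # Token must have been minted for AWS STS, not some other audience.
              StringEquals:
                token.actions.githubusercontent.com:aud: sts.amazonaws.com
              # Token must come from this exact repo. The trailing ":*" admits
              # every branch, tag, PR and environment in the repo; to allow only
              # the main branch, use
              #   repo:ORG/REPO:ref:refs/heads/main  with StringEquals instead.
              StringLike:
                token.actions.githubusercontent.com:sub: !Sub "repo:${GitHubOrg}/${GitHubRepo}:*"
      Policies:
        - PolicyName: ecr-push   # assumed name
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              # GetAuthorizationToken is account-wide and cannot be scoped to a repo.
              - Effect: Allow
                Action: ecr:GetAuthorizationToken
                Resource: "*"
              # Everything else is limited to the one repository the pipeline needs.
              - Effect: Allow
                Action:
                  - ecr:BatchCheckLayerAvailability
                  - ecr:BatchGetImage
                  - ecr:GetDownloadUrlForLayer
                  - ecr:InitiateLayerUpload
                  - ecr:UploadLayerPart
                  - ecr:CompleteLayerUpload
                  - ecr:PutImage
                Resource: !Ref EcrRepositoryArn

Outputs:
  RoleArn:
    Description: Pass this to aws-actions/configure-aws-credentials as role-to-assume
    Value: !GetAtt GitHubActionsEcrRole.Arn
```

Two checks worth doing after deployment: confirm the `sub` pattern is anchored to an org and repo you control (a pattern such as `repo:*` or `repo:${GitHubOrg}/*` would let any repository, or any repository in the org, assume the role), and confirm the `aud` condition is present, since the repo condition alone does not stop a token issued for a different audience from being presented to STS.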