My Note

A blog for my own understanding

Pushing a container image to ECR from GitHub Actions using OIDC

Introduction

GitHub Actions can now authenticate to AWS with OIDC (OpenID Connect) without configuring an AWS access key and secret key. Since no key material has to be stored and no keys have to be managed, this is both easier and safer!

docs.github.com

OpenID Connect (OIDC) allows your GitHub Actions workflows to access resources in Amazon Web Services (AWS), without needing to store the AWS credentials as long-lived GitHub secrets.

Create the OIDC provider

Configuring OpenID Connect in Amazon Web Services - GitHub Docs

  • Information needed to create the identity provider (taken from the site above)
    For the provider URL: use https://token.actions.githubusercontent.com
    For the "Audience": use sts.amazonaws.com



  • Trust relationship (trust policy of the IAM role)
{
  "Version": "2008-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::${AWS_ACCOUNT}:oidc-provider/token.actions.githubusercontent.com"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringLike": {
          "token.actions.githubusercontent.com:sub": "repo:${GITHUB_ACCOUNT_NAME}/${GITHUB_REPO_NAME}:*"
        }
      }
    }
  ]
}
  • Policy attached to the role
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowPush",
            "Effect": "Allow",
            "Action": [
                "ecr:GetAuthorizationToken",
                "ecr:PutImage",
                "ecr:InitiateLayerUpload",
                "ecr:UploadLayerPart",
                "ecr:CompleteLayerUpload",
                "ecr:BatchCheckLayerAvailability"
            ],
            "Resource": "*"
        }
    ]
}
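To see exactly which GitHub OIDC tokens the trust policy above admits, here is an added evaluator (my own code, not from the original post or from AWS) that applies IAM's StringLike / StringEquals semantics to the token's sub and aud claims. The account ID, repository names and claim values are constructed; the aud condition is an extra hardening that GitHub's AWS documentation recommends, not part of the post's policy.

```python
import re

# Trust policy from the post, placeholders filled with constructed values,
# plus an added StringEquals condition pinning the audience the workflow requested.
TRUST_POLICY = {
    "Version": "2008-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": "arn:aws:iam::123456789012:oidc-provider/token.actions.githubusercontent.com"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {
            "StringLike": {"token.actions.githubusercontent.com:sub": "repo:example-org/example-repo:*"},
            "StringEquals": {"token.actions.githubusercontent.com:aud": "sts.amazonaws.com"},
        },
    }],
}

def string_like(pattern: str, value: str) -> bool:
    """IAM StringLike: case-sensitive; '*' matches any run of characters, '?' exactly one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None

def condition_allows(condition: dict, claims: dict) -> bool:
    """Evaluate the condition operators used in OIDC trust policies; every key must match."""
    ops = {"StringLike": string_like, "StringEquals": lambda p, v: p == v}
    for op, entries in condition.items():
        if op not in ops:
            raise NotImplementedError(f"condition operator {op} not modelled here")
        for key, expected in entries.items():
            claim = key.split(":", 1)[1]  # "token.actions.githubusercontent.com:sub" -> "sub"
            patterns = expected if isinstance(expected, list) else [expected]
            if not any(ops[op](p, claims.get(claim, "")) for p in patterns):
                return False
    return True

def can_assume_role(policy: dict, claims: dict) -> bool:
    """True if an Allow statement for AssumeRoleWithWebIdentity accepts these token claims."""
    return any(
        s["Effect"] == "Allow"
        and s["Action"] == "sts:AssumeRoleWithWebIdentity"
        and s["Principal"].get("Federated", "").endswith("/token.actions.githubusercontent.com")
        and condition_allows(s.get("Condition", {}), claims)
        for s in policy["Statement"]
    )

# Constructed claim sets in the shape GitHub uses for the sub claim of its OIDC token.
MAIN_PUSH = {"sub": "repo:example-org/example-repo:ref:refs/heads/main", "aud": "sts.amazonaws.com"}
PULL_REQUEST = {"sub": "repo:example-org/example-repo:pull_request", "aud": "sts.amazonaws.com"}
OTHER_REPO = {"sub": "repo:other-org/other-repo:ref:refs/heads/main", "aud": "sts.amazonaws.com"}
WRONG_AUD = {"sub": "repo:example-org/example-repo:ref:refs/heads/main", "aud": "https://github.com/example-org"}
```

Note that the post's `repo:<owner>/<repo>:*` pattern admits tokens from every branch and from pull_request runs of that repository; narrowing it to `repo:<owner>/<repo>:ref:refs/heads/main` restricts the role to the main branch that the workflow's push trigger targets.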

Configure GitHub Actions

I set these in the repository Secrets (because they contain the account number).

env:
  AWS_ACCOUNT: ${{ secrets.AWS_ACCOUNT }}
  IAM_ROLE_ARN: ${{ secrets.IAM_ROLE_ARN }}


.
├── .github
│   └── workflows
│       └── main.yaml
└── Dockerfile
  • .github/workflows/main.yaml
name: Registry docker image to ECR
on:
  push:
    branches:
      - main
    paths:
      - ./**
      - .github/workflows/main.yaml

env:
  REPO_NAME: product-a
  ECR_REGION: ap-northeast-1
  AWS_ACCOUNT: ${{ secrets.AWS_ACCOUNT }}
  IAM_ROLE_ARN: ${{ secrets.IAM_ROLE_ARN }}

# id-token: write is required for the job to request an OIDC token from GitHub.
permissions:
  id-token: write
  contents: read

jobs:
  build:
    runs-on: ubuntu-latest

    steps:
      - uses: actions/checkout@v2

      # Exchanges the GitHub OIDC token for temporary credentials of the role
      # via sts:AssumeRoleWithWebIdentity; no access key or secret key is stored.
      - name: Configure AWS Credentials
        uses: aws-actions/configure-aws-credentials@v1
        with:
          aws-region: ${{ env.ECR_REGION }}
          role-to-assume: ${{ env.IAM_ROLE_ARN }}

      # login-action detects an ECR registry hostname and authenticates with the
      # temporary credentials set up by the previous step.
      - name: Login to ECR
        uses: docker/login-action@v1
        env:
          ECR_REGISTRY: ${{ env.AWS_ACCOUNT }}.dkr.ecr.${{ env.ECR_REGION }}.amazonaws.com
        with:
          registry: ${{ env.ECR_REGISTRY }}

      # Builds the Dockerfile at the repository root and pushes both a latest tag
      # and an immutable tag keyed on the commit SHA.
      - name: Docker build and push to ECR
        uses: docker/build-push-action@v2
        env:
          ECR_REPOSITORY: ${{ env.AWS_ACCOUNT }}.dkr.ecr.${{ env.ECR_REGION }}.amazonaws.com/${{ env.REPO_NAME }}
        with:
          push: true
          tags: |
            ${{ env.ECR_REPOSITORY }}:latest
            ${{ env.ECR_REPOSITORY }}:${{ github.sha }}
