Pushing container images to ECR from GitHub Actions using OIDC
Introduction
GitHub Actions can now authenticate to AWS with OIDC (OpenID Connect) without configuring an AWS access key and secret key. Since there is no key material to set and no keys to manage, this is both easier and safer!
OpenID Connect (OIDC) allows your GitHub Actions workflows to access resources in Amazon Web Services (AWS), without needing to store the AWS credentials as long-lived GitHub secrets.
Creating the OIDC provider
Configuring OpenID Connect in Amazon Web Services - GitHub Docs
- Information required to create the identity provider (taken from the page above)
  - For the provider URL: use https://token.actions.githubusercontent.com
  - For the "Audience": use sts.amazonaws.com
- Trust relationship

```json
{
  "Version": "2008-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::${AWS_ACCOUNT}:oidc-provider/token.actions.githubusercontent.com"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringLike": {
          "token.actions.githubusercontent.com:sub": "repo:${GITHUB_ACCOUNT_NAME}/${GITHUB_REPO_NAME}:*"
        }
      }
    }
  ]
}
```
- Policy attached to the role

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowPush",
      "Effect": "Allow",
      "Action": [
        "ecr:GetAuthorizationToken",
        "ecr:PutImage",
        "ecr:InitiateLayerUpload",
        "ecr:UploadLayerPart",
        "ecr:CompleteLayerUpload",
        "ecr:BatchCheckLayerAvailability"
      ],
      "Resource": "*"
    }
  ]
}
```
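As an added example (not from the original post), a small Python check for a trust relationship shaped like the one above: it flags a statement that lacks an `aud` condition for sts.amazonaws.com (the audience the provider was created with) and a `sub` pattern that is not scoped to one repository or that ends in `:*`, and it tests which `sub` claims a StringLike pattern would admit. The account id and repository in the sample policy are constructed placeholders.

```python
import json
from fnmatch import fnmatchcase

ISSUER = "token.actions.githubusercontent.com"

# Constructed sample with the same shape as the trust relationship in the post (placeholder values).
TRUST_POLICY = json.loads("""{
  "Version": "2008-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"Federated": "arn:aws:iam::111122223333:oidc-provider/token.actions.githubusercontent.com"},
    "Action": "sts:AssumeRoleWithWebIdentity",
    "Condition": {"StringLike": {"token.actions.githubusercontent.com:sub": "repo:example-org/example-repo:*"}}
  }]
}""")


def _conditions(stmt: dict) -> dict:
    """Flatten {operator: {key: value | [values]}} into {key: [values]}."""
    flat: dict = {}
    for kv in stmt.get("Condition", {}).values():
        for key, val in kv.items():
            flat.setdefault(key, []).extend(val if isinstance(val, list) else [val])
    return flat


def check_trust_policy(policy: dict) -> list:
    """Return findings for every statement that allows sts:AssumeRoleWithWebIdentity."""
    findings = []
    for i, stmt in enumerate(policy["Statement"]):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") != "Allow" or "sts:AssumeRoleWithWebIdentity" not in actions:
            continue
        cond = _conditions(stmt)
        if "sts.amazonaws.com" not in cond.get(f"{ISSUER}:aud", []):
            findings.append(f"statement {i}: no {ISSUER}:aud condition for sts.amazonaws.com")
        subs = cond.get(f"{ISSUER}:sub", [])
        if not subs:
            findings.append(f"statement {i}: no {ISSUER}:sub condition, so no repository restriction")
        for pat in subs:
            if not pat.startswith("repo:") or pat.startswith("repo:*"):
                findings.append(f"statement {i}: sub pattern {pat!r} is not scoped to one repository")
            elif pat.endswith(":*"):
                findings.append(f"statement {i}: sub pattern {pat!r} covers every branch, tag, PR and environment")
    return findings


def sub_allowed(policy: dict, sub_claim: str) -> bool:
    """Would a token with this sub claim match one of the StringLike sub patterns (* and ? wildcards)?"""
    pats = [p for s in policy["Statement"] for p in _conditions(s).get(f"{ISSUER}:sub", [])]
    return any(fnmatchcase(sub_claim, p) for p in pats)
```

Narrowing the pattern to `repo:ORG/REPO:ref:refs/heads/main` makes only pushes to main eligible; adding a `StringEquals` on `token.actions.githubusercontent.com:aud` removes the first finding.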
Configuring GitHub Actions
I stored these in the repository Secrets (because they contain the account number).

```yaml
env:
  AWS_ACCOUNT: ${{ secrets.AWS_ACCOUNT }}
  IAM_ROLE_ARN: ${{ secrets.IAM_ROLE_ARN }}
```

```
.
├── .github
│   └── workflows
│       └── main.yaml
└── Dockerfile
```
.github/workflows/main.yaml
```yaml
name: Registry docker image to ECR
on:
  push:
    branches:
      - main
    paths:
      - ./**
      - .github/workflows/main.yaml
env:
  REPO_NAME: product-a
  ECR_REGION: ap-northeast-1
  AWS_ACCOUNT: ${{ secrets.AWS_ACCOUNT }}
  IAM_ROLE_ARN: ${{ secrets.IAM_ROLE_ARN }}
permissions:
  id-token: write
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - name: Configure AWS Credentials
        uses: aws-actions/configure-aws-credentials@v1
        with:
          aws-region: ${{ env.ECR_REGION }}
          role-to-assume: ${{ env.IAM_ROLE_ARN }}
      - name: Login to ECR
        uses: docker/login-action@v1
        env:
          ECR_REGISTRY: ${{ env.AWS_ACCOUNT }}.dkr.ecr.${{ env.ECR_REGION }}.amazonaws.com
        with:
          registry: ${{ env.ECR_REGISTRY }}
      - name: Docker build and push to ECR
        uses: docker/build-push-action@v2
        env:
          ECR_REPOSITORY: ${{ env.AWS_ACCOUNT }}.dkr.ecr.${{ env.ECR_REGION }}.amazonaws.com/${{ env.REPO_NAME }}
        with:
          push: true
          tags: |
            ${{ env.ECR_REPOSITORY }}:latest
            ${{ env.ECR_REPOSITORY }}:${{ github.sha }}
```
- Result in the ECR repository