AWS federation comes to GitHub Actions
GitHub Actions has new functionality that can vend OpenID Connect credentials to jobs running on the platform. This is very exciting for AWS account administrators, as it means that CI/CD jobs no longer need any long-term secrets to be stored in GitHub.

First, create an AWS IAM OIDC identity provider and an AWS IAM role that GitHub Actions can assume. Ok, this new role can now be assumed by GitHub Actions, but crucially: only by jobs in my aidansteele/aws-federation-github-actions repo.

Tada, you now have a GitHub Actions workflow that assumes your role. It works because the AWS SDKs have supported the AWS_WEB_IDENTITY_TOKEN_FILE and AWS_ROLE_ARN environment variables since AWS EKS needed them.

AWS requires role session tags to follow a fairly specific format, one that I doubt GitHub Actions will implement.
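The "only jobs in my repo" restriction lives entirely in the IAM role's trust policy, so it is worth seeing what a policy that forgets it looks like next to one that enforces it. The following is an added example, not code from the post or from AWS: it builds both trust policies and runs a simplified evaluation of each against constructed GitHub OIDC token claims. The claim names (iss, aud, sub), the token.actions.githubusercontent.com issuer and the `<provider>:aud` / `<provider>:sub` condition keys are the real ones; the account id, the audience value, and the repository claim values are assumptions made up for the example.

```python
"""Compare a loose and a strict IAM trust policy for GitHub Actions OIDC (added example)."""
import fnmatch
import json

PROVIDER = "token.actions.githubusercontent.com"          # GitHub's OIDC issuer host
ACCOUNT = "123456789012"                                   # placeholder AWS account id
PROVIDER_ARN = f"arn:aws:iam::{ACCOUNT}:oidc-provider/{PROVIDER}"
AUDIENCE = "sts.amazonaws.com"   # assumed audience; the workflow must request the same value

# Constructed claims: the claim names are the ones GitHub puts in its token,
# the values are made up for this example.
MY_REPO_CLAIMS = {
    "iss": f"https://{PROVIDER}",
    "aud": AUDIENCE,
    "sub": "repo:aidansteele/aws-federation-github-actions:ref:refs/heads/main",
}
OTHER_REPO_CLAIMS = {
    "iss": f"https://{PROVIDER}",
    "aud": AUDIENCE,
    "sub": "repo:some-other-org/some-other-repo:ref:refs/heads/main",
}


def trust_policy(sub_pattern=None):
    """Build the role trust policy.

    With no sub_pattern only the audience is checked, so a token from *any*
    GitHub repository that requested AUDIENCE satisfies it. With a sub_pattern,
    assumption is limited to tokens whose sub claim matches that pattern."""
    condition = {"StringEquals": {f"{PROVIDER}:aud": AUDIENCE}}
    if sub_pattern is not None:
        condition["StringLike"] = {f"{PROVIDER}:sub": sub_pattern}
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": PROVIDER_ARN},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": condition,
        }],
    }


def _claim_values(claims, condition_key):
    """Map a 'host:claim' condition key onto the token claim; aud may be a list."""
    name = condition_key.split(":", 1)[1]
    value = claims.get(name)
    return value if isinstance(value, list) else [value]


def _matches(operator, expected, actual_values):
    """StringEquals is exact; StringLike allows IAM-style * and ? wildcards."""
    expected = expected if isinstance(expected, list) else [expected]
    for actual in actual_values:
        if actual is None:
            continue
        for want in expected:
            if operator == "StringEquals" and actual == want:
                return True
            if operator == "StringLike" and fnmatch.fnmatchcase(actual, want):
                return True
    return False


def would_allow(policy, claims):
    """Simplified trust-policy evaluation: the token issuer must be the
    provider named in the Principal, and every condition key must match."""
    if claims.get("iss") != f"https://{PROVIDER}":
        return False
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or stmt["Action"] != "sts:AssumeRoleWithWebIdentity":
            continue
        if stmt["Principal"].get("Federated") != PROVIDER_ARN:
            continue
        checks = [(op, key, want)
                  for op, keys in stmt.get("Condition", {}).items()
                  for key, want in keys.items()]
        if all(_matches(op, want, _claim_values(claims, key)) for op, key, want in checks):
            return True
    return False


if __name__ == "__main__":
    loose = trust_policy()
    strict = trust_policy("repo:aidansteele/aws-federation-github-actions:*")
    print(json.dumps(strict, indent=2))
    for name, policy in (("loose", loose), ("strict", strict)):
        print(name, "my repo:", would_allow(policy, MY_REPO_CLAIMS),
              "other repo:", would_allow(policy, OTHER_REPO_CLAIMS))
```

The loose policy accepts the foreign repository's token because nothing in it mentions the repository at all; the strict one rejects it on the sub condition. When auditing a role like this, the sub pattern is the line to read first, and a pattern ending in a bare `*` after the repository name also admits every branch, tag and pull request of that repository.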