ã€AWS CDKã€‘GitHub Actionsã§OIDCã‚’ä½¿ç”¨ã—ã¦AWSã¨èªè¨¼ã™ã‚‹æ–¹æ³•

æœ¬æ—¥ã®ãŠé¡Œ

CD/CDãªã©ã§GitHub Actionã‹ã‚‰cdk deployã‚³ãƒžãƒ³ãƒ‰ã‚’å®Ÿæ–½ã™ã‚‹éš›ã«ã€OIDCã‚’ä½¿ç”¨ã—ã¦(IAM Userã®ã‚¢ã‚¯ã‚»ã‚¹ã‚ãƒ¼ï¼†ã‚·ãƒ¼ã‚¯ãƒ¬ãƒƒãƒˆã‚¢ã‚¯ã‚»ã‚¹ã‚ãƒ¼ã§ã¯ãªã)IAM Roleã§AWSã¨èªè¨¼ã‚’è¡Œã†æ–¹æ³•
ä¸Šè¨˜ã‚’AWS CDKã§å®Ÿè£…ã™ã‚‹æ–¹æ³•

ä¸Šè¨˜ã‚’å®Ÿæ–½ã™ã‚‹éš›ã«å¿…è¦ãªæ‰‹é †

IAM OIDC IDãƒ—ãƒãƒã‚¤ãƒ€ãƒ¼ã‚’ä½œæˆã™ã‚‹
èªè¨¼ç”¨ã®IAM Roleã‚’ä½œæˆã™ã‚‹
ä¸Šè¨˜IAM Roleã«å¿…è¦ãªãƒãƒªã‚·ãƒ¼ã‚’ã‚¢ã‚¿ãƒƒãƒã™ã‚‹
GitHub Actionsã«ã¦configure-aws-credentialsã‚’ä½¿ç”¨ã—ã¦AWSã¨èªè¨¼ã™ã‚‹

AWS CDKã®ã‚³ãƒ¼ãƒ‰

ä»Šå›žã¯ã€ã„ããªã‚ŠAWS CDKã®ã‚³ãƒ¼ãƒ‰ã‚’æŽ²è¼‰ã—ã¾ã™ã€‚(å¤šåˆ†ãã®æ–¹ãŒã‚ã‹ã‚Šã‚„ã™ã„ã®ã§)

import * as cdk from 'aws-cdk-lib';
import { aws_iam } from 'aws-cdk-lib';
import { Construct } from 'constructs';

export class OIDCSampleStack extends cdk.Stack {
  constructor(scope: Construct, id: string) {
    super(scope, id);
  
    // cdk deployAWSã‚’å®Ÿæ–½ã™ã‚‹AWSã‚¢ã‚«ã‚¦ãƒ³ãƒˆã¨ãƒªãƒ¼ã‚¸ãƒ§ãƒ³  
    const accountId = this.account;
    const region = this.region;
  
    const user = '<å¯¾è±¡ã®GitHubãƒ¦ãƒ¼ã‚¶ãƒ¼å>';
    const repo = '<å¯¾è±¡ã®ãƒªãƒã‚¸ãƒˆãƒªå>';
    const branch = '<å¯¾è±¡ã®ãƒ–ãƒ©ãƒ³ãƒå>';
  
    // 1. IAM OIDC IDãƒ—ãƒãƒã‚¤ãƒ€ãƒ¼ã‚’ä½œæˆã™ã‚‹  
    const oidcProvider = new aws_iam.OpenIdConnectProvider(
      this,
      'GitHubOIDCProvider',
      {
        url: 'https://token.actions.githubusercontent.com',
        clientIds: ['sts.amazonaws.com'],
      }
    );
  
    // 2. èªè¨¼ç”¨ã®IAM Roleã‚’ä½œæˆã™ã‚‹
    const oidcDeployRole = new aws_iam.Role(this, 'GitHubOidcRole', {
      roleName: 'github-oidc-role',
      assumedBy: new aws_iam.FederatedPrincipal(
        oidcProvider.openIdConnectProviderArn,
        {
          StringLike: {
            'token.actions.githubusercontent.com:sub': `repo:${user}/${repo}:ref:refs/heads/${branch}`,
          },
        },
        'sts:AssumeRoleWithWebIdentity' //ã“ã‚Œã‚’å¿˜ã‚Œã‚‹ã¨Statementã®ActionãŒ'sts:AssumeRole'ã¨ãªã‚ŠOIDCã§ã®AssumeRoleã§ä½¿ãˆãªããªã‚‹ã€‚
      ),
    });
  
    // 3. ä¸Šè¨˜IAM Roleã«å¿…è¦ãªãƒãƒªã‚·ãƒ¼ã‚’ã‚¢ã‚¿ãƒƒãƒã™ã‚‹ 
    const deployPolicy = new aws_iam.Policy(this, 'deployPolicy', {
      policyName: 'deployPolicy',
      statements: [
        new aws_iam.PolicyStatement({
          effect: aws_iam.Effect.ALLOW,
          actions: ['sts:AssumeRole'],
          resources: [
            `arn:aws:iam::${accountId}:role/cdk-hnb659fds-deploy-role-${accountId}-${region}`,
            `arn:aws:iam::${accountId}:role/cdk-hnb659fds-file-publishing-role-${accountId}-${region}`,
            `arn:aws:iam::${accountId}:role/cdk-hnb659fds-image-publishing-role-${accountId}-${region}`,
            `arn:aws:iam::${accountId}:role/cdk-hnb659fds-lookup-role-${accountId}-${region}`,
          ],
        }),
      ],
    });

    oidcDeployRole.attachInlinePolicy(deployPolicy);
  }
}

1. IAM OIDC IDãƒ—ãƒãƒã‚¤ãƒ€ãƒ¼ã‚’ä½œæˆã™ã‚‹

IAM OIDC IDãƒ—ãƒãƒã‚¤ãƒ€ãƒ¼ã‚’ä½œæˆã—ã€ãã®URLã« https://token.actions.githubusercontent.com (ã“ã®ãƒ›ã‚¹ãƒˆåã¯å›ºå®š)ã€ã‚¯ãƒ©ã‚¤ã‚¢ãƒ³ãƒˆIDã«AWS Security Token Service (AWS STS)ã‚’æŒ‡å®šã—ã¾ã™ã€‚

2. èªè¨¼ç”¨ã®IAM Roleã‚’ä½œæˆã™ã‚‹

IAM OIDC IDãƒ—ãƒãƒã‚¤ãƒ€ãƒ¼ã«å¯¾ã—ã€GitHub Actionsã‹ã‚‰ã®ãƒ•ã‚§ãƒ‡ãƒ¬ãƒ¼ã‚·ãƒ§ãƒ³èªè¨¼ã®å ´åˆã«Assume Roleã‚’ã‚’è¨±å¯ã™ã‚‹IAM Roleã‚’ä½œæˆã—ã¾ã™ã€‚
ãã—ã¦ãã®URLã« https://token.actions.githubusercontent.comã€ã‚¯ãƒ©ã‚¤ã‚¢ãƒ³ãƒˆIDã«AWS Security Token Service (AWS STS)ã‚’æŒ‡å®šã—ã¾ã™ã€‚

ã¾ãŸãã®éš›ã«GitHubã®ãƒ¦ãƒ¼ã‚¶ãƒ¼åã€ãƒªãƒã‚¸ãƒˆãƒªåã€ãƒ–ãƒ©ãƒ³ãƒåã‚’æŒ‡å®šã—ã€å¯¾è±¡ã®ãƒ–ãƒ©ãƒ³ãƒã§ã®ã¿èªè¨¼ã‚’è¡Œã†ã‚ˆã†ã«ã—ã¾ã™ã€‚

ãªãŠã“ã®æ™‚assumeRoleActionå¼•æ•°ã«ã€Œsts:AssumeRoleWithWebIdentityã€ã‚’æŒ‡å®šã—ãªã„ã¨OIDCã§ã®AssumeRoleãŒå‡ºæ¥ãªã„ã®ã§æ³¨æ„ã§ã™ã€‚(ã€Œsts:AssumeRoleã€ã§ã¯ãƒ€ãƒ¡)

3. ä¸Šè¨˜IAM Roleã«å¿…è¦ãªãƒãƒªã‚·ãƒ¼ã‚’ã‚¢ã‚¿ãƒƒãƒã™ã‚‹

ä¸Šè¨˜IAM ãƒãƒªã‚·ãƒ¼ã‚’ä½œæˆã—ã€ä¸Šè¨˜IAM Roleã«ã‚¢ã‚¿ãƒƒãƒã—ã¾ã™ã€‚

ä»Šå›žã¯cdk deployã‚’å®Ÿæ–½ã™ã‚‹ç”¨ã®ãƒãƒªã‚·ãƒ¼ã‚’ã‚¤ãƒ³ãƒ©ã‚¤ãƒ³ãƒãƒªã‚·ãƒ¼ã¨ã—ã¦ã‚¢ã‚¿ãƒƒãƒã—ã¦ã„ã¾ã™ã€‚

ã¡ãªã¿ã«ä¸Šè¨˜ãƒãƒªã‚·ãƒ¼ã®å†…å®¹ï¼†sts:AssumeRoleå…ƒã®ãƒªã‚½ãƒ¼ã‚¹ã®å†…å®¹ã«ã¤ã„ã¦ã¯ã€ä¸‹è¨˜ã‚’ã”å‚ç…§ãã ã•ã„ã€‚(äº‹å‰ã« cdk bootstrap ãŒå®Ÿæ–½æ¸ˆã§ã‚ã‚‹ã“ã¨ãŒå‰æã§ã™)

speakerdeck.com

GitHub Enterprise(GHE) ã®å ´åˆ

ã‚‚ã¡ã‚ã‚“ä»Šå›žã®æ–¹æ³•ã¯GHEã§ã‚‚ä½¿ç”¨ã§ãã¾ã™ãŒã€GHEã®å ´åˆã€GitHubã¨ä»¥ä¸‹ã®ç‚¹ãŒç•°ãªã‚Šã¾ã™ã€‚

ãƒ¦ãƒ¼ã‚¶ãƒ¼åã‚’æŒ‡å®šã—ã¦ã„ãŸç®‡æ‰€ã¯ã€GHEã§ã¯organizationåã‚’æŒ‡å®šã™ã‚‹
ãƒ›ã‚¹ãƒˆåã¯ token.actions.githubusercontent.com ã§ã¯ãªãã€ ã€Œ<GHEã®ãƒ‰ãƒ¡ã‚¤ãƒ³å>/_services/tokenã€ã«ãªã‚‹

ä¾‹ãˆã°organizationãŒã€Œmy_orgã€ã€GHEã®ãƒ‰ãƒ¡ã‚¤ãƒ³åãŒã€Œgithub.hogehoge.comã€ã®å ´åˆã€CDKã®ã‚½ãƒ¼ã‚¹ã¯ã“ã†ãªã‚Šã¾ã™ã€‚(å·®åˆ†ã ã‘è¨˜è¼‰)

    const oidcProvider = new aws_iam.OpenIdConnectProvider(
      this,
      'GitHubOIDCProvider',
      {
        url: 'https://github.hogehoge.com/_services/token',
        clientIds: ['sts.amazonaws.com'],
      }
    );
  
    // 2. èªè¨¼ç”¨ã®IAM Roleã‚’ä½œæˆã™ã‚‹
    const oidcDeployRole = new aws_iam.Role(this, 'GitHubOidcRole', {
      roleName: 'github-oidc-role',
      assumedBy: new aws_iam.FederatedPrincipal(
        oidcProvider.openIdConnectProviderArn,
        {
          StringLike: {
            'github.hogehoge.com/_services/token:sub': `repo:my_org/${repo}:ref:refs/heads/${branch}`,
          },
        },
        'sts:AssumeRoleWithWebIdentity' 
      ),
    });
  }
}

OIDC IDãƒ—ãƒãƒã‚¤ãƒ€ãƒ¼ã®ã‚µãƒ ãƒ—ãƒªãƒ³ãƒˆã«ã¤ã„ã¦

ä»Šã¾ã§IAM OIDC IDãƒ—ãƒãƒã‚¤ãƒ€ãƒ¼ã‚’ä½¿ç”¨ã™ã‚‹å ´åˆã€OIDC IDãƒ—ãƒãƒã‚¤ãƒ€ãƒ¼ã®æ¤œè¨¼ç”¨ã«ã‚µãƒ ãƒ—ãƒªãƒ³ãƒˆ(thumbprint)ã‚’è¨å®šã™ã‚‹å¿…è¦ãŒã‚ã‚Šã¾ã—ãŸãŒã€ä»Šå¹´ã®7/6ã‚ˆã‚Šã‚µãƒ ãƒ—ãƒªãƒ³ãƒˆãŒæ¤œè¨¼ã«å¿…è¦ãªããªã‚Šã¾ã—ãŸã€‚

GitHub OIDC is now using library of trusted CAs · Issue #763 · aws-actions/configure-aws-credentials · GitHub

ãªãŠAWS CDKã§ã¯ã‚µãƒ ãƒ—ãƒªãƒ³ãƒˆã¯ä»»æ„é …ç›®ã§ã€CloudFormationã§ã¯å¿…é ˆé …ç›®ã§ã™ãŒã€é©å½“ãªå€¤ã‚’å…¥ã‚Œã¦ãŠã‘ã°è‰¯ã„ã¿ãŸã„ã§ã™ã€‚

GitHub Actions

# ãƒˆãƒªã‚¬è¨å®šã¯é©å®œå¤‰æ›´
# æœ€ä½Žé™ã—ã‹æ›¸ã„ã¦ãªã„ã§ã™(cacheå‡¦ç†ãªã©ã¯çœç•¥)
on: 
  push:
    branches:
      - 'develop'
      - 'main'

jobs:
  deploy:
    runs-on: ubuntu-latest
    env:
      # ä»Šå›žã¯ç›´æŽ¥è¨˜è¼‰ã—ã¦ã„ã‚‹ãŒã€å¿…è¦ã«å¿œã˜ã¦secretsã«ç™»éŒ²ã™ã‚‹
      AWS_ACCOUNT_ID: "<AWSã‚¢ã‚«ã‚¦ãƒ³ãƒˆç•ªå·>"
      AWS_REGION: "ap-northeast-1"
  
    # ã“ã“ã§permissionã‚’è¨å®šã™ã‚‹ã®ãŒå¤§äº‹
    permissions:
      id-token: write
      contents: read
  
    steps:  
      - name: Checkout
        uses: actions/checkout@v3
  
      - name: Install CDK Dependency
        run: npm ci
  
      # 4. GitHubã«ã¦configure-aws-credentialsã‚’ä½¿ç”¨ã—ã¦AWSã¨èªè¨¼ã™ã‚‹  
      - name: Assume Role
        uses: aws-actions/configure-aws-credentials@v2
        with:
          role-to-assume: "arn:aws:iam::${{ env.AWS_ACCOUNT_ID }}:role/github-oidc-role"
          aws-region: ${{ env.AWS_REGION }}
  
      # npm scriptã«ç™»éŒ²ã—ã¦ãŠã„ãŸcdk deployã‚³ãƒžãƒ³ãƒ‰ã‚’å®Ÿæ–½ã™ã‚‹
      - name: Deploy
        run: npm run deploy

ãƒã‚¤ãƒ³ãƒˆã¯ä¸‹è¨˜2ç‚¹ã§ã™

permissionsã«id-token: writeã€contents: readã‚’è¨å®šã™ã‚‹

ã“ã‚Œã‚’è¨å®šã—ãªã„ã¨OIDCã‚’ä½¿ç”¨ã—ã¦cdk deployãŒå®Ÿæ–½ã§ããªã„

aws-actions/configure-aws-credentials@v2ã‚’ä½¿ç”¨ã—ã¦ã€ã€Œ2. èªè¨¼ç”¨ã®IAM Roleã‚’ä½œæˆã™ã‚‹ã€ã§ä½œæˆã—ãŸIAM Roleã§èªè¨¼ã‚’è¡Œã†

ã¡ãªã¿ã«ãƒãƒ¼ãƒ«åã ã¨ã€Œcredentialæƒ…å ±ãŒãªã„ã€ã¿ãŸã„ãªã‚¨ãƒ©ãƒ¼ã«ãªã£ãŸã€‚(secretsã«ã‚¢ã‚¯ã‚»ã‚¹ã‚ãƒ¼ï¼†ã‚·ãƒ¼ã‚¯ãƒ¬ãƒƒãƒˆã‚¢ã‚¯ã‚»ã‚¹ã‚ãƒ¼ã‚’ç™»éŒ²ã™ã‚Œã°OKã‹ã‚‚)

ãŸã ã€ãã‚Œã‚’ã—ãŸããªã„ã‹ã‚‰OIDCã‚’ä½¿ç”¨ã—ã¦ã„ã‚‹ã®ã«ã€ãã‚Œã‚„ã£ãŸã‚‰æ„å‘³ãŒãªã„...

ã¾ã¨ã‚

ä»¥ä¸Šã€AWS CDKã§GitHubã§OIDCã‚’ä½¿ç”¨ã—ã¦AWSã¨èªè¨¼ã™ã‚‹æ–¹æ³•ã§ã—ãŸã€‚

ã‚¢ã‚¯ã‚»ã‚¹ã‚ãƒ¼ï¼†ã‚·ãƒ¼ã‚¯ãƒ¬ãƒƒãƒˆã‚¢ã‚¯ã‚»ã‚¹ã‚ãƒ¼ã¯ã‚»ã‚ãƒ¥ãƒªãƒ†ã‚£çš„ãªè¦³ç‚¹ã‹ã‚‰ã‚‚ã€ç™ºè¡Œã—ãªã„ã§æ¸ˆã‚€ãªã‚‰ãã‚Œã«è¶Šã—ãŸã“ã¨ã¯ãªã„ã®ã§ã€ä»Šå›žã®ã‚ˆã†ãªæ‰‹æ³•ã‚’ç©æ¥µçš„ã«å–ã‚Šå…¥ã‚Œã¦ã€ã‚ˆã‚Šã‚»ã‚ãƒ¥ã‚¢ã«ãªã‚Œã°ã¨æ€ã„ã¾ã™ã€‚

ãªãŠã€GitHubå´ã§ã€Œç‰¹å®šã®IPã‚¢ãƒ‰ãƒ¬ã‚¹ ã‹ã‚‰ã—ã‹æŽ¥ç¶šã‚’è¨±å¯ã—ã¦ã„ãªã„ã€ã‚ˆã†ãªè¨å®šã‚’ã—ã¦ã„ã‚‹å ´åˆã€ã“ã®æ–¹æ³•ãŒä½¿ãˆãªã„ã®ã§ã€ãã®å ´åˆã¯æ®‹å¿µãªãŒã‚‰ã“ã®æ–¹æ³•ã¯ä½¿ãˆã¾ã›ã‚“ã€‚(GHEã§ã‚ã‚ŠãŒã¡)

ã§ã¯ã€ä»Šå›žã¯ã“ã®è¾ºã§ã€‚

echo("å‚™å¿˜éŒ²");

ITæŠ€è¡“ã‚„ãƒ—ãƒã‚°ãƒ©ãƒŸãƒ³ã‚°é–¢é€£ãªã©ã€æŠ€è¡“ç³»ã®äº‹ã‚’å‚™å¿˜éŒ²çš„ã«ã¾ã¨ã‚ã¦ã„ã¾ã™ã€‚

ã€AWS CDKã€‘GitHub Actionsã§OIDCã‚’ä½¿ç”¨ã—ã¦AWSã¨èªè¨¼ã™ã‚‹æ–¹æ³•

æœ¬æ—¥ã®ãŠé¡Œ

ä¸Šè¨˜ã‚’å®Ÿæ–½ã™ã‚‹éš›ã«å¿…è¦ãªæ‰‹é †

AWS CDKã®ã‚³ãƒ¼ãƒ‰

1. IAM OIDC IDãƒ—ãƒãƒã‚¤ãƒ€ãƒ¼ã‚’ä½œæˆã™ã‚‹

2. èªè¨¼ç”¨ã®IAM Roleã‚’ä½œæˆã™ã‚‹

3. ä¸Šè¨˜IAM Roleã«å¿…è¦ãªãƒãƒªã‚·ãƒ¼ã‚’ã‚¢ã‚¿ãƒƒãƒã™ã‚‹

GitHub Enterprise(GHE) ã®å ´åˆ

OIDC IDãƒ—ãƒãƒã‚¤ãƒ€ãƒ¼ã®ã‚µãƒ ãƒ—ãƒªãƒ³ãƒˆã«ã¤ã„ã¦

GitHub Actions

permissionsã«id-token: writeã€contents: readã‚’è¨å®šã™ã‚‹

aws-actions/configure-aws-credentials@v2ã‚’ä½¿ç”¨ã—ã¦ã€ã€Œ2. èªè¨¼ç”¨ã®IAM Roleã‚’ä½œæˆã™ã‚‹ã€ã§ä½œæˆã—ãŸIAM Roleã§èªè¨¼ã‚’è¡Œã†

ã¾ã¨ã‚

æœ¬æ—¥ã®ãŠé¡Œ

ä¸Šè¨˜ã‚’å®Ÿæ–½ã™ã‚‹éš›ã«å¿…è¦ãªæ‰‹é †

AWS CDKã®ã‚³ãƒ¼ãƒ‰

1. IAM OIDC IDãƒ—ãƒ­ãƒã‚¤ãƒ€ãƒ¼ã‚’ä½œæˆã™ã‚‹

2. èªè¨¼ç”¨ã®IAM Roleã‚’ä½œæˆã™ã‚‹

3. ä¸Šè¨˜IAM Roleã«å¿…è¦ãªãƒãƒªã‚·ãƒ¼ã‚’ã‚¢ã‚¿ãƒƒãƒã™ã‚‹

GitHub Enterprise(GHE) ã®å ´åˆ

OIDC IDãƒ—ãƒ­ãƒã‚¤ãƒ€ãƒ¼ã®ã‚µãƒ ãƒ—ãƒªãƒ³ãƒˆã«ã¤ã„ã¦

GitHub Actions

permissionsã«id-token: writeã€contents: readã‚’è¨­å®šã™ã‚‹

aws-actions/configure-aws-credentials@v2ã‚’ä½¿ç”¨ã—ã¦ã€ã€Œ2. èªè¨¼ç”¨ã®IAM Roleã‚’ä½œæˆã™ã‚‹ã€ã§ä½œæˆã—ãŸIAM Roleã§èªè¨¼ã‚’è¡Œã†

ã¾ã¨ã‚

æœ¬æ—¥ã®ãŠé¡Œ

ä¸Šè¨˜ã‚’å®Ÿæ–½ã™ã‚‹éš›ã«å¿…è¦ãªæ‰‹é †

AWS CDKã®ã‚³ãƒ¼ãƒ‰

1. IAM OIDC IDãƒ—ãƒãƒã‚¤ãƒ€ãƒ¼ã‚’ä½œæˆã™ã‚‹

2. èªè¨¼ç”¨ã®IAM Roleã‚’ä½œæˆã™ã‚‹

3. ä¸Šè¨˜IAM Roleã«å¿…è¦ãªãƒãƒªã‚·ãƒ¼ã‚’ã‚¢ã‚¿ãƒƒãƒã™ã‚‹

GitHub Enterprise(GHE) ã®å ´åˆ

OIDC IDãƒ—ãƒãƒã‚¤ãƒ€ãƒ¼ã®ã‚µãƒ ãƒ—ãƒªãƒ³ãƒˆã«ã¤ã„ã¦

permissionsã«id-token: writeã€contents: readã‚’è¨å®šã™ã‚‹

aws-actions/configure-aws-credentials@v2ã‚’ä½¿ç”¨ã—ã¦ã€ã€Œ2. èªè¨¼ç”¨ã®IAM Roleã‚’ä½œæˆã™ã‚‹ã€ã§ä½œæˆã—ãŸIAM Roleã§èªè¨¼ã‚’è¡Œã†

ã¾ã¨ã‚