Warning: We recommend that you don't store any sensitive information in the cache of public repositories. For example, sensitive information can include access tokens or login credentials stored in a file in the cache path. Also, command line interface (CLI) programs like docker login can save access credentials in a configuration file. Anyone with read access can create a pull request on a repository and access the contents of the cache. Forks of a repository can also create pull requests on the base branch and access caches on the base branch.
https://docs.github.com/en/actions/advanced-guides/caching-dependencies-to-speed-up-workflows
```yaml
# ./.github/actions/aws_oidc_auth_single/action.yaml
name: aws oidc auth
description: |
  Get aws oidc auth.
inputs:
  role-to-assume:
    description: "AWS IAM Role to assume 1"
    required: true
runs:
  using: "composite"  # this is the key point
  steps:
    - name: Configure AWS Credentials
      uses: aws-actions/configure-aws-credentials@master
      with:
        aws-region: ap-northeast-1
        role-to-assume: ${{ inputs.role-to-assume }}
        role-session-name: GitHubActions-${{ github.run_id }}
    - name: get-caller-identity shows myrole_A on both the 1st and 2nd run (the 2nd run should be myrole_B, but the result is incorrect)
      run: aws sts get-caller-identity
      shell: bash
```
When a workflow requests credentials through the GitHub OIDC provider, AWS checks the claims in the token against the IAM role's trust policy: the `aud` claim (`sts.amazonaws.com` by default) and the `sub` claim, which for a push encodes the requesting repository owner/repository name and branch as `repo:<owner>/<repo>:ref:refs/heads/<branch>`. Only if those conditions match can the role be assumed via `sts:AssumeRoleWithWebIdentity`. In other words, it is enough to put the repository/branch restriction in the role's trust policy and attach the IAM policies the job needs to that same role.
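To make the trust-policy check concrete, here is an added example (not code from the original post) that holds a trust policy of the shape described above and evaluates it against constructed GitHub token claims for a push to `main`, a push to another branch, a `pull_request` run and a different repository. The account ID, `my-org/my-repo` and the branch are placeholders; the matcher is a simplified model of IAM's `StringEquals`/`StringLike` operators, written here only to show which runs a given `sub` pattern admits, and it also shows why the common `repo:<owner>/<repo>:*` shortcut lets `pull_request` tokens through.

```python
"""Model of how an IAM role trust policy filters GitHub OIDC tokens.

Added example, not from the original post. The policy document and the
sample token claims are constructed; ACCOUNT_ID, my-org/my-repo and the
branch are placeholders. _match() is a simplified model of IAM's
StringEquals / StringLike operators (case-sensitive, '*' and '?' wildcards).
"""
import fnmatch
import json

ISSUER = "token.actions.githubusercontent.com"
ACCOUNT_ID = "123456789012"  # placeholder account

# Trust policy for the role the workflow assumes: only tokens whose `aud` is
# sts.amazonaws.com and whose `sub` names this repo's main branch may call
# AssumeRoleWithWebIdentity.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Federated": f"arn:aws:iam::{ACCOUNT_ID}:oidc-provider/{ISSUER}"
            },
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "StringEquals": {f"{ISSUER}:aud": "sts.amazonaws.com"},
                "StringLike": {
                    f"{ISSUER}:sub": "repo:my-org/my-repo:ref:refs/heads/main"
                },
            },
        }
    ],
}


def _match(operator: str, expected, actual: str) -> bool:
    patterns = expected if isinstance(expected, list) else [expected]
    if operator == "StringEquals":
        return actual in patterns
    if operator == "StringLike":
        # IAM StringLike: '*' = any run of chars, '?' = one char. fnmatchcase
        # also understands '[...]', which IAM does not; keep brackets out of patterns.
        return any(fnmatch.fnmatchcase(actual, p) for p in patterns)
    raise ValueError(f"unsupported operator {operator}")


def allowed(policy: dict, claims: dict) -> bool:
    """True if every condition of some Allow statement holds for these claims."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        ok = True
        for operator, keys in stmt.get("Condition", {}).items():
            for key, expected in keys.items():
                claim = key.split(":", 1)[1]  # "<issuer>:sub" -> "sub"
                if claim not in claims or not _match(operator, expected, claims[claim]):
                    ok = False
        if ok:
            return True
    return False


def github_claims(sub: str) -> dict:
    """Constructed claims in the shape GitHub issues (iss/aud/sub only)."""
    return {"iss": f"https://{ISSUER}", "aud": "sts.amazonaws.com", "sub": sub}


PUSH_MAIN = github_claims("repo:my-org/my-repo:ref:refs/heads/main")
PUSH_FEATURE = github_claims("repo:my-org/my-repo:ref:refs/heads/feature")
PULL_REQUEST = github_claims("repo:my-org/my-repo:pull_request")  # PR-event sub format
OTHER_REPO = github_claims("repo:my-org/other-repo:ref:refs/heads/main")


def widen_to_whole_repo(policy: dict) -> dict:
    """Copy of the policy with sub = repo:my-org/my-repo:* (the 'just trust the
    repo' shortcut), which also admits pull_request-triggered tokens."""
    wide = json.loads(json.dumps(policy))
    wide["Statement"][0]["Condition"]["StringLike"][f"{ISSUER}:sub"] = "repo:my-org/my-repo:*"
    return wide


if __name__ == "__main__":
    wide = widen_to_whole_repo(TRUST_POLICY)
    for name, claims in [("push main", PUSH_MAIN), ("push feature", PUSH_FEATURE),
                         ("pull_request", PULL_REQUEST), ("other repo", OTHER_REPO)]:
        print(f"{name:13} strict={allowed(TRUST_POLICY, claims)!s:5} "
              f"wildcard={allowed(wide, claims)}")
```

The strict pattern admits only the `main` push; the widened pattern still rejects the other repository but admits `pull_request` runs, which is what the caching warning at the top of this page is about: anyone who can open a pull request would then be able to obtain the role's credentials.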
```yaml
name: aws oidc credential
on:
  workflow_dispatch:
  push:
    branches: ["main"]
# allow the job to request the OIDC id-token
permissions:
  id-token: write  # required!
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - name: Configure AWS Credentials
        # must use "master", not "v1": v1 is not yet released with role-to-assume via OIDC.
        # Error seen with v1: Credentials could not be loaded, please check your action inputs: Could not load credentials from any providers
        # Caveat: @master tracks a moving branch. Once a tagged release supports this,
        # pin a tag or a full commit SHA so the code that handles your credentials cannot change underneath you.
        uses: aws-actions/configure-aws-credentials@master
        with:
          aws-region: ap-northeast-1
          role-to-assume: ${{ secrets.AWS_ROLE_TO_ASSUME }}
          role-session-name: GitHubActions-${{ github.run_id }}
          role-duration-seconds: 900  # minimum: 900 sec, maximum: the IAM role's session duration
      - name: get-caller-identity is allowed to run on the role.
        run: aws sts get-caller-identity
```