How to Deploy a Container from GitHub to AWS ECR through OIDC

Syed Omair - Feb 27 - - Dev Community

Deploying a container from GitHub Actions to AWS Elastic Container Registry (ECR) can be done securely using OpenID Connect (OIDC). This method eliminates the need to store long-lived AWS credentials, making your CI/CD pipeline more secure. This guide will walk you through setting up OIDC authentication for GitHub Actions to push Docker images to AWS ECR.

Step 1: Enable OIDC Provider in AWS

  • Sign in to AWS Console and navigate to IAM.
  • Go to Identity providers > Add provider.
  • Select OpenID Connect as the provider type.
  • Enter the Provider URL:
https://token.actions.githubusercontent.com
  • Click Get thumbprint (AWS will auto-populate this).
  • Under Audience, enter:
sts.amazonaws.com
  • Click Add provider.

Step 2: Create an IAM Role for GitHub Actions

  • In the AWS Console, go to IAM > Roles > Create Role.
  • Select Web identity as the trusted entity type.
  • Choose the OIDC provider you just created.
  • Under Audience, select sts.amazonaws.com.
  • Click Next.

Step 3: Attach Policies for ECR Access

  • Create a custom policy for finer-grained control, for example the one below. It grants these actions on every repository ("Resource": "*"): ecr:GetAuthorizationToken only works with a wildcard resource, but the repository-level actions can be scoped to the ARNs of the repositories this pipeline pushes to.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ecr:GetAuthorizationToken",
                "ecr:BatchCheckLayerAvailability",
                "ecr:PutImage",
                "ecr:InitiateLayerUpload",
                "ecr:UploadLayerPart",
                "ecr:CompleteLayerUpload",
                "ecr:DescribeRepositories",
                "ecr:CreateRepository",
                "ecr:ListImages",
                "ecr:BatchDeleteImage"
            ],
            "Resource": "*"
        }
    ]
}
  • Click Next, then give the role a name (e.g., GitHubActionsECR).
  • Click Create role.

Step 4: Update Trust Policy

Modify the trust policy to allow GitHub Actions to assume this role:

  • Go to IAM > Roles > Select your role (GitHubActionsECR).
  • Click Trust relationships > Edit trust policy.
  • Replace the existing policy with:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Federated": "arn:aws:iam::<AWS_ACCOUNT_ID>:oidc-provider/token.actions.githubusercontent.com"
            },
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "StringEquals": {
                    "token.actions.githubusercontent.com:aud": "sts.amazonaws.com"
                },
                "StringLike": {
                    "token.actions.githubusercontent.com:sub": "repo:<GITHUB_ORG_OR_USER>/<REPO_NAME>:*"
                }
            }
        }
    ]
}

(Replace <AWS_ACCOUNT_ID> with your AWS account ID.)
(Replace <GITHUB_ORG_OR_USER>/<REPO_NAME> with your GitHub organization or user name and repository name.)

  • Click Update policy.

Step 5: Configure GitHub Actions Workflow

In your GitHub repository:

  • Go to Settings > Secrets and variables > Actions.
  • Add a new repository variable named AWS_ROLE_ARN whose value is the ARN of the IAM role you created (shown on the role's summary page in IAM).

Step 6: Update GitHub Actions Workflow (.github/workflows/deploy.yml)

Modify your workflow YAML file to assume the IAM role:

name: Deploy to ECR

on:
  push:
    branches:
      - main

jobs:
  push_to_ecr:
    runs-on: ubuntu-latest
    permissions:
      id-token: write
      contents: read

    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Configure AWS Credentials
        uses: aws-actions/configure-aws-credentials@v3
        with:
          role-to-assume: ${{ vars.AWS_ROLE_ARN }}  # repository variable created in Step 5
          role-session-name: GitHubActionsECR
          aws-region: us-east-1  # Change to your AWS region

      - name: Login to Amazon ECR
        id: login-ecr
        uses: aws-actions/amazon-ecr-login@v1

      - name: Build, tag, and push Docker image
        env:
          ECR_REGISTRY: ${{ steps.login-ecr.outputs.registry }}
          ECR_REPOSITORY: my-app
          IMAGE_TAG: latest
        run: |
          docker build -t $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG .
          docker push $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG
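The workflow above only runs on pushes to main, but what AWS actually enforces is the trust policy from Step 4, and its repo:ORG/REPO:* pattern admits any ref, environment or pull_request subject from that repository. The following added example (not code from the post) models how STS evaluates the StringEquals/StringLike conditions against the token's aud and sub claims, using constructed account, organization and repository names, and compares the post's pattern with one pinned to the main branch:

```python
import re
# Constructed placeholder values (not a real account or organisation).
ACCOUNT_ID = "123456789012"
ISSUER = "token.actions.githubusercontent.com"

def build_trust_policy(sub_pattern: str) -> dict:
    """Trust policy with the same shape as the post's, parameterised on the sub pattern."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": f"arn:aws:iam::{ACCOUNT_ID}:oidc-provider/{ISSUER}"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {"StringEquals": {f"{ISSUER}:aud": "sts.amazonaws.com"},
                      "StringLike": {f"{ISSUER}:sub": sub_pattern}}}]}

def iam_like(pattern: str, value: str) -> bool:
    """IAM StringLike: '*' matches any run of characters, '?' exactly one; all else is literal."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None

def statement_allows(stmt: dict, claims: dict) -> bool:
    """Evaluate a statement's conditions against token claims; keys are '<issuer>:<claim>'."""
    if stmt.get("Effect") != "Allow" or stmt.get("Action") != "sts:AssumeRoleWithWebIdentity":
        return False
    for operator, conditions in stmt.get("Condition", {}).items():
        for key, expected in conditions.items():
            actual = claims.get(key.split(":", 1)[1])  # a claim absent from the token fails
            patterns = expected if isinstance(expected, list) else [expected]
            if operator == "StringEquals":
                ok = actual in patterns
            elif operator == "StringLike":
                ok = actual is not None and any(iam_like(p, actual) for p in patterns)
            else:
                raise ValueError(f"operator {operator} is not modelled here")
            if not ok:
                return False
    return True

def role_assumable(policy: dict, claims: dict) -> bool:
    """True if any statement in the trust policy admits this token."""
    return any(statement_allows(s, claims) for s in policy["Statement"])

# Constructed sample tokens: GitHub's sub claim for a push to main, a feature branch push,
# a pull_request event in the same repository, and a push in another repository.
TOKENS = {
    "main":    {"aud": "sts.amazonaws.com", "sub": "repo:example-org/example-repo:ref:refs/heads/main"},
    "feature": {"aud": "sts.amazonaws.com", "sub": "repo:example-org/example-repo:ref:refs/heads/feature-x"},
    "pr":      {"aud": "sts.amazonaws.com", "sub": "repo:example-org/example-repo:pull_request"},
    "other":   {"aud": "sts.amazonaws.com", "sub": "repo:example-org/other-repo:ref:refs/heads/main"},
}
BROAD = build_trust_policy("repo:example-org/example-repo:*")                       # the post's pattern
MAIN_ONLY = build_trust_policy("repo:example-org/example-repo:ref:refs/heads/main")  # matches the workflow's trigger
```

With BROAD, the feature-branch and pull_request tokens can assume the role as well as the main push; MAIN_ONLY admits only the token the deploy workflow actually produces, while the other-repository token and any token with a different audience are rejected by both.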

Step 7: Test the Workflow

  • Push a commit to the repository.
  • Navigate to Actions in GitHub and verify that the workflow runs successfully.
  • Your Docker image should now be pushed to Amazon ECR.

Conclusion

Now your GitHub Actions workflow can push images to AWS ECR without requiring long-lived AWS credentials. This setup is more secure and efficient, enabling seamless container deployments from GitHub to AWS. 🎉
