From ae9bdd4606a4ee2a1242b50bd592ac57d4928117 Mon Sep 17 00:00:00 2001
From: rrigato
Date: Sat, 25 May 2024 13:10:18 -0500
Subject: [PATCH] github oidc role

---
 templates/tvratings_alexa_skill.template | 31 ++++++++++++++++++++++++
 1 file changed, 31 insertions(+)

diff --git a/templates/tvratings_alexa_skill.template b/templates/tvratings_alexa_skill.template
index 7d4e568..33e7d08 100644
--- a/templates/tvratings_alexa_skill.template
+++ b/templates/tvratings_alexa_skill.template
@@ -18,6 +18,11 @@ Parameters:
     Type: String
     Default: tvratings_skill.alexa_lambda_handler
 
+  githubUser:
+    Default: rrigato
+    Description: 'GitHub organization name'
+    Type: String
+
   lambdaExecutionRoleName:
     Type: String
     Default: tvratings_lambda_role
@@ -38,6 +43,11 @@ Parameters:
     MinValue: 1
     MaxValue: 900
 
+  oidcAudience:
+    Default: 'sts.amazonaws.com'
+    Description: 'The audience for the OIDC provider'
+    Type: String
+
   projectName:
     Type: String
     Default: tvratings
@@ -83,3 +93,24 @@ Resources:
       Timeout: !Ref lambdaTimeout
       TracingConfig:
         Mode: Active
+
+  projectRoleForGitHubActions:
+    Type: AWS::IAM::Role
+    Properties:
+      AssumeRolePolicyDocument:
+        Statement:
+          - Effect: Allow
+            Action: sts:AssumeRoleWithWebIdentity
+            Principal:
+              Federated:
+                Fn::ImportValue:
+                  githubOidcProviderArn
+            Condition:
+              StringEquals:
+                token.actions.githubusercontent.com:aud: !Ref oidcAudience
+              StringLike:
+                token.actions.githubusercontent.com:sub: !Sub repo:${githubUser}/${projectName}:*
+      Description: !Sub '${projectName} GitHub Actions role to assume'
+      ManagedPolicyArns:
+        - !Sub arn:aws:iam::${AWS::AccountId}:policy/${projectName}_pipeline_permissions
+      RoleName: !Sub ${projectName}-github-actions-role
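Review bot: The `githubUser` parameter is unconstrained even though its value is interpolated into a `StringLike` trust-policy pattern later in this patch, so a value containing `*` or `?` would silently widen which repositories may assume the role; add `AllowedPattern: '^[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?$'` (the GitHub owner-name character set) so CloudFormation rejects anything else. The `Description: 'GitHub organization name'` also disagrees with the default `rrigato`, which is a user account; `Description: 'GitHub user or organization that owns the repository'` covers both. The enclosing `Parameters:` mapping starts outside this hunk.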
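Review bot: The `StringLike` condition on `token.actions.githubusercontent.com:sub` ends in `:*`, so a workflow on any branch, tag, pull_request or environment of the repository can assume `projectRoleForGitHubActions` and everything in `${projectName}_pipeline_permissions`, not just the release path. Pin the subject to the ref or environment that is allowed to deploy, e.g. `token.actions.githubusercontent.com:sub: !Sub repo:${githubUser}/${projectName}:ref:refs/heads/main`, and if several are legitimately needed list them as a YAML sequence under that key rather than falling back to the wildcard. The `Fn::ImportValue: githubOidcProviderArn` export and the customer-managed policy named in `ManagedPolicyArns` are not defined in this hunk, so the stack presumably depends on them existing first — a short comment above the resource saying where they come from would help. Hard-coding `RoleName` also means every deploy needs `CAPABILITY_NAMED_IAM` and any change that forces replacement will fail on the name collision; letting CloudFormation generate the name avoids both unless something external depends on it.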