awscdkgithuboidc

package module
v2.4.1 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Aug 2, 2023 License: Apache-2.0 Imports: 8 Imported by: 0

README

AWS CDK Github OpenID Connect

cdk-support release codecov

AWS CDK constructs that define:

  • Github Actions as OpenID Connect Identity Provider into AWS IAM
  • IAM Roles that can be assumed by Github Actions workflows

These constructs allows you to harden your AWS deployment security by removing the need to create long-term access keys for Github Actions and instead use OpenID Connect to Authenticate your Github Action workflow with AWS IAM.

Background information

github-aws-oidc


Getting started

npm i -D aws-cdk-github-oidc

OpenID Connect Identity Provider trust for AWS IAM

To create a new Github OIDC provider configuration into AWS IAM:

import { GithubActionsIdentityProvider } from "aws-cdk-github-oidc";

const provider = new GithubActionsIdentityProvider(scope, "GithubProvider");

In the background this creates an OIDC provider trust configuration into AWS IAM with an issuer URL of https://token.actions.githubusercontent.com and audiences (client IDs) configured as ['sts.amazonaws.com'] (which matches the aws-actions/configure-aws-credentials implementation).


Retrieving a reference to an existing Github OIDC provider configuration

Remember, there can be only one (Github OIDC provider per AWS Account), so to retrieve a reference to existing Github OIDC provider use fromAccount static method:

import { GithubActionsIdentityProvider } from "aws-cdk-github-oidc";

const provider = GithubActionsIdentityProvider.fromAccount(
  scope,
  "GithubProvider"
);

Defining a role for Github Actions workflow to assume
import { GithubActionsRole } from "aws-cdk-github-oidc";

const uploadRole = new GithubActionsRole(scope, "UploadRole", {
  provider: provider, // reference into the OIDC provider
  owner: "octo-org", // your repository owner (organization or user) name
  repo: "octo-repo", // your repository name (without the owner name)
  filter: "ref:refs/tags/v*", // JWT sub suffix filter, defaults to '*'
});

// use it like any other role, for example grant S3 bucket write access:
myBucket.grantWrite(uploadRole);

You may pass in any iam.RoleProps into the construct's props, except assumedBy which will be defined by this construct (CDK will fail if you do):

const deployRole = new GithubActionsRole(scope, "DeployRole", {
  provider: provider,
  owner: "octo-org",
  repo: "octo-repo",
  roleName: "MyDeployRole",
  description: "This role deploys stuff to AWS",
  maxSessionDuration: cdk.Duration.hours(2),
});

// You may also use various "add*" policy methods!
// "AdministratorAccess" not really a good idea, just for an example here:
deployRole.addManagedPolicy(
  iam.ManagedPolicy.fromAwsManagedPolicyName("AdministratorAccess")
);

Subject Filter

By default the value of filter property will be '*' which means any workflow (from given repository) from any branch, tag, environment or pull request can assume this role. To further stricten the OIDC trust policy on the role, you may adjust the subject filter as seen on the examples in Github Docs; For example:

filter value Descrition
'ref:refs/tags/v*' Allow only tags with prefix of v
'ref:refs/heads/demo-branch' Allow only from branch demo-branch
'pull_request' Allow only from pull request
'environment:Production' Allow only from Production environment

Github Actions Workflow

To actually utilize this in your Github Actions workflow, use aws-actions/configure-aws-credentials to assume a role.

At the moment you must use the master version (until AWS releases a new tag):

jobs:
  deploy:
    name: Upload to Amazon S3
    runs-on: ubuntu-latest
    permissions:
      id-token: write # needed to interact with GitHub's OIDC Token endpoint.
      contents: read
    steps:
      - name: Checkout
        uses: actions/checkout@v2

      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@master
        with:
          role-to-assume: arn:aws:iam::123456789012:role/MyUploadRole
          #role-session-name: MySessionName # Optional
          aws-region: us-east-1

      - name: Sync files to S3
        run: |
          aws s3 sync . s3://my-example-bucket

Documentation

Overview

CDK constructs to use OpenID Connect for authenticating your Github Action workflow with AWS IAM

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func GithubActionsIdentityProvider_FromOpenIdConnectProviderArn 

func GithubActionsIdentityProvider_FromOpenIdConnectProviderArn(scope constructs.Construct, id *string, openIdConnectProviderArn *string) awsiam.IOpenIdConnectProvider

Imports an Open ID connect provider from an ARN. Experimental.

func GithubActionsIdentityProvider_IsConstruct 

func GithubActionsIdentityProvider_IsConstruct(x interface{}) *bool

Checks if `x` is a construct.

Returns: true if `x` is an object created from a class which extends `Construct`. Deprecated: use `x instanceof Construct` instead.

func GithubActionsIdentityProvider_IsOwnedResource added in v2.4.0 

func GithubActionsIdentityProvider_IsOwnedResource(construct constructs.IConstruct) *bool

Returns true if the construct was created by CDK, and false otherwise. Experimental.

func GithubActionsIdentityProvider_IsResource 

func GithubActionsIdentityProvider_IsResource(construct constructs.IConstruct) *bool

Check whether the given construct is a Resource. Experimental.

func GithubActionsIdentityProvider_Issuer 

func GithubActionsIdentityProvider_Issuer() *string

func GithubActionsRole_CustomizeRoles added in v2.4.0 

func GithubActionsRole_CustomizeRoles(scope constructs.Construct, options *awsiam.CustomizeRolesOptions)

Customize the creation of IAM roles within the given scope.

It is recommended that you **do not** use this method and instead allow CDK to manage role creation. This should only be used in environments where CDK applications are not allowed to created IAM roles.

This can be used to prevent the CDK application from creating roles within the given scope and instead replace the references to the roles with precreated role names. A report will be synthesized in the cloud assembly (i.e. cdk.out) that will contain the list of IAM roles that would have been created along with the IAM policy statements that the role should contain. This report can then be used to create the IAM roles outside of CDK and then the created role names can be provided in `usePrecreatedRoles`.

Example: 

declare const app: App;
iam.Role.customizeRoles(app, {
  usePrecreatedRoles: {
    'ConstructPath/To/Role': 'my-precreated-role-name',
  },
});

Experimental.

func GithubActionsRole_FromRoleArn 

func GithubActionsRole_FromRoleArn(scope constructs.Construct, id *string, roleArn *string, options *awsiam.FromRoleArnOptions) awsiam.IRole

Import an external role by ARN.

If the imported Role ARN is a Token (such as a `CfnParameter.valueAsString` or a `Fn.importValue()`) *and* the referenced role has a `path` (like `arn:...:role/AdminRoles/Alice`), the `roleName` property will not resolve to the correct value. Instead it will resolve to the first path component. We unfortunately cannot express the correct calculation of the full path name as a CloudFormation expression. In this scenario the Role ARN should be supplied without the `path` in order to resolve the correct role resource. Experimental.

func GithubActionsRole_FromRoleName 

func GithubActionsRole_FromRoleName(scope constructs.Construct, id *string, roleName *string, options *awsiam.FromRoleNameOptions) awsiam.IRole

Import an external role by name.

The imported role is assumed to exist in the same account as the account the scope's containing Stack is being deployed to. Experimental.

func GithubActionsRole_IsConstruct 

func GithubActionsRole_IsConstruct(x interface{}) *bool

Checks if `x` is a construct.

Returns: true if `x` is an object created from a class which extends `Construct`. Deprecated: use `x instanceof Construct` instead.

func GithubActionsRole_IsOwnedResource added in v2.4.0 

func GithubActionsRole_IsOwnedResource(construct constructs.IConstruct) *bool

Returns true if the construct was created by CDK, and false otherwise. Experimental.

func GithubActionsRole_IsResource 

func GithubActionsRole_IsResource(construct constructs.IConstruct) *bool

Check whether the given construct is a Resource. Experimental.

func GithubActionsRole_IsRole added in v2.4.0 

func GithubActionsRole_IsRole(x interface{}) *bool

Return whether the given object is a Role. Experimental.

func NewGithubActionsIdentityProvider_Override 

func NewGithubActionsIdentityProvider_Override(g GithubActionsIdentityProvider, scope constructs.Construct, id *string)

Define a new Github OpenID Connect Identity PRovider for AWS IAM.

There can be only one (per AWS Account).

Example: 

new GithubActionsIdentityProvider(scope, "GithubProvider");

Experimental.

func NewGithubActionsRole_Override 

func NewGithubActionsRole_Override(g GithubActionsRole, scope constructs.Construct, id *string, props *GithubActionsRoleProps)

Define an IAM Role that can be assumed by Github Actions workflow via Github OpenID Connect Identity Provider.

Besides `GithubConfiguration`, you may pass in any `iam.RoleProps` except `assumedBy` which will be defined by this construct (CDK will fail if you do).

Example: 

const uploadRole = new GithubActionsRole(scope, "UploadRole", {
  provider: GithubActionsIdentityProvider.fromAccount(scope, "GithubProvider"),
  owner: 'octo-org',
  repo: 'octo-repo',
  filter: 'ref:refs/tags/v*',
  roleName: 'MyUploadRole',
});

myBucket.grantWrite(uploadRole);

Experimental.

Types

type GithubActionsIdentityProvider 

type GithubActionsIdentityProvider interface {
	awsiam.OpenIdConnectProvider
	IGithubActionsIdentityProvider
	// The environment this resource belongs to.
	//
	// For resources that are created and managed by the CDK
	// (generally, those created by creating new class instances like Role, Bucket, etc.),
	// this is always the same as the environment of the stack they belong to;
	// however, for imported resources
	// (those obtained from static methods like fromRoleArn, fromBucketName, etc.),
	// that might be different than the stack they were imported into.
	// Experimental.
	Env() *awscdk.ResourceEnvironment
	// The tree node.
	// Experimental.
	Node() constructs.Node
	// The Amazon Resource Name (ARN) of the IAM OpenID Connect provider.
	// Experimental.
	OpenIdConnectProviderArn() *string
	// The issuer for OIDC Provider.
	// Experimental.
	OpenIdConnectProviderIssuer() *string
	// The thumbprints configured for this provider.
	// Experimental.
	OpenIdConnectProviderthumbprints() *string
	// Returns a string-encoded token that resolves to the physical name that should be passed to the CloudFormation resource.
	//
	// This value will resolve to one of the following:
	// - a concrete value (e.g. `"my-awesome-bucket"`)
	// - `undefined`, when a name should be generated by CloudFormation
	// - a concrete name generated automatically during synthesis, in
	//   cross-environment scenarios.
	// Experimental.
	PhysicalName() *string
	// The stack in which this resource is defined.
	// Experimental.
	Stack() awscdk.Stack
	// Apply the given removal policy to this resource.
	//
	// The Removal Policy controls what happens to this resource when it stops
	// being managed by CloudFormation, either because you've removed it from the
	// CDK application or because you've made a change that requires the resource
	// to be replaced.
	//
	// The resource can be deleted (`RemovalPolicy.DESTROY`), or left in your AWS
	// account for data recovery and cleanup later (`RemovalPolicy.RETAIN`).
	// Experimental.
	ApplyRemovalPolicy(policy awscdk.RemovalPolicy)
	// Experimental.
	GeneratePhysicalName() *string
	// Returns an environment-sensitive token that should be used for the resource's "ARN" attribute (e.g. `bucket.bucketArn`).
	//
	// Normally, this token will resolve to `arnAttr`, but if the resource is
	// referenced across environments, `arnComponents` will be used to synthesize
	// a concrete ARN with the resource's physical name. Make sure to reference
	// `this.physicalName` in `arnComponents`.
	// Experimental.
	GetResourceArnAttribute(arnAttr *string, arnComponents *awscdk.ArnComponents) *string
	// Returns an environment-sensitive token that should be used for the resource's "name" attribute (e.g. `bucket.bucketName`).
	//
	// Normally, this token will resolve to `nameAttr`, but if the resource is
	// referenced across environments, it will be resolved to `this.physicalName`,
	// which will be a concrete name.
	// Experimental.
	GetResourceNameAttribute(nameAttr *string) *string
	// Returns a string representation of this construct.
	// Experimental.
	ToString() *string
}

Github Actions as OpenID Connect Identity Provider for AWS IAM. There can be only one (per AWS Account).

Use `fromAccount` to retrieve a reference to existing Github OIDC provider. See: https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services

Experimental.

func NewGithubActionsIdentityProvider 

func NewGithubActionsIdentityProvider(scope constructs.Construct, id *string) GithubActionsIdentityProvider

Define a new Github OpenID Connect Identity PRovider for AWS IAM.

There can be only one (per AWS Account).

Example: 

new GithubActionsIdentityProvider(scope, "GithubProvider");

Experimental.

type GithubActionsRole 

type GithubActionsRole interface {
	awsiam.Role
	// When this Principal is used in an AssumeRole policy, the action to use.
	// Experimental.
	AssumeRoleAction() *string
	// The assume role policy document associated with this role.
	// Experimental.
	AssumeRolePolicy() awsiam.PolicyDocument
	// The environment this resource belongs to.
	//
	// For resources that are created and managed by the CDK
	// (generally, those created by creating new class instances like Role, Bucket, etc.),
	// this is always the same as the environment of the stack they belong to;
	// however, for imported resources
	// (those obtained from static methods like fromRoleArn, fromBucketName, etc.),
	// that might be different than the stack they were imported into.
	// Experimental.
	Env() *awscdk.ResourceEnvironment
	// The principal to grant permissions to.
	// Experimental.
	GrantPrincipal() awsiam.IPrincipal
	// The tree node.
	// Experimental.
	Node() constructs.Node
	// Returns the permissions boundary attached to this role.
	// Experimental.
	PermissionsBoundary() awsiam.IManagedPolicy
	// Returns a string-encoded token that resolves to the physical name that should be passed to the CloudFormation resource.
	//
	// This value will resolve to one of the following:
	// - a concrete value (e.g. `"my-awesome-bucket"`)
	// - `undefined`, when a name should be generated by CloudFormation
	// - a concrete name generated automatically during synthesis, in
	//   cross-environment scenarios.
	// Experimental.
	PhysicalName() *string
	// Returns the role.
	// Experimental.
	PolicyFragment() awsiam.PrincipalPolicyFragment
	// The AWS account ID of this principal.
	//
	// Can be undefined when the account is not known
	// (for example, for service principals).
	// Can be a Token - in that case,
	// it's assumed to be AWS::AccountId.
	// Experimental.
	PrincipalAccount() *string
	// Returns the ARN of this role.
	// Experimental.
	RoleArn() *string
	// Returns the stable and unique string identifying the role.
	//
	// For example,
	// AIDAJQABLZS4A3QDU576Q.
	// Experimental.
	RoleId() *string
	// Returns the name of the role.
	// Experimental.
	RoleName() *string
	// The stack in which this resource is defined.
	// Experimental.
	Stack() awscdk.Stack
	// Attaches a managed policy to this role.
	// Experimental.
	AddManagedPolicy(policy awsiam.IManagedPolicy)
	// Add to the policy of this principal.
	// Experimental.
	AddToPolicy(statement awsiam.PolicyStatement) *bool
	// Adds a permission to the role's default policy document.
	//
	// If there is no default policy attached to this role, it will be created.
	// Experimental.
	AddToPrincipalPolicy(statement awsiam.PolicyStatement) *awsiam.AddToPrincipalPolicyResult
	// Apply the given removal policy to this resource.
	//
	// The Removal Policy controls what happens to this resource when it stops
	// being managed by CloudFormation, either because you've removed it from the
	// CDK application or because you've made a change that requires the resource
	// to be replaced.
	//
	// The resource can be deleted (`RemovalPolicy.DESTROY`), or left in your AWS
	// account for data recovery and cleanup later (`RemovalPolicy.RETAIN`).
	// Experimental.
	ApplyRemovalPolicy(policy awscdk.RemovalPolicy)
	// Attaches a policy to this role.
	// Experimental.
	AttachInlinePolicy(policy awsiam.Policy)
	// Experimental.
	GeneratePhysicalName() *string
	// Returns an environment-sensitive token that should be used for the resource's "ARN" attribute (e.g. `bucket.bucketArn`).
	//
	// Normally, this token will resolve to `arnAttr`, but if the resource is
	// referenced across environments, `arnComponents` will be used to synthesize
	// a concrete ARN with the resource's physical name. Make sure to reference
	// `this.physicalName` in `arnComponents`.
	// Experimental.
	GetResourceArnAttribute(arnAttr *string, arnComponents *awscdk.ArnComponents) *string
	// Returns an environment-sensitive token that should be used for the resource's "name" attribute (e.g. `bucket.bucketName`).
	//
	// Normally, this token will resolve to `nameAttr`, but if the resource is
	// referenced across environments, it will be resolved to `this.physicalName`,
	// which will be a concrete name.
	// Experimental.
	GetResourceNameAttribute(nameAttr *string) *string
	// Grant the actions defined in actions to the identity Principal on this resource.
	// Experimental.
	Grant(grantee awsiam.IPrincipal, actions ...*string) awsiam.Grant
	// Grant permissions to the given principal to assume this role.
	// Experimental.
	GrantAssumeRole(identity awsiam.IPrincipal) awsiam.Grant
	// Grant permissions to the given principal to pass this role.
	// Experimental.
	GrantPassRole(identity awsiam.IPrincipal) awsiam.Grant
	// Returns a string representation of this construct.
	// Experimental.
	ToString() *string
	// Return a copy of this Role object whose Policies will not be updated.
	//
	// Use the object returned by this method if you want this Role to be used by
	// a construct without it automatically updating the Role's Policies.
	//
	// If you do, you are responsible for adding the correct statements to the
	// Role's policies yourself.
	// Experimental.
	WithoutPolicyUpdates(options *awsiam.WithoutPolicyUpdatesOptions) awsiam.IRole
}

Define an IAM Role that can be assumed by Github Actions workflow via Github OpenID Connect Identity Provider.

Besides `GithubConfiguration`, you may pass in any `iam.RoleProps` except `assumedBy` which will be defined by this construct (CDK will fail if you do).

Example: 

const uploadRole = new GithubActionsRole(scope, "UploadRole", {
  provider: GithubActionsIdentityProvider.fromAccount(scope, "GithubProvider"),
  owner: 'octo-org',
  repo: 'octo-repo',
  filter: 'ref:refs/tags/v*',
  roleName: 'MyUploadRole',
});

myBucket.grantWrite(uploadRole);

Experimental.

func NewGithubActionsRole 

func NewGithubActionsRole(scope constructs.Construct, id *string, props *GithubActionsRoleProps) GithubActionsRole

Define an IAM Role that can be assumed by Github Actions workflow via Github OpenID Connect Identity Provider.

Besides `GithubConfiguration`, you may pass in any `iam.RoleProps` except `assumedBy` which will be defined by this construct (CDK will fail if you do).

Example: 

const uploadRole = new GithubActionsRole(scope, "UploadRole", {
  provider: GithubActionsIdentityProvider.fromAccount(scope, "GithubProvider"),
  owner: 'octo-org',
  repo: 'octo-repo',
  filter: 'ref:refs/tags/v*',
  roleName: 'MyUploadRole',
});

myBucket.grantWrite(uploadRole);

Experimental.

type GithubActionsRoleProps 

type GithubActionsRoleProps struct {
	// Repository owner (organization or username).
	//
	// Example:
	//   'octo-org'
	//
	// Experimental.
	Owner *string `field:"required" json:"owner" yaml:"owner"`
	// Reference to Github OpenID Connect Provider configured in AWS IAM.
	//
	// Either pass an construct defined by `new GithubActionsIdentityProvider`
	// or a retrieved reference from `GithubActionsIdentityProvider.fromAccount`.
	// There can be only one (per AWS Account).
	// Experimental.
	Provider IGithubActionsIdentityProvider `field:"required" json:"provider" yaml:"provider"`
	// Repository name (slug) without the owner.
	//
	// Example:
	//   'octo-repo'
	//
	// Experimental.
	Repo *string `field:"required" json:"repo" yaml:"repo"`
	// Subject condition filter, appended after `repo:${owner}/${repo}:` string in IAM Role trust relationship.
	//
	// Example:
	//   'ref:refs/tags/v*'
	//   'ref:refs/heads/demo-branch'
	//   'pull_request'
	//   'environment:Production'
	//
	// See: https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#examples
	//
	// Default: '*'
	//
	// You may use this value to only allow Github to assume the role on specific branches, tags, environments, pull requests etc.
	//
	// Experimental.
	Filter *string `field:"optional" json:"filter" yaml:"filter"`
	// A description of the role.
	//
	// It can be up to 1000 characters long.
	// Default: - No description.
	//
	// Experimental.
	Description *string `field:"optional" json:"description" yaml:"description"`
	// List of IDs that the role assumer needs to provide one of when assuming this role.
	//
	// If the configured and provided external IDs do not match, the
	// AssumeRole operation will fail.
	// Default: No external ID required.
	//
	// Experimental.
	ExternalIds *[]*string `field:"optional" json:"externalIds" yaml:"externalIds"`
	// A list of named policies to inline into this role.
	//
	// These policies will be
	// created with the role, whereas those added by “addToPolicy“ are added
	// using a separate CloudFormation resource (allowing a way around circular
	// dependencies that could otherwise be introduced).
	// Default: - No policy is inlined in the Role resource.
	//
	// Experimental.
	InlinePolicies *map[string]awsiam.PolicyDocument `field:"optional" json:"inlinePolicies" yaml:"inlinePolicies"`
	// A list of managed policies associated with this role.
	//
	// You can add managed policies later using
	// `addManagedPolicy(ManagedPolicy.fromAwsManagedPolicyName(policyName))`.
	// Default: - No managed policies.
	//
	// Experimental.
	ManagedPolicies *[]awsiam.IManagedPolicy `field:"optional" json:"managedPolicies" yaml:"managedPolicies"`
	// The maximum session duration that you want to set for the specified role.
	//
	// This setting can have a value from 1 hour (3600sec) to 12 (43200sec) hours.
	//
	// Anyone who assumes the role from the AWS CLI or API can use the
	// DurationSeconds API parameter or the duration-seconds CLI parameter to
	// request a longer session. The MaxSessionDuration setting determines the
	// maximum duration that can be requested using the DurationSeconds
	// parameter.
	//
	// If users don't specify a value for the DurationSeconds parameter, their
	// security credentials are valid for one hour by default. This applies when
	// you use the AssumeRole* API operations or the assume-role* CLI operations
	// but does not apply when you use those operations to create a console URL.
	// Default: Duration.hours(1)
	//
	// Experimental.
	MaxSessionDuration awscdk.Duration `field:"optional" json:"maxSessionDuration" yaml:"maxSessionDuration"`
	// The path associated with this role.
	//
	// For information about IAM paths, see
	// Friendly Names and Paths in IAM User Guide.
	// Default: /.
	//
	// Experimental.
	Path *string `field:"optional" json:"path" yaml:"path"`
	// AWS supports permissions boundaries for IAM entities (users or roles).
	//
	// A permissions boundary is an advanced feature for using a managed policy
	// to set the maximum permissions that an identity-based policy can grant to
	// an IAM entity. An entity's permissions boundary allows it to perform only
	// the actions that are allowed by both its identity-based policies and its
	// permissions boundaries.
	// Default: - No permissions boundary.
	//
	// Experimental.
	PermissionsBoundary awsiam.IManagedPolicy `field:"optional" json:"permissionsBoundary" yaml:"permissionsBoundary"`
	// A name for the IAM role.
	//
	// For valid values, see the RoleName parameter for
	// the CreateRole action in the IAM API Reference.
	//
	// IMPORTANT: If you specify a name, you cannot perform updates that require
	// replacement of this resource. You can perform updates that require no or
	// some interruption. If you must replace the resource, specify a new name.
	//
	// If you specify a name, you must specify the CAPABILITY_NAMED_IAM value to
	// acknowledge your template's capabilities. For more information, see
	// Acknowledging IAM Resources in AWS CloudFormation Templates.
	// Default: - AWS CloudFormation generates a unique physical ID and uses that ID
	// for the role name.
	//
	// Experimental.
	RoleName *string `field:"optional" json:"roleName" yaml:"roleName"`
}

Props that define the IAM Role that can be assumed by Github Actions workflow via Github OpenID Connect Identity Provider.

Besides `GithubConfiguration`, you may pass in any `iam.RoleProps` except `assumedBy` which will be defined by this construct (CDK will fail if you do).

Example: 

{
  provider: GithubActionsIdentityProvider.fromAccount(scope, "GithubProvider"),
  owner: 'octo-org',
  repo: 'octo-repo',
  filter: 'ref:refs/tags/v*',
  roleName: 'MyDeployRole',
}

Experimental.

type GithubConfiguration 

type GithubConfiguration struct {
	// Repository owner (organization or username).
	//
	// Example:
	//   'octo-org'
	//
	// Experimental.
	Owner *string `field:"required" json:"owner" yaml:"owner"`
	// Reference to Github OpenID Connect Provider configured in AWS IAM.
	//
	// Either pass an construct defined by `new GithubActionsIdentityProvider`
	// or a retrieved reference from `GithubActionsIdentityProvider.fromAccount`.
	// There can be only one (per AWS Account).
	// Experimental.
	Provider IGithubActionsIdentityProvider `field:"required" json:"provider" yaml:"provider"`
	// Repository name (slug) without the owner.
	//
	// Example:
	//   'octo-repo'
	//
	// Experimental.
	Repo *string `field:"required" json:"repo" yaml:"repo"`
	// Subject condition filter, appended after `repo:${owner}/${repo}:` string in IAM Role trust relationship.
	//
	// Example:
	//   'ref:refs/tags/v*'
	//   'ref:refs/heads/demo-branch'
	//   'pull_request'
	//   'environment:Production'
	//
	// See: https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#examples
	//
	// Default: '*'
	//
	// You may use this value to only allow Github to assume the role on specific branches, tags, environments, pull requests etc.
	//
	// Experimental.
	Filter *string `field:"optional" json:"filter" yaml:"filter"`
}

Github related configuration that forms the trust policy for this IAM Role. Experimental.

type IGithubActionsIdentityProvider 

type IGithubActionsIdentityProvider interface {
	awsiam.IOpenIdConnectProvider
}

Describes a Github OpenID Connect Identity Provider for AWS IAM. Experimental.

func GithubActionsIdentityProvider_FromAccount 

func GithubActionsIdentityProvider_FromAccount(scope constructs.Construct, id *string) IGithubActionsIdentityProvider

Retrieve a reference to existing Github OIDC provider in your AWS account.

An AWS account can only have single Github OIDC provider configured into it, so internally the reference is made by constructing the ARN from AWS Account ID & Github issuer URL.

Returns: a CDK Construct representing the Github OIDC provider.

Example: 

GithubActionsIdentityProvider.fromAccount(scope, "GithubProvider");

Experimental.

type RoleProps 

type RoleProps struct {
	// A description of the role.
	//
	// It can be up to 1000 characters long.
	// Default: - No description.
	//
	Description *string `field:"optional" json:"description" yaml:"description"`
	// List of IDs that the role assumer needs to provide one of when assuming this role.
	//
	// If the configured and provided external IDs do not match, the
	// AssumeRole operation will fail.
	// Default: No external ID required.
	//
	ExternalIds *[]*string `field:"optional" json:"externalIds" yaml:"externalIds"`
	// A list of named policies to inline into this role.
	//
	// These policies will be
	// created with the role, whereas those added by “addToPolicy“ are added
	// using a separate CloudFormation resource (allowing a way around circular
	// dependencies that could otherwise be introduced).
	// Default: - No policy is inlined in the Role resource.
	//
	InlinePolicies *map[string]awsiam.PolicyDocument `field:"optional" json:"inlinePolicies" yaml:"inlinePolicies"`
	// A list of managed policies associated with this role.
	//
	// You can add managed policies later using
	// `addManagedPolicy(ManagedPolicy.fromAwsManagedPolicyName(policyName))`.
	// Default: - No managed policies.
	//
	ManagedPolicies *[]awsiam.IManagedPolicy `field:"optional" json:"managedPolicies" yaml:"managedPolicies"`
	// The maximum session duration that you want to set for the specified role.
	//
	// This setting can have a value from 1 hour (3600sec) to 12 (43200sec) hours.
	//
	// Anyone who assumes the role from the AWS CLI or API can use the
	// DurationSeconds API parameter or the duration-seconds CLI parameter to
	// request a longer session. The MaxSessionDuration setting determines the
	// maximum duration that can be requested using the DurationSeconds
	// parameter.
	//
	// If users don't specify a value for the DurationSeconds parameter, their
	// security credentials are valid for one hour by default. This applies when
	// you use the AssumeRole* API operations or the assume-role* CLI operations
	// but does not apply when you use those operations to create a console URL.
	// Default: Duration.hours(1)
	//
	MaxSessionDuration awscdk.Duration `field:"optional" json:"maxSessionDuration" yaml:"maxSessionDuration"`
	// The path associated with this role.
	//
	// For information about IAM paths, see
	// Friendly Names and Paths in IAM User Guide.
	// Default: /.
	//
	Path *string `field:"optional" json:"path" yaml:"path"`
	// AWS supports permissions boundaries for IAM entities (users or roles).
	//
	// A permissions boundary is an advanced feature for using a managed policy
	// to set the maximum permissions that an identity-based policy can grant to
	// an IAM entity. An entity's permissions boundary allows it to perform only
	// the actions that are allowed by both its identity-based policies and its
	// permissions boundaries.
	// Default: - No permissions boundary.
	//
	PermissionsBoundary awsiam.IManagedPolicy `field:"optional" json:"permissionsBoundary" yaml:"permissionsBoundary"`
	// A name for the IAM role.
	//
	// For valid values, see the RoleName parameter for
	// the CreateRole action in the IAM API Reference.
	//
	// IMPORTANT: If you specify a name, you cannot perform updates that require
	// replacement of this resource. You can perform updates that require no or
	// some interruption. If you must replace the resource, specify a new name.
	//
	// If you specify a name, you must specify the CAPABILITY_NAMED_IAM value to
	// acknowledge your template's capabilities. For more information, see
	// Acknowledging IAM Resources in AWS CloudFormation Templates.
	// Default: - AWS CloudFormation generates a unique physical ID and uses that ID
	// for the role name.
	//
	RoleName *string `field:"optional" json:"roleName" yaml:"roleName"`
}

Properties for defining an IAM Role.

These are copied fron @aws-cdk/aws-iam, but since JSII does not support TypeScript <Partial<iam.RoleProps>> (or Omit), we have to do this stupid thing.

Basically exactly the same as source, but with assumedBy removed.

Source Files

View all Source files

Directories

Path Synopsis
Package jsii contains the functionaility needed for jsii packages to initialize their dependencies and themselves.
 Package jsii contains the functionaility needed for jsii packages to initialize their dependencies and themselves.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.