GitHub Actions AWS Authentication with OIDC for GitHub Enterprise

GitHub Actions AWS Authentication with OIDC for GitHub Enterprise

There are many blog posts about how to use GitHub Actions OIDC with AWS; however, they all refer to using and don't provide some easy steps if you are running your own GitHub Enterprise instance.

Today I spent far too long working this out and likely annoying my colleagues with email after email for failed builds!

Anyway, I made progress eventually, and hopefully, this will help some other poor lost soul hitting google for a simple answer!

Let's get into it.

What is OIDC?

I won't repeat the documentation simply put:-

OpenID Connect allows your workflows to exchange short-lived tokens directly from your cloud provider.

Since Aidens' post here, I've been eagerly waiting to have this in our GitHub Enterprise instance, which delivered this functionality in 3.5.

Configuring the OIDC Provider

Maybe it's just me, but the GitHub documentation didn't flow with the needed steps, and I went around in circles a bit.

Here are the steps I followed to get it up and running

Get Thumbprint

The thumbprint is a SHA1 hash of the public certificate of the host. To calculate it, you need to obtain the GitHub Enterprise instance certificate, and then calculate the hash using a tool like OpenSSL.

The GitHub Enterprise instance has the following URL available with the OIDC supported claims -

Using this URL and the handy shell script provided via stackoverflow we can generate the SHA1 for my pretend instance

$ HOST=$(curl \
| jq -r '.jwks_uri | split("/")[2]')

$ echo | openssl s_client -servername $HOST -showcerts -connect $HOST:443 2> /dev/null \
| sed -n -e '/BEGIN/h' -e '/BEGIN/,/END/H' -e '$x' -e '$p' | tail +2 \
| openssl x509 -fingerprint -noout \
| sed -e "s/.*=//" -e "s/://g" \
| tr "ABCDEF" "abcdef"

Define the AWS::IAM::OIDCProvider

With this info, we can create our Cloudformation Stack to configure our OIDCProvider and the IAM Role our action will assume.

I've totally copied Adiens work and just added in the necessary updates to show how to configure the setting for GitHub Enterprise.

Key things to note are the StringLike conditions that had me a little stumped for a while as all the public examples are for!

AWSTemplateFormatVersion: 2010-09-09
Description: GitHub Actions AWS Authentication with OIDC for GitHub Enterprise

  GithubOrg: # can also be a regular user
    Type: String
    Default: mygithuborg
    Type: String
    Default: mygithuborg/sjramblings

    Type: AWS::IAM::Role
      RoleName: ExampleGithubRole
      ManagedPolicyArns: [arn:aws:iam::aws:policy/ReadOnlyAccess]
          - Effect: Allow
            Action: sts:AssumeRoleWithWebIdentity
              Federated: !Ref GithubOidc
       !Sub repo:${FullRepoName}:*

    Type: AWS::IAM::OIDCProvider
      ThumbprintList: [6938fd4d98bab03faadb97b34396831e3780aea1]
        - !Sub${GithubOrg}

    Value: !GetAtt Role.Arn



Using the above CloudFormation you can enable OIDC Authentication for your GitHub Enterprise instance workflows to perform actions within AWS without having to manage and rotate cloud credentials.

It will also enable you to use more fine-grained permissions granting only what is required.

I hope this helps someone else!


Did you find this article valuable?

Support Stephen Jones by becoming a sponsor. Any amount is appreciated!