This script sets up GitHub Actions OIDC authentication with AWS using the AWS CLI. It creates an OIDC provider and an IAM role that GitHub Actions can assume.
```bash
# Download the script
wget https://raw.githubusercontent.com/sinovi/setup-github-oidc/main/setup-github-oidc.sh
chmod +x setup-github-oidc.sh

# Basic usage: owner/repo branch (role: GitHubActionsRole, policy: AdministratorAccess)
./setup-github-oidc.sh myorg/myrepo main

# Specify custom IAM role name and AWS managed policy
./setup-github-oidc.sh myorg/myrepo main --role MyGithubRole --policy PowerUserAccess

# Specify an AWS CLI profile
./setup-github-oidc.sh myorg/myrepo main --profile myprofile
```
```bash
./setup-github-oidc.sh owner/repo branch [--role NAME] [--policy POLICY] [--profile PROFILE]
```

- `owner/repo` (required): GitHub owner and repository, e.g. `myorg/myrepo`
- `branch` (required): GitHub branch name to allow, e.g. `main`
- `--role NAME`: Custom IAM role name (default: `GitHubActionsRole`)
- `--policy POLICY`: AWS managed policy name (default: `AdministratorAccess`)
- `--profile PROFILE`: AWS CLI profile name (optional)
- OIDC Provider: GitHub Actions identity provider in AWS IAM
- IAM Role: Role that GitHub Actions can assume
- Trust Policy: Restricts access to your specified org/repo/branch
- Managed Policy: Attaches AWS managed policy (default: AdministratorAccess)
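The trust policy is the piece that decides who may assume the role; the managed policy (AdministratorAccess by default) decides what the role may then do. The following is an added example, not the project's own script: it renders a trust policy pinned to one repo and branch and shows the AWS CLI calls that would apply it. It assumes the OIDC provider already exists in the account and takes the account id, `owner/repo`, branch, role name and managed policy name as inputs.

```bash
#!/usr/bin/env bash
# Added example (not setup-github-oidc.sh): build the trust policy for a
# GitHub Actions OIDC role and show how it would be applied with the AWS CLI.
set -euo pipefail

# Render the trust policy JSON for a given account / repo / branch.
# "sub" is pinned with StringEquals to a single branch ref, so tokens from
# other repos, branches, tags or pull requests are rejected.
# "aud" must be sts.amazonaws.com, the audience GitHub's token carries when
# it is requested for AWS.
trust_policy() {
  local account_id="$1" owner_repo="$2" branch="$3"
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {
      "Federated": "arn:aws:iam::${account_id}:oidc-provider/token.actions.githubusercontent.com"
    },
    "Action": "sts:AssumeRoleWithWebIdentity",
    "Condition": {
      "StringEquals": {
        "token.actions.githubusercontent.com:aud": "sts.amazonaws.com",
        "token.actions.githubusercontent.com:sub": "repo:${owner_repo}:ref:refs/heads/${branch}"
      }
    }
  }]
}
EOF
}

# Create the role with that trust policy and attach the managed policy.
# Assumed inputs: account id, owner/repo, branch, role name, policy name.
apply_role() {
  local account_id="$1" owner_repo="$2" branch="$3" role_name="$4" policy="$5"
  aws iam create-role --role-name "$role_name" \
    --assume-role-policy-document "$(trust_policy "$account_id" "$owner_repo" "$branch")"
  aws iam attach-role-policy --role-name "$role_name" \
    --policy-arn "arn:aws:iam::aws:policy/${policy}"
}

# Example invocation (constructed account id):
# apply_role 123456789012 myorg/myrepo main GitHubActionsRole PowerUserAccess
```

Review the rendered policy before applying it: a `StringLike` with `repo:myorg/*` or a missing `aud` condition widens who can assume the role far beyond the single branch the script is meant to allow.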
- AWS CLI installed and configured with credentials. The script uses your current AWS CLI authentication:
  - Environment variables (`AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, etc.)
  - Default profile (configured with `aws configure`)
  - Named profile via the `--profile` flag
  - AWS SSO profile (ensure the session is active with `aws sso login --profile your-profile`)
- Appropriate IAM permissions to create OIDC providers and roles