記事:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Federated": "arn:aws:iam::123456789012:oidc-provider/token.actions.githubusercontent.com" }, "Action": "sts:AssumeRoleWithWebIdentity", "Condition": { "StringLike": { "token.actions.githubusercontent.com:sub": [ "repo:myorg/myrepo1:*", "repo:myorg/myrepo2:*" ] } } } ] }
{ "Version": "2012-10-17", "Statement": [ { "Action": [ "s3:PutObject", "s3:ListBucket", "s3:DeleteObject" ], "Effect": "Allow", "Resource": [ "arn:aws:s3:::mybucket/*", "arn:aws:s3:::mybucket" ], "Sid": "s3Sync" } ] }
# GitHub Actions workflow: publish ./webroot to S3 through an OIDC-assumed IAM role.
# No long-lived AWS access keys are stored in the repo; the job exchanges a
# GitHub-issued OIDC token for short-lived credentials (sts:AssumeRoleWithWebIdentity).
name: Sync to S3
on:
  push:
    branches:
      - main
    # Path filter is repo-root relative.
    # NOTE(review): the sync step runs with working-directory `example`, so it
    # reads example/webroot/ — confirm this filter is meant to cover that
    # directory rather than a top-level webroot/.
    paths:
      - 'webroot/**'
env:
  # Region for the AWS CLI; the credentials step also receives it explicitly.
  AWS_DEFAULT_REGION: ap-northeast-1
defaults:
  run:
    working-directory: example
jobs:
  sync-to-s3:
    runs-on: ubuntu-latest
    # Least-privilege job token: id-token: write is what lets the job request
    # the OIDC JWT; contents: read is enough for checkout. Nothing else is granted.
    permissions:
      id-token: write
      contents: read
    steps:
      # Actions are referenced by major version tag. Pinning each to a full
      # commit SHA (keeping the tag in a trailing comment) protects against a
      # retargeted tag in the upstream action repository.
      - name: Checkout repo
        uses: actions/checkout@v4
      - name: Configure AWS Credentials (OIDC)
        uses: aws-actions/configure-aws-credentials@v4
        with:
          # The trust policy shown above matches `repo:myorg/myrepoN:*`, i.e.
          # any ref, tag, environment or pull request in those repos may assume
          # this role, not only pushes to main. A `sub` pattern such as
          # `repo:myorg/myrepo1:ref:refs/heads/main` would match this
          # workflow's trigger more tightly.
          role-to-assume: arn:aws:iam::123456789012:role/oidc-github-myorg-s3-sync
          aws-region: ap-northeast-1
          # Custom audience requested from GitHub. It only adds assurance if
          # the trust policy also checks it (a StringEquals condition on
          # token.actions.githubusercontent.com:aud); the trust policy above
          # conditions on `sub` only.
          audience: https://github.com/myorg
          # Shortest session duration AWS allows (15 minutes) — enough for one sync.
          role-duration-seconds: 900
          # Skips session tagging, so the role does not need to allow sts:TagSession.
          role-skip-session-tagging: true
      - name: Sync to S3
        # --delete removes objects under the destination prefix that no longer
        # exist locally (hence s3:DeleteObject in the permission policy above).
        # NOTE(review): --exact-timestamps is documented as affecting S3->local
        # syncs only; it looks like a no-op in this local->S3 direction — confirm.
        run: |
          aws s3 sync ./webroot/ s3://mybucket/webroot/ --delete --exact-timestamps
記事: