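---
# Workflow fragment: obtain short-lived AWS credentials through GitHub OIDC
# (no static access keys stored as repository secrets).
jobs:
  deploy:
    runs-on: ubuntu-latest
    # Least privilege for the job's GITHUB_TOKEN: id-token is needed to
    # request the OIDC JWT; contents: read is sufficient for checkout.
    permissions:
      id-token: write
      contents: read
    env:
      # Quoted on purpose: an all-digit account id would otherwise be
      # parsed as an integer and the ARN below would still render, but
      # tooling that retypes YAML can mangle it.
      AWS_ACCOUNT_ID: "123456789012"
      AWS_REGION: ap-northeast-1
      ROLE_NAME: oidc-reponame
    steps:
      # NOTE(review): @v4 is a mutable tag; pinning both actions to a full
      # commit SHA gives supply-chain integrity (no SHA on this page, so
      # none is inserted here).
      - uses: actions/checkout@v4
      - name: Configure AWS Credentials
        uses: aws-actions/configure-aws-credentials@v4
        with:
          aws-region: ${{ env.AWS_REGION }}
          # The role's trust policy must allow sts:AssumeRoleWithWebIdentity
          # from this repository's OIDC subject.
          role-to-assume: arn:aws:iam::${{ env.AWS_ACCOUNT_ID }}:role/${{ env.ROLE_NAME }}
          # Session name appears in CloudTrail; run_id ties it to one run.
          role-session-name: reponame-${{ github.run_id }}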
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Federated": "arn:aws:iam::123456789012:oidc-provider/token.actions.githubusercontent.com"
},
"Action": "sts:AssumeRoleWithWebIdentity",
"Condition": {
"StringLike": {
"token.actions.githubusercontent.com:sub": [
"repo:myorg/myrepo1:*",
"repo:myorg/myrepo2:*"
]
}
}
}
]
}{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"s3:PutObject",
"s3:ListBucket",
"s3:DeleteObject"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::mybucket/*",
"arn:aws:s3:::mybucket"
],
"Sid": "s3Sync"
}
]
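}
---
# Sync a static site directory to S3 using short-lived OIDC credentials.
name: Sync to S3
on:  # yamllint disable-line rule:truthy -- 'on' is a GitHub Actions key
  push:
    branches:
      - main
    paths:
      # NOTE(review): this filter matches webroot/** at the repository root,
      # but the job runs in working-directory 'example' and syncs
      # ./webroot/ from there. One of the two paths looks wrong; confirm
      # where the files actually live.
      - 'webroot/**'
env:
  AWS_DEFAULT_REGION: ap-northeast-1
defaults:
  run:
    working-directory: example
jobs:
  sync-to-s3:
    runs-on: ubuntu-latest
    # Least privilege: id-token to mint the OIDC JWT, contents: read for checkout.
    permissions:
      id-token: write
      contents: read
    steps:
      # NOTE(review): @v4 is a mutable tag; pin both actions to a full commit
      # SHA for supply-chain integrity (no SHA on this page, so none inserted).
      - name: Checkout repo
        uses: actions/checkout@v4
      - name: Configure AWS Credentials (OIDC)
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: arn:aws:iam::123456789012:role/oidc-github-myorg-s3-sync
          aws-region: ap-northeast-1
          # Overrides the action's default audience (sts.amazonaws.com). This
          # value must be a registered client ID on the account's GitHub OIDC
          # provider, and the role's trust policy should additionally check
          # token.actions.githubusercontent.com:aud against it so a token
          # minted for another audience cannot assume the role.
          audience: https://github.com/myorg
          # 900 s is the shortest session AWS allows; keeps the credential
          # window small for a single sync.
          role-duration-seconds: 900
          role-skip-session-tagging: true
      - name: Sync to S3
        # --delete removes every object under the prefix that has no local
        # counterpart: an empty or wrong source directory would purge
        # s3://mybucket/webroot/. The role needs s3:DeleteObject for this.
        run: |
          aws s3 sync ./webroot/ s3://mybucket/webroot/ --delete --exact-timestamps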