GitHub OIDC
GitHub Actions workflows authenticate with AWS using OpenID Connect (OIDC). No long-lived access keys or secrets are stored in GitHub.
How it works
IAM roles
github-oidc-workflow-role — Upload role
Used by any Neulabs repository on the main branch to upload files to S3.
| Permission | Scope |
|---|---|
| s3:ListBucket, s3:GetBucketLocation | neulabs-docs-swamp bucket |
| s3:GetObject, s3:PutObject, s3:DeleteObject | All objects in neulabs-docs-swamp |
Trust condition: any repo in the neulabscom GitHub org, branch main.
github-oidc-deploy-role — Deploy role
Used exclusively by the neulabs-docubuilder repository to deploy CDK stacks.
| Permission | Scope |
|---|---|
| cloudformation:* | All resources |
| iam:PassRole | All resources |
| s3:* | All resources |
| ssm:GetParameter*, ssm:PutParameter* | All resources |
| sts:AssumeRole | Only cdk-* roles in the account |
Trust condition: only neulabscom/neulabs-docubuilder repo, branch main.
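The two trust conditions above differ in how much of the OIDC `sub` claim they pin down: the upload role wildcards only the repository name, the deploy role matches one exact subject. The following is an added example, not code from this repository, that simulates how IAM's `StringEquals` and `StringLike` operators evaluate a GitHub token's `sub` and `aud` claims against those two trust policies. The account id, the policy documents themselves and the sample subjects are assumptions; the `repo:OWNER/REPO:ref:refs/heads/BRANCH` subject format and the `sts.amazonaws.com` audience are the ones GitHub and the AWS credentials action use.

```python
"""Simulate IAM evaluation of GitHub OIDC claims against the two role trust policies.

Added example. The account id and the exact policy documents are assumptions;
only the trust conditions (org-wide on main vs. one repo on main) come from the page.
"""
import json
import re

OIDC_PROVIDER = "token.actions.githubusercontent.com"
ACCOUNT_ID = "123456789012"  # placeholder account id, not the real one


def _trust_policy(condition: dict) -> dict:
    """Build a trust policy allowing AssumeRoleWithWebIdentity from the GitHub OIDC provider."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {
                    "Federated": f"arn:aws:iam::{ACCOUNT_ID}:oidc-provider/{OIDC_PROVIDER}"
                },
                "Action": "sts:AssumeRoleWithWebIdentity",
                "Condition": condition,
            }
        ],
    }


# Upload role: any repo in the org, but only the main branch. The wildcard covers
# the repo name only; the ":ref:refs/heads/main" suffix stays literal, so tokens
# issued for pull_request events or other branches do not match.
WORKFLOW_ROLE_TRUST = _trust_policy({
    "StringEquals": {f"{OIDC_PROVIDER}:aud": "sts.amazonaws.com"},
    "StringLike": {f"{OIDC_PROVIDER}:sub": "repo:neulabscom/*:ref:refs/heads/main"},
})

# Deploy role: exactly one repo on main, so an exact match with no wildcard at all.
DEPLOY_ROLE_TRUST = _trust_policy({
    "StringEquals": {
        f"{OIDC_PROVIDER}:aud": "sts.amazonaws.com",
        f"{OIDC_PROVIDER}:sub": "repo:neulabscom/neulabs-docubuilder:ref:refs/heads/main",
    },
})


def _string_like(pattern: str, value: str) -> bool:
    """IAM StringLike: case-sensitive; '*' matches any run of characters, '?' exactly one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None


_OPERATORS = {
    "StringEquals": lambda expected, actual: expected == actual,
    "StringLike": _string_like,
}


def assume_role_allowed(policy: dict, claims: dict) -> bool:
    """True if some Allow statement's conditions all hold for the token claims.

    A claim that is absent from the token never satisfies a condition.
    """
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or stmt["Action"] != "sts:AssumeRoleWithWebIdentity":
            continue
        ok = True
        for operator, conditions in stmt.get("Condition", {}).items():
            for key, expected in conditions.items():
                actual = claims.get(key)
                if actual is None or not _OPERATORS[operator](expected, actual):
                    ok = False
        if ok:
            return True
    return False


def evaluate(sub: str, aud: str = "sts.amazonaws.com") -> dict:
    """Report which of the two roles a token carrying this sub/aud pair could assume."""
    claims = {f"{OIDC_PROVIDER}:sub": sub, f"{OIDC_PROVIDER}:aud": aud}
    return {
        "workflow_role": assume_role_allowed(WORKFLOW_ROLE_TRUST, claims),
        "deploy_role": assume_role_allowed(DEPLOY_ROLE_TRUST, claims),
    }


if __name__ == "__main__":
    # Constructed sample subjects in the shapes GitHub issues for pushes, PRs and other orgs.
    for sub in [
        "repo:neulabscom/some-docs:ref:refs/heads/main",
        "repo:neulabscom/neulabs-docubuilder:ref:refs/heads/main",
        "repo:neulabscom/neulabs-docubuilder:ref:refs/heads/feature-x",
        "repo:neulabscom/neulabs-docubuilder:pull_request",
        "repo:other-org/neulabs-docubuilder:ref:refs/heads/main",
    ]:
        print(f"{sub:<62} {evaluate(sub)}")
    print(json.dumps(DEPLOY_ROLE_TRUST, indent=2))
```

Running the script shows only the `neulabs-docubuilder` main-branch subject reaching the deploy role, any org repo on main reaching the upload role, and feature branches, pull_request tokens and other orgs reaching neither. The `aud` check matters as much as `sub`: a token minted for a different audience is rejected by both policies even with a matching subject.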
GitHub variables required
| Variable | Used by | Value |
|---|---|---|
| AWS_DOCS_ROLE_TO_ASSUME | upload-bootstrap.yml, upload-docs.yml | ARN of github-oidc-workflow-role |
| AWS_DEPLOY_ROLE_ASSUME | deploy-infra.yml | ARN of github-oidc-deploy-role |
| AWS_REGION | All workflows | eu-west-1 |