github_oidc

Provides functionality to create GitHub OpenID Connect providers and IAM roles that can be assumed by GitHub Actions workflows.

cdkit.srv.iam.github_oidc.create_github_oidc_provider(scope: Construct, id: str, url: str = 'https://token.actions.githubusercontent.com', client_id_list: list[str] | None = None, thumbprint_list: list[str] | None = None) -> CfnOIDCProvider

Create a GitHub OIDC provider in AWS IAM.

This function creates an OIDC provider configuration that lets GitHub Actions authenticate to AWS with short-lived tokens instead of long-term credentials. The provider is configured with the standard GitHub token URL and thumbprint.

Ref: https://github.com/aws-actions/configure-aws-credentials

cdkit.srv.iam.github_oidc.GITHUB_OIDC_PROVIDER_ARN = 'arn:aws:iam::${Token[AWS.AccountId.7]}:oidc-provider/token.actions.githubusercontent.com'

The GitHub OIDC provider ARN in AWS always has this format; the `${Token[AWS.AccountId.7]}` part is a CDK token that resolves to the account ID at synthesis time.

cdkit.srv.iam.github_oidc.create_github_repo_main_iam_role_assumed_by(repo_patterns: str | List[str], federated: str = 'arn:aws:iam::${Token[AWS.AccountId.7]}:oidc-provider/token.actions.githubusercontent.com') -> FederatedPrincipal

Create a FederatedPrincipal for GitHub OIDC authentication.

Creates an IAM FederatedPrincipal that allows GitHub Actions to assume the role via OIDC authentication.

Usage Example:

iam.Role(
    scope=...,
    id=...,
    role_name=...,
    assumed_by=create_github_repo_main_iam_role_assumed_by(
        repo_patterns=...,
        federated=...,
    ),
    inline_policies=inline_policies,
)

Parameters:
  • repo_patterns – GitHub repository pattern(s) allowed to assume the role. Can be a single pattern string or a list of patterns. Example: "repo:organization/repo-name:*" or ["repo:org/repo1:*", "repo:org/repo2:*"].

  • federated – ARN of the OIDC provider. Defaults to GitHub’s OIDC provider.
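The trust relationship this FederatedPrincipal expresses, as an added example that is not part of cdkit: a plain-Python builder for the trust-policy statement plus an evaluator that applies IAM StringEquals/StringLike semantics to a decoded token's claims, so you can check which repositories and refs a given repo_patterns value actually admits before deploying the role. It assumes the statement shape documented by the aws-actions/configure-aws-credentials project referenced above (aud pinned to sts.amazonaws.com, sub matched with StringLike); the cdkit page itself does not spell out those conditions. The account id, repository names and claim values are constructed.

```python
import fnmatch

# Constructed values (not from the page): substitute your own account id.
ACCOUNT_ID = "123456789012"
GITHUB_OIDC_ISSUER = "token.actions.githubusercontent.com"
# Same format as cdkit's GITHUB_OIDC_PROVIDER_ARN, with the account id filled in.
GITHUB_OIDC_PROVIDER_ARN = f"arn:aws:iam::{ACCOUNT_ID}:oidc-provider/{GITHUB_OIDC_ISSUER}"


def github_oidc_trust_statement(repo_patterns, federated=GITHUB_OIDC_PROVIDER_ARN):
    """Trust-policy statement for a role assumable from GitHub Actions via OIDC.

    Assumed shape (per aws-actions/configure-aws-credentials, not stated on the
    cdkit page): the token's ``aud`` must equal sts.amazonaws.com and its ``sub``
    must match one of the repo patterns under IAM StringLike semantics.
    """
    patterns = [repo_patterns] if isinstance(repo_patterns, str) else list(repo_patterns)
    for p in patterns:
        parts = p.split(":", 2)
        # Require repo:<owner>/<repo>:<ref-or-environment-pattern>; the third
        # segment is where a deliberate wildcard belongs.
        if len(parts) != 3 or parts[0] != "repo" or "/" not in parts[1]:
            raise ValueError(f"expected 'repo:<owner>/<repo>:<pattern>', got {p!r}")
        if parts[1].startswith("*"):
            raise ValueError(f"pattern {p!r} would trust every GitHub owner")
    return {
        "Effect": "Allow",
        "Principal": {"Federated": federated},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {
            "StringEquals": {f"{GITHUB_OIDC_ISSUER}:aud": "sts.amazonaws.com"},
            "StringLike": {f"{GITHUB_OIDC_ISSUER}:sub": patterns},
        },
    }


def iam_string_like(value, pattern):
    """IAM StringLike: '*' matches any run of characters, '?' one character,
    and the comparison is case-sensitive. fnmatchcase does exactly that once
    '[' is escaped, since IAM has no bracket classes."""
    return fnmatch.fnmatchcase(value, pattern.replace("[", "[[]"))


def token_can_assume(statement, claims):
    """Evaluate the decoded claims of a GitHub OIDC token against the statement."""
    cond = statement["Condition"]
    for key, expected in cond.get("StringEquals", {}).items():
        if claims.get(key.split(":", 1)[1]) != expected:
            return False
    for key, patterns in cond.get("StringLike", {}).items():
        claim = claims.get(key.split(":", 1)[1])
        if claim is None or not any(iam_string_like(claim, p) for p in patterns):
            return False
    return True


if __name__ == "__main__":
    # Any branch or pull request of acme/web may assume the role ...
    stmt = github_oidc_trust_statement("repo:acme/web:*")
    print(token_can_assume(stmt, {"aud": "sts.amazonaws.com",
                                  "sub": "repo:acme/web:ref:refs/heads/main"}))
    # ... but a repository under another owner (a fork, for instance) may not.
    print(token_can_assume(stmt, {"aud": "sts.amazonaws.com",
                                  "sub": "repo:other-owner/web:ref:refs/heads/main"}))
```

A pattern ending in `:*` admits every branch, tag, pull request and environment of the repository; passing `repo:org/repo:ref:refs/heads/main` or `repo:org/repo:environment:prod` instead confines the role to that ref or environment, which is the check worth running on each repo_patterns value before it ships.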

class cdkit.srv.iam.github_oidc.GitHubOidcProviderParams(id: str = 'GitHubOidcProviderConstruct', github_oidc_provider_res_id: str = 'GitHubOidcProviderResource', url: str = 'https://token.actions.githubusercontent.com', client_id_list: list[str] = OPT, thumbprint_list: list[str] = OPT)

Parameters for creating a GitHub OIDC provider.

See GitHubOidcProvider

class cdkit.srv.iam.github_oidc.GitHubOidcProvider(*args: Any, **kwargs)

Construct for creating a GitHub OIDC provider in AWS IAM.

Parameters:

  • params – GitHubOidcProviderParams

class cdkit.srv.iam.github_oidc.SingleRoleWithInlinePolicyConstructParams(id: str = REQ, role_name: str = REQ)

class cdkit.srv.iam.github_oidc.GitHubOidcSingleAccountParams(id: str = 'GitHubOidcSingleAccountConstruct', role_name: str = REQ, github_repo_main_iam_role_res_id: str = 'GitHubRepoMainIamRole', repo_patterns: str | List[str] = REQ, federated: str = 'arn:aws:iam::${Token[AWS.AccountId.7]}:oidc-provider/token.actions.githubusercontent.com')

Parameters for creating a GitHub OIDC role in a single AWS account setup.

See GitHubOidcSingleAccount

class cdkit.srv.iam.github_oidc.GitHubOidcSingleAccount(*args: Any, **kwargs)

Construct for creating an IAM role assumable by GitHub Actions.

The role is assumed directly by GitHub Actions and carries the permissions needed to perform deployment-related AWS actions itself.

Parameters:

  • params – GitHubOidcSingleAccountParams

create_github_repo_main_iam_role_inline_policy_document() -> PolicyDocument

Implement this method to return the inline policy document for the IAM role.

Example:

def create_github_repo_main_iam_role_inline_policy_document(self) -> iam.PolicyDocument:
    # Return the least-privilege policy the deployment actually needs; the
    # placeholders below are the actions and resource ARNs of that deployment.
    return iam.PolicyDocument(
        statements=[
            iam.PolicyStatement(
                actions=...,
                resources=...,
            ),
        ],
    )

create_github_repo_main_iam_role()

Create the main IAM role that will be assumed by GitHub Actions.

Note

Users can override this method to customize how the IAM role is created.

class cdkit.srv.iam.github_oidc.GitHubOidcMultiAccountDevopsParams(id: str = 'GitHubOidcMultiAccountDevopsConstruct', role_name: str = REQ, github_repo_main_iam_role_res_id: str = 'GitHubRepoMainIamRole', repo_patterns: str | List[str] = REQ, workload_iam_role_arn_list: List[str] = REQ, federated: str = 'arn:aws:iam::${Token[AWS.AccountId.7]}:oidc-provider/token.actions.githubusercontent.com')

Parameters for creating a GitHub OIDC devops role in a multi-account AWS setup.

See GitHubOidcMultiAccountDevops

class cdkit.srv.iam.github_oidc.GitHubOidcMultiAccountDevops(*args: Any, **kwargs)

Construct for creating a GitHub OIDC devops role in a multi-account AWS setup.

This role can be assumed by GitHub Actions and has the permission to assume other roles in different AWS accounts.

Parameters:

  • params – GitHubOidcMultiAccountDevopsParams

create_github_repo_main_iam_role()

Create the main IAM role that will be assumed by GitHub Actions.

Note

Users can override this method to customize how the IAM role is created.

class cdkit.srv.iam.github_oidc.GitHubOidcMultiAccountWorkloadParams(id: str = 'GitHubOidcMultiAccountWorkloadConstruct', role_name: str = REQ, github_repo_workload_iam_role_res_id: str = 'GitHubRepoWorkloadIamRole', devops_iam_role_arn: str = REQ)

Parameters for creating a GitHub OIDC workload role.

See GitHubOidcMultiAccountWorkload

class cdkit.srv.iam.github_oidc.GitHubOidcMultiAccountWorkload(*args: Any, **kwargs)

Construct for creating a workload IAM role in a multi-account setup.

This role can be assumed by a devops IAM role, and it has the permission to perform deployment related AWS actions.

Parameters:

  • params – GitHubOidcMultiAccountWorkloadParams
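How the devops and workload constructs fit together, as an added example that is not cdkit's own code: plain-Python renderings of the devops role's inline policy (sts:AssumeRole limited to the entries of workload_iam_role_arn_list) and the workload role's trust policy (principal limited to devops_iam_role_arn), plus a check that both halves of a cross-account hop name each other. The policy shapes are an assumption drawn from the two construct descriptions above; the constructs themselves do not publish their rendered policies on this page. The ARNs are constructed.

```python
# Constructed example ARNs (not from the page); the devops role lives in one
# account and each workload role in a different one.
DEVOPS_ROLE_ARN = "arn:aws:iam::111111111111:role/github-devops"
WORKLOAD_ROLE_ARNS = [
    "arn:aws:iam::222222222222:role/github-workload-dev",
    "arn:aws:iam::333333333333:role/github-workload-prod",
]


def account_of(role_arn):
    """Account id field of an IAM role ARN (arn:partition:iam::ACCOUNT:role/...)."""
    return role_arn.split(":")[4]


def devops_inline_policy(workload_iam_role_arn_list):
    """Inline policy for the devops role.  Assumed shape: the only thing the role
    may do is sts:AssumeRole on the listed workload roles, each named explicitly."""
    if not workload_iam_role_arn_list:
        raise ValueError("at least one workload role ARN is required")
    for arn in workload_iam_role_arn_list:
        if "*" in arn:
            raise ValueError(f"wildcard in assumable role ARN: {arn!r}")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AssumeWorkloadRoles",
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": list(workload_iam_role_arn_list),
        }],
    }


def workload_trust_policy(devops_iam_role_arn):
    """Trust policy for a workload role: assumable only by the devops role, so
    GitHub never authenticates to the workload account directly."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": devops_iam_role_arn},
            "Action": "sts:AssumeRole",
        }],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def chain_is_consistent(devops_role_arn, devops_policy, workload_role_arn, trust_policy):
    """True when the devops policy allows assuming workload_role_arn AND the
    workload trust policy allows devops_role_arn as principal.  Cross-account
    AssumeRole needs both; either half missing yields AccessDenied from STS."""
    allowed_out = any(
        s["Effect"] == "Allow"
        and "sts:AssumeRole" in _as_list(s["Action"])
        and workload_role_arn in _as_list(s["Resource"])
        for s in devops_policy["Statement"]
    )
    allowed_in = any(
        s["Effect"] == "Allow"
        and "sts:AssumeRole" in _as_list(s["Action"])
        and devops_role_arn in _as_list(s["Principal"].get("AWS", []))
        for s in trust_policy["Statement"]
    )
    return allowed_out and allowed_in


if __name__ == "__main__":
    policy = devops_inline_policy(WORKLOAD_ROLE_ARNS)
    for arn in WORKLOAD_ROLE_ARNS:
        trust = workload_trust_policy(DEVOPS_ROLE_ARN)
        print(account_of(arn), chain_is_consistent(DEVOPS_ROLE_ARN, policy, arn, trust))
```

Because the devops stack and each workload stack are deployed into different accounts, the two halves are easy to let drift (a renamed role, a stale ARN in workload_iam_role_arn_list); running the consistency check against the synthesized templates catches that before the workflow fails at the AssumeRole step.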

create_github_repo_workload_iam_role_inline_policy_document() -> PolicyDocument

Implement this method to return the inline policy document for the IAM role.

Example:

def create_github_repo_workload_iam_role_inline_policy_document(self) -> iam.PolicyDocument:
    # Return the least-privilege policy the deployment actually needs; the
    # placeholders below are the actions and resource ARNs of that deployment.
    return iam.PolicyDocument(
        statements=[
            iam.PolicyStatement(
                actions=...,
                resources=...,
            ),
        ],
    )
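A concrete inline policy document of the kind both create_github_repo_main_iam_role_inline_policy_document and create_github_repo_workload_iam_role_inline_policy_document are meant to return, as an added example rather than cdkit's own code, together with a small review check that flags Allow statements carrying a wildcard action or a "*" resource. The trust policy decides which repositories may assume the role; this document decides what they can do once they have, so it is the place where a CI credential stays narrow or silently becomes account-wide. Bucket, function, region and account values are constructed.

```python
import json

# Constructed example resource names (not from the page).
ACCOUNT_ID = "123456789012"
REGION = "us-east-1"
ARTIFACT_BUCKET = "acme-deploy-artifacts"
FUNCTION_NAME = "acme-api"


def deployment_policy_document(account_id=ACCOUNT_ID, region=REGION,
                               bucket=ARTIFACT_BUCKET, function_name=FUNCTION_NAME):
    """A resource-scoped inline policy for a deployment role: upload artifacts
    to one bucket and update one Lambda function, nothing else."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "WriteArtifacts",
                "Effect": "Allow",
                "Action": ["s3:PutObject", "s3:GetObject"],
                "Resource": f"arn:aws:s3:::{bucket}/*",
            },
            {
                "Sid": "UpdateFunction",
                "Effect": "Allow",
                "Action": "lambda:UpdateFunctionCode",
                "Resource": f"arn:aws:lambda:{region}:{account_id}:function:{function_name}",
            },
        ],
    }


def overly_broad_statements(policy):
    """Sids (or positional labels) of Allow statements that grant a wildcard
    action ('*' or 'service:*') or apply to every resource.  Deny statements
    are skipped: they only ever narrow what the role can do."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = stmt.get("Resource", [])
        resources = [resources] if isinstance(resources, str) else resources
        if any(a == "*" or a.endswith(":*") for a in actions) or "*" in resources:
            findings.append(stmt.get("Sid", f"Statement[{i}]"))
    return findings


if __name__ == "__main__":
    doc = deployment_policy_document()
    print(json.dumps(doc, indent=2))
    print("overly broad statements:", overly_broad_statements(doc))
```

The dict is ordinary IAM policy JSON, so an override can hand it to aws_cdk.aws_iam.PolicyDocument.from_json(doc) instead of building PolicyStatement objects by hand; running overly_broad_statements over each role's document in a unit test keeps a later "just add s3:*" change from passing review unnoticed.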

create_github_repo_workload_iam_role()

Create the workload IAM role, which is assumed by the devops IAM role rather than by GitHub Actions directly.

Note

Users can override this method to customize how the IAM role is created.