39 changes: 37 additions & 2 deletions .github/workflows/invalidate_cloudfront.yaml
Expand Up @@ -16,6 +16,16 @@ on:
description: AWS IAM role ARN
required: false
type: string
useOIDC:
description: Whether to use OIDC for assume role
required: false
type: boolean
default: false
githubOIDCRoleArn:
description: Github OIDC role ARN
required: false
type: string
default: ""
awsRegion:
description: AWS region
required: false
Expand All @@ -42,10 +52,10 @@ on:
secrets:
awsAccessKeyId:
description: AWS access key ID
required: true
required: false
awsSecretAccessKey:
description: AWS secret access key
required: true
required: false
slackToken:
description: Slack API token
required: false
Expand All @@ -55,6 +65,7 @@ jobs:
runs-on: ubuntu-22.04-arm64
steps:
- name: assume IAM role
if: inputs.useOIDC == false
uses: aws-actions/configure-aws-credentials@v4
with:
aws-access-key-id: ${{ secrets.awsAccessKeyId }}
Expand All @@ -67,6 +78,30 @@ jobs:
# which does not work for cross-account assume
role-skip-session-tagging: true

# First assume GithubOIDCRole role, the trust relationship between GitHub and AWS is defined in IAM GithubOIDCRole in the organization account. This role has permissions to assume Deployer roles only.
- name: assume GithubOIDCRole
if: inputs.useOIDC == true
uses: aws-actions/configure-aws-credentials@v4
with:
aws-region: ${{ inputs.awsRegion }}
role-to-assume: ${{ inputs.githubOIDCRoleArn }}
role-duration-seconds: ${{ inputs.awsSessionDuration }}

# This parameter is needed otherwise this action is trying to tag session
# which does not work for cross-account assume
role-skip-session-tagging: true

# Then assume Deployer role, which can be assumed by GithubOIDCRole and has all the permissions needed.
- name: assume Deployer role
if: inputs.useOIDC == true
uses: aws-actions/configure-aws-credentials@v4
with:
aws-region: ${{ inputs.awsRegion }}
role-to-assume: ${{ inputs.awsRoleArn }}
role-duration-seconds: ${{ inputs.awsSessionDuration }}
role-chaining: true
role-skip-session-tagging: true

- name: invalidate
run: |
echo ">>> Invalidating path ${{ inputs.path }} of distribution ${{ inputs.distributionId }}"
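Review bot: The OIDC branch added in the last hunk has no guard for its preconditions: `githubOIDCRoleArn` defaults to `""` in the inputs hunk, so a caller that sets `useOIDC: true` without the ARN reaches `role-to-assume: ${{ inputs.githubOIDCRoleArn }}` with an empty value, and the "assume GithubOIDCRole" step also needs `id-token: write` on the job, which is not visible in any hunk — worth confirming the job's `permissions` block outside the diff or adding one. A small step placed before "assume GithubOIDCRole" that fails with a clear message is cheaper to debug than the action's own error; a sketch is below. The "assume Deployer role" step combines `role-chaining: true` with `role-duration-seconds: ${{ inputs.awsSessionDuration }}`; AWS caps chained sessions at one hour, so a caller passing a longer `awsSessionDuration` (its default is outside this hunk) will fail at this second step — consider noting that in the comment above the step, e.g. `# Note: role chaining limits the session to at most one hour regardless of awsSessionDuration`. The comment introducing the GithubOIDCRole step is one very long line; split it across lines like the existing two-line comment on `role-skip-session-tagging`.
```yaml
      # … unchanged: assume IAM role step (access-key path) …
      - name: check OIDC inputs
        if: inputs.useOIDC == true && inputs.githubOIDCRoleArn == ''
        run: |
          echo "useOIDC is true but githubOIDCRoleArn is empty" >&2
          exit 1
      # … unchanged: assume GithubOIDCRole / assume Deployer role steps …
```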