IAM Least Privilege for CI Deploy Roles

Scoped OIDC roles for GitHub Actions — no long-lived AWS keys in repository secrets.

Long-lived AWS_ACCESS_KEY_ID in GitHub secrets rotated quarterly — if someone remembered.

OIDC Trust

{
  "Effect": "Allow",
  "Principal": { "Federated": "arn:aws:iam::123:oidc-provider/token.actions.githubusercontent.com" },
  "Action": "sts:AssumeRoleWithWebIdentity",
  "Condition": {
    "StringEquals": {
      "token.actions.githubusercontent.com:sub": "repo:org/islom-engineering-journal:ref:refs/heads/main"
    }
  }
}

Role Permissions

Deploy role gets s3:PutObject on one bucket prefix, cloudfront:CreateInvalidation on one distribution. Nothing else.

Build role gets ECR push to one repository. Separate roles per environment — staging role cannot touch production ARNs.

Audit: CloudTrail logs every assume-role with session-name = GitHub run ID.

security , aws , iam , ci-cd · AWS , GitHub Actions

More in Security