IAM Least Privilege for CI Deploy Roles
Scoped OIDC roles for GitHub Actions — no long-lived AWS keys in repository secrets.
Long-lived AWS_ACCESS_KEY_ID in GitHub secrets rotated quarterly — if someone remembered.
OIDC Trust
{
"Effect": "Allow",
"Principal": { "Federated": "arn:aws:iam::123:oidc-provider/token.actions.githubusercontent.com" },
"Action": "sts:AssumeRoleWithWebIdentity",
"Condition": {
"StringEquals": {
"token.actions.githubusercontent.com:sub": "repo:org/islom-engineering-journal:ref:refs/heads/main"
}
}
}
Role Permissions
Deploy role gets s3:PutObject on one bucket prefix, cloudfront:CreateInvalidation on one distribution. Nothing else.
Build role gets ECR push to one repository. Separate roles per environment — staging role cannot touch production ARNs.
Audit: CloudTrail logs every assume-role with session-name = GitHub run ID.
security , aws , iam , ci-cd · AWS , GitHub Actions