This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Sample workflow to access AWS resources when workflow is tied to branch | |
| # The workflow Creates static website using aws s3 | |
| name: "my_corp_aws_action:repo:cider-research-testing/oidc-check:ref:refs/heads/main" | |
| on: | |
| workflow_dispatch: | |
| env: | |
| BUCKET_NAME: "aviad-oidc" | |
| AWS_REGION: "us-east-1" | |
| # permission can be added at job level or workflow level | |
| permissions: | |
| id-token: write # This is required for requesting the JWT | |
| contents: read # This is required for actions/checkout | |
| jobs: | |
| S3PackageUpload: | |
| runs-on: ubuntu-latest | |
| steps: | |
| # Present OIDC claims | |
| - name: Show token | |
| run: | | |
| JWT=$(curl -H "Authorization: bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" "$ACTIONS_ID_TOKEN_REQUEST_URL" | jq -r '.value') | |
| T=$(echo "$JWT" | jq -R 'split(".") | .[0],.[1] | @base64d | fromjson') | |
| echo "$T" | jq | |
| - name: configure aws credentials | |
| uses: aws-actions/configure-aws-credentials@v3 | |
| with: | |
| role-to-assume: arn:aws:iam::050446384457:role/cider-oidc-aviad | |
| aws-region: ${{ env.AWS_REGION }} | |
| # Upload a file to AWS s3 | |
| - name: echo the date as a new file to the bucket; filename is the timestamp; list the bucket | |
| run: | | |
| echo "Hello, World!" > ./hello.txt | |
| # Use run id as file name | |
| aws s3 cp ./hello.txt s3://${{ env.BUCKET_NAME }}/$(date +%s) | |
| echo "[ === Bucket Content == ]" | |
| aws s3 ls s3://${{ env.BUCKET_NAME }} |