GitHub Actions guide does not show how to use OIDC role assumption
The examples of how to use the aws credentials action assume that one is specifying AWS credentials via environment variables.
However, the action aws-actions/configure-aws-credentials also supports AWS role assumption via OIDC, which my org is using. In that case, it’s then necessary to specify permissions for the job so that the credentials action will succeed.
And once you’re configuring the permissions, you’ve overridden the defaults, so you have to then specify additional permissions so that the job can check out the repo and so the Pulumi action can post comments back to the PR.
I had to figure this out by trial and error; you might want to add it to the docs.
For example:
```yaml
pulumi:
  needs: unit-tests
  runs-on: ubuntu-20.04
  permissions:
    id-token: write # needed by configure-aws-credentials
    contents: read # this is in the set of default permissions but we're overriding the defaults
    pull-requests: write # so as to upsert results as PR comments
    issues: write # so as to upsert results as PR comments (maybe)
  steps:
    ...
    - name: Configure AWS credentials
      uses: aws-actions/configure-aws-credentials@v1
      with:
        # 123456 is our AWS Organizations Management Account
        role-to-assume: arn:aws:iam::123456:role/pulumi-github-actions
        aws-region: us-west-2
```
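For reference, here is a complete job that ties the pieces in the issue together: the job-level `permissions` block that the OIDC flow requires, the checkout step that `contents: read` exists for, and the Pulumi step that needs `pull-requests: write` to post its preview as a PR comment. This is an added illustration, not the reporter's workflow or Pulumi's documented example; the account id and role name are placeholders, and the Pulumi stack name, the `role-session-name` value and the `PULUMI_ACCESS_TOKEN` secret name are assumed.

```yaml
# Added example (not from the original issue): a job that assumes an AWS role
# via GitHub's OIDC provider and runs a Pulumi preview that comments on the PR.
name: pulumi-preview

on:
  pull_request:

jobs:
  pulumi:
    runs-on: ubuntu-20.04
    # Declaring `permissions` at the job level replaces the default token
    # permissions for this job only, so every permission the job needs has
    # to be listed here explicitly (least privilege for the GITHUB_TOKEN).
    permissions:
      id-token: write      # lets configure-aws-credentials request an OIDC token
      contents: read       # actions/checkout needs this to clone the repo
      pull-requests: write # pulumi/actions posts the preview as a PR comment
    steps:
      - name: Check out repository
        uses: actions/checkout@v3

      - name: Configure AWS credentials via OIDC
        uses: aws-actions/configure-aws-credentials@v1
        with:
          # Placeholder account id and role name; the role's trust policy must
          # trust GitHub's OIDC provider and restrict `sub` to this repository.
          role-to-assume: arn:aws:iam::111111111111:role/pulumi-github-actions
          role-session-name: pulumi-preview-${{ github.run_id }}  # assumed naming
          aws-region: us-west-2

      - name: Pulumi preview
        uses: pulumi/actions@v3
        with:
          command: preview
          stack-name: dev          # assumed stack name
          comment-on-pr: true      # requires the pull-requests: write permission above
          github-token: ${{ secrets.GITHUB_TOKEN }}
        env:
          PULUMI_ACCESS_TOKEN: ${{ secrets.PULUMI_ACCESS_TOKEN }}  # assumed secret name
```

Because the permissions are scoped to the job, other jobs in the same workflow keep the repository's default token permissions, and no long-lived AWS access keys are stored as secrets; the short-lived credentials exist only for the duration of the job. If `comment-on-pr` fails with a 403, the `pull-requests: write` line is the first thing to check.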