
Passing secrets to GitHub Actions


I am trying to deploy a lambda function through GitHub Actions and OIDC on AWS. It was working fine when I hardcoded role-to-assume as a plain string. But this is not an ideal approach for me and I would like to parameterize it. I tried giving the AccountId as a secret and tried using it as an environment variable, but it does not work. It gives an error saying Request ARN is invalid

Here is my workflow

name: AWS deploy CI/CD

on:
  push:
    branches: [ main ]

permissions:
  id-token: write
  contents: read

jobs:
  buildAndDeploy:

    runs-on: ubuntu-latest

    strategy:
      matrix:
        node-version: [14.x]
        
    steps:
      - name: Git clone the repository
        uses: actions/checkout@v3
      - name: Set up Node
        uses: actions/setup-node@v3
        with:
          node-version: ${{ matrix.node-version }}
      - run: npm ci
      - name: Run lint
        run: npm run lint
      - name: Build dist
        run: npm run build
      - name: Configure AWS Credentials
        env:
          ACCOUNT_ID: ${{ secrets.AWS_ACCOUNT_ID }}
        uses: aws-actions/configure-aws-credentials@v1
        with:
          aws-region: eu-west-1
          role-to-assume: arn:aws:iam::$ACCOUNT_ID:role/github-actions-role
      - name: Deploy to Lambda
        run: npm run deploy


Can someone tell me what I am doing wrong?


Solution

  • The following worked for me. For the ones who might run into the same topic, here is the solution. I removed the assignment of the secrets to env variables and directly assigned them where necessary.

    name: AWS deploy CI/CD
    
    on:
      push:
        branches: [ main ]
    
    permissions:
      id-token: write
      contents: read
    
    jobs:
      buildAndDeploy:
    
        runs-on: ubuntu-latest
    
        strategy:
          matrix:
            node-version: [14.x]
            
        steps:
          - name: Git clone the repository
            uses: actions/checkout@v3
          - name: Set up Node
            uses: actions/setup-node@v3
            with:
              node-version: ${{ matrix.node-version }}
          - run: npm ci
          - name: Run lint
            run: npm run lint
          - name: Build dist
            run: npm run build
          - name: Configure AWS Credentials
            uses: aws-actions/configure-aws-credentials@v1
            with:
              aws-region: eu-west-1
              role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/github-actions-role
          - name: Deploy to Lambda
            run: npm run deploy -- --param="S3_BUCKET=${{ secrets.S3_BUCKET }}"
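The reason the original workflow failed is that values under `with:` are passed to the action as-is: GitHub expands `${{ ... }}` expressions, but never runs them through a shell, so the text `$ACCOUNT_ID` reached STS literally and the ARN was rejected. As an added example (not part of the question or the accepted answer), the following POSIX shell snippet is a pre-flight check a workflow could run in a `run:` step before the Configure AWS Credentials step: it verifies that the role ARN has a 12-digit account id and a well-formed role name, and reports only pass/fail so the account id is never echoed to the job log. The function names, the placeholder account id `123456789012` and the sample ARNs are all constructed for this example.

```shell
#!/bin/sh
# Added example: pre-flight validation of a role-to-assume ARN.
# It catches the failure mode from the question, where an unexpanded
# "$ACCOUNT_ID" ended up inside the ARN handed to STS.

# Returns 0 if the argument looks like a valid IAM role ARN
# (12-digit account id, then role/<path-or-name>), 1 otherwise.
# Nothing is printed, so the account id does not reach the log.
validate_role_arn() {
  printf '%s' "$1" | grep -Eq '^arn:aws:iam::[0-9]{12}:role/[A-Za-z0-9+=,.@_/-]+$'
}

# Wrapper suitable for a `run:` step: reports pass/fail only, never the ARN itself.
check_role_arn() {
  if validate_role_arn "$1"; then
    echo "role-to-assume: OK (syntactically valid IAM role ARN)"
    return 0
  fi
  echo "role-to-assume: INVALID (unexpanded variable or malformed account id?)" >&2
  return 1
}

# Constructed sample inputs. 123456789012 is a placeholder, not a real account id.
GOOD_ARN='arn:aws:iam::123456789012:role/github-actions-role'
# What the question's `with:` value actually contained: the literal text $ACCOUNT_ID.
BAD_ARN='arn:aws:iam::$ACCOUNT_ID:role/github-actions-role'

check_role_arn "$GOOD_ARN"
check_role_arn "$BAD_ARN" || true   # expected to fail: the account id field is not 12 digits
```

In a workflow this would sit in a step such as `run: check_role_arn "$ROLE_ARN"` with `env: ROLE_ARN: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/github-actions-role`, so the expression is expanded by GitHub into the environment and the shell only ever sees the finished ARN. Because the check prints no part of the ARN, it stays safe even if the runner's secret masking were ever bypassed by a transformed value.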