Class GitHubActionRole

  • All Implemented Interfaces:
    software.amazon.jsii.JsiiSerializable, software.constructs.IConstruct, software.constructs.IDependable

    @Generated(value="jsii-pacmak/1.62.0 (build 293ac17)",
               date="2022-07-16T00:20:23.451Z")
    @Stability(Stable)
    public class GitHubActionRole
    extends software.constructs.Construct
    Creates or references a GitHub OIDC provider and accompanying role that trusts the provider.

    This role can be used to authenticate against AWS instead of using long-lived AWS user credentials stored in GitHub secrets.

    You can do this manually in the console, or create a separate stack that uses this construct. You must run cdk deploy once (with your normal AWS credentials) to have this role created for you.

    You can then make note of the role ARN in the stack output and send it into the GitHub Workflow app via the gitHubActionRoleArn property. The role ARN will be arn:aws:iam::<accountId>:role/GithubActionRole.

    See Also:
    https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services
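    The bootstrap flow described above, as an added example (not code from the cdk-pipelines-github project or this page): a stack that creates the provider and role and exports the ARN to paste into gitHubActionRoleArn, plus a second stack that reuses the account's existing provider through existingGitHubActionsProvider instead of creating a duplicate. The package name, the repos and provider builder methods on GitHubActionRoleProps, and the "my-org/my-repo" values are assumptions; the page only names the props class. The repository list is the security-relevant setting: it is what scopes the role's trust policy so that only workflows from those repositories can assume it, and it should be kept as narrow as the deployment needs.

```java
// Assumed package; check the artifact you depend on.
import io.github.cdklabs.cdkpipelines.github.GitHubActionRole;
import software.amazon.awscdk.App;
import software.amazon.awscdk.CfnOutput;
import software.amazon.awscdk.Stack;
import software.amazon.awscdk.services.iam.IOpenIdConnectProvider;
import software.constructs.Construct;

import java.util.List;

public class GitHubOidcBootstrap {

    /** Deploy this stack once, with your normal AWS credentials. */
    static class BootstrapStack extends Stack {
        BootstrapStack(final Construct scope, final String id) {
            super(scope, id);

            // Creates the GitHub OIDC provider (if the account has none) and a role that
            // trusts it. Keep the repository list minimal: it scopes the trust policy.
            GitHubActionRole actionRole = GitHubActionRole.Builder.create(this, "GitHubActionRole")
                    .repos(List.of("my-org/my-repo"))   // assumed builder method and placeholder repo
                    .build();

            // Export the ARN so it can be fed into the GitHub Workflow app's gitHubActionRoleArn.
            CfnOutput.Builder.create(this, "GitHubActionRoleArn")
                    .value(actionRole.getRole().getRoleArn())
                    .build();
        }
    }

    /** A later stack in the same account: reference the existing provider, do not recreate it. */
    static class SecondRepoRoleStack extends Stack {
        SecondRepoRoleStack(final Construct scope, final String id) {
            super(scope, id);

            // No ARN argument is needed; the provider ARN is always the same for an account.
            IOpenIdConnectProvider provider = GitHubActionRole.existingGitHubActionsProvider(this);

            GitHubActionRole actionRole = GitHubActionRole.Builder.create(this, "SecondRepoRole")
                    .provider(provider)                  // assumed builder method
                    .repos(List.of("my-org/other-repo")) // assumed builder method and placeholder repo
                    .build();

            CfnOutput.Builder.create(this, "SecondRepoRoleArn")
                    .value(actionRole.getRole().getRoleArn())
                    .build();
        }
    }

    public static void main(final String[] args) {
        App app = new App();
        new BootstrapStack(app, "GitHubOidcBootstrap");
        new SecondRepoRoleStack(app, "SecondRepoRole");
        app.synth();
    }
}
```

    Run cdk deploy GitHubOidcBootstrap once with your own credentials, then copy the GitHubActionRoleArn output into the workflow configuration; the workflow afterwards authenticates through short-lived OIDC tokens rather than stored access keys.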
    • Nested Class Summary

      Nested Classes
      Modifier and Type | Class | Description
      static class | GitHubActionRole.Builder | A fluent builder for GitHubActionRole.
      • Nested classes/interfaces inherited from class software.amazon.jsii.JsiiObject

        software.amazon.jsii.JsiiObject.InitializationMode
      • Nested classes/interfaces inherited from interface software.constructs.IConstruct

        software.constructs.IConstruct.Jsii$Default, software.constructs.IConstruct.Jsii$Proxy
    • Method Summary

      Modifier and Type | Method | Description
      static software.amazon.awscdk.services.iam.IOpenIdConnectProvider | existingGitHubActionsProvider(software.constructs.Construct scope) | Reference an existing GitHub Actions provider.
      software.amazon.awscdk.services.iam.IRole | getRole() | The role that gets created.
      • Methods inherited from class software.constructs.Construct

        getNode, isConstruct, toString
      • Methods inherited from class software.amazon.jsii.JsiiObject

        jsiiAsyncCall, jsiiAsyncCall, jsiiCall, jsiiCall, jsiiGet, jsiiGet, jsiiSet, jsiiStaticCall, jsiiStaticCall, jsiiStaticGet, jsiiStaticGet, jsiiStaticSet, jsiiStaticSet
      • Methods inherited from interface software.amazon.jsii.JsiiSerializable

        $jsii$toJson
    • Constructor Detail

      • GitHubActionRole

        protected GitHubActionRole(software.amazon.jsii.JsiiObjectRef objRef)
      • GitHubActionRole

        protected GitHubActionRole(software.amazon.jsii.JsiiObject.InitializationMode initializationMode)
      • GitHubActionRole

        @Stability(Stable)
        public GitHubActionRole(@NotNull software.constructs.Construct scope,
                                @NotNull String id,
                                @NotNull GitHubActionRoleProps props)
        Parameters:
        scope - This parameter is required.
        id - This parameter is required.
        props - This parameter is required.
    • Method Detail

      • existingGitHubActionsProvider

        @Stability(Stable)
        @NotNull
        public static software.amazon.awscdk.services.iam.IOpenIdConnectProvider existingGitHubActionsProvider(@NotNull software.constructs.Construct scope)
        Reference an existing GitHub Actions provider.

        You do not need to pass in an ARN, because the ARN of such a provider is always the same.

        Parameters:
        scope - This parameter is required.
      • getRole

        @Stability(Stable)
        @NotNull
        public software.amazon.awscdk.services.iam.IRole getRole()
        The role that gets created.

        You should use the ARN of this role as input to the gitHubActionRoleArn property in your GitHub Workflow app.