AWS
This activity demonstrates how to create a CI/CD pipeline that will copy a GitHub repo to an S3 bucket whenever you run git push origin main. Once the code is moved to an S3 bucket you could build a pipeline in AWS to deploy it in many ways. The optional steps in the activity demonstrate how to publish the S3 bucket as a static website.
Set up a Repo
Create a GitHub repo and put a very simple index.html file in it.
Create an S3 Bucket
- Create a bucket
Optional - Configure the Bucket for Static Website Hosting
If you want to host a static website from an S3 bucket, you need to uncheck the box to Block All Public Access (you can do this when creating the bucket, or by going to the bucket properties tab).
- If you block all public access, that setting overrides any bucket policy that you assign to the bucket.
- If you uncheck the box to Block All Public Access, the bucket still remains private, so if you want to use it to serve a website you need to create a bucket policy that allows read access to the public:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Allow Public Read",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::BUCKET-NAME-GOES-HERE/*"
    }
  ]
}
To serve a website from the bucket:
- Go to the bucket properties
- Scroll down to the Static Website Hosting section and click Edit
- Select Enable
- Set the Index Document to index.html
- Then you can get the URL for it by looking at the Bucket Website Endpoint
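As an added example (not part of the original activity), the Python script below renders the public-read bucket policy above for a given bucket name and then audits it the way a reviewer would before pasting it into the bucket policy editor: the anonymous principal may only GetObject, and only on the objects of that one bucket. The bucket name is the same placeholder the activity uses; the audit rules and the helper names are this example's own.

```python
import json

# Placeholder bucket name (constructed); replace with your own bucket.
BUCKET = "BUCKET-NAME-GOES-HERE"


def public_read_policy(bucket):
    """Bucket policy from the walkthrough: anonymous read of objects only."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "Allow Public Read",
                "Effect": "Allow",
                "Principal": "*",
                "Action": "s3:GetObject",
                "Resource": f"arn:aws:s3:::{bucket}/*",
            }
        ],
    }


def _as_list(value):
    """IAM allows Action/Resource to be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def audit_public_policy(policy, bucket):
    """Return findings for any Allow statement that grants the public more than
    the static-website case needs. An empty list means the policy is as tight as
    the walkthrough's: GetObject only, on this bucket's objects only."""
    findings = []
    allowed_resource = f"arn:aws:s3:::{bucket}/*"
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if stmt.get("Principal") not in ("*", {"AWS": "*"}):
            continue  # not an anonymous grant, out of scope for this check
        for action in _as_list(stmt.get("Action", [])):
            if action != "s3:GetObject":
                findings.append(f"public principal allowed {action}")
        for resource in _as_list(stmt.get("Resource", [])):
            if resource != allowed_resource:
                findings.append(
                    f"public grant covers {resource}, expected {allowed_resource}"
                )
    return findings


if __name__ == "__main__":
    policy = public_read_policy(BUCKET)
    print(json.dumps(policy, indent=2))  # paste this into the bucket policy editor
    print("findings:", audit_public_policy(policy, BUCKET))
```

Run it once with your real bucket name; an empty findings list means the policy grants exactly what the static website needs and nothing more. Remember that Block All Public Access must be unchecked for this policy to take effect at all.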
Create an Identity Provider
An Identity Provider lets an external system handle authentication while AWS trusts the result. In this case we'll tell AWS to trust GitHub.
- Go to the IAM dashboard
- Click on Identity Providers in the left nav
- Click Add Provider
- Select OpenID Connect
- For the Provider URL, enter https://token.actions.githubusercontent.com
- For the Audience, enter sts.amazonaws.com
- Click Add Provider
Create an IAM Role for GitHub Actions
- In the IAM dashboard, click Roles (in the left nav)
- Click Create Role
- Select Web Identity
- For the Provider, select the provider you created in the previous step (token.actions.githubusercontent.com)
- For the Audience, select sts.amazonaws.com
- For the GitHub Organization, enter your GitHub username
- Optional - for the GitHub Repository you can enter the name of your repo, which restricts the role so that only workflows from that repo can assume it
- Click Next
- You could add a managed policy such as AmazonS3FullAccess, but it is better to create a custom policy that allows only the permissions needed (do this after the role is created)
- Enter a role name (like GitHubAccessRole)
- Click Create Role
- In the Permissions tab of the new role, click the Add Permissions drop down and choose Create Inline Policy
- For the Service, select S3
- Click the JSON button (to add a JSON policy)
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket"
      ],
      "Resource": "arn:aws:s3:::BUCKET-NAME-GOES-HERE"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:GetObject",
        "s3:DeleteObject"
      ],
      "Resource": "arn:aws:s3:::BUCKET-NAME-GOES-HERE/*"
    }
  ]
}
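The console builds the role's trust policy for you from the provider, audience and GitHub organization/repository you entered; the permissions policy is the inline JSON above. As an added example (not the activity's own code), the Python script below produces both documents for a given account id, GitHub owner and repository, and audits the trust policy for the two conditions that actually decide who can assume the role: the audience must be sts.amazonaws.com and the subject must name your repository rather than matching every repository the owner has. The account id, owner and repository names are constructed placeholders, and the audit function and its messages are this example's own.

```python
import json

OIDC_HOST = "token.actions.githubusercontent.com"

# Constructed placeholders (not real values); replace with your own.
ACCOUNT_ID = "123456789012"
GITHUB_OWNER = "your-github-username"
GITHUB_REPO = "your-repo"
BUCKET = "BUCKET-NAME-GOES-HERE"


def github_oidc_trust_policy(account_id, owner, repo=None):
    """Trust policy for a role assumed via AssumeRoleWithWebIdentity from the
    GitHub OIDC provider. The sub condition is the scope: with a repo it is
    repo:OWNER/REPO:*, without one it is repo:OWNER/* (every repo of that owner)."""
    sub_pattern = f"repo:{owner}/{repo}:*" if repo else f"repo:{owner}/*"
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {
                "Federated": f"arn:aws:iam::{account_id}:oidc-provider/{OIDC_HOST}"
            },
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "StringEquals": {f"{OIDC_HOST}:aud": "sts.amazonaws.com"},
                "StringLike": {f"{OIDC_HOST}:sub": sub_pattern},
            },
        }],
    }


def s3_deploy_policy(bucket):
    """Least-privilege inline policy from the walkthrough: list one bucket,
    read/write/delete objects inside it, nothing else."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": ["s3:ListBucket"],
             "Resource": f"arn:aws:s3:::{bucket}"},
            {"Effect": "Allow",
             "Action": ["s3:PutObject", "s3:GetObject", "s3:DeleteObject"],
             "Resource": f"arn:aws:s3:::{bucket}/*"},
        ],
    }


def audit_trust_policy(policy, owner, repo):
    """Return findings (empty = OK) for a trust policy that should only be
    assumable by workflows of owner/repo."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Action") != "sts:AssumeRoleWithWebIdentity":
            continue
        cond = stmt.get("Condition", {})
        aud = cond.get("StringEquals", {}).get(f"{OIDC_HOST}:aud")
        if aud != "sts.amazonaws.com":
            findings.append("aud condition missing or not sts.amazonaws.com")
        # sub may be written with StringLike (wildcards) or StringEquals (exact).
        sub = (cond.get("StringLike", {}).get(f"{OIDC_HOST}:sub")
               or cond.get("StringEquals", {}).get(f"{OIDC_HOST}:sub"))
        if sub is None:
            findings.append("no sub condition: any GitHub workflow could assume this role")
        elif not sub.startswith(f"repo:{owner}/{repo}:"):
            findings.append(f"sub {sub!r} is wider than repo:{owner}/{repo}")
    return findings


if __name__ == "__main__":
    trust = github_oidc_trust_policy(ACCOUNT_ID, GITHUB_OWNER, GITHUB_REPO)
    print(json.dumps(trust, indent=2))               # Trust relationships tab
    print(json.dumps(s3_deploy_policy(BUCKET), indent=2))  # inline permissions policy
    print("findings:", audit_trust_policy(trust, GITHUB_OWNER, GITHUB_REPO))
```

Open the role's Trust relationships tab after creating it and compare it with what this script prints: if the sub condition ends in `/*` rather than naming your repository, the optional GitHub Repository field was left blank and any repository under that owner can assume the role.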
Add a deploy.yml to the repository
- Create a .github folder in the repository folder
- Create a workflows folder in the .github folder
- Create a deploy.yml file in the workflows folder
- Put this in the deploy.yml file, then edit it to:
  - Set the ARN of the role
  - Set the region
  - Set the bucket name
name: Deploy to S3

on:
  push:
    branches:
      - main   # use master here if that is your default branch

permissions:
  id-token: write   # Required for OIDC
  contents: read

jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@v4
        with:
          # SET THIS TO THE ARN OF THE ROLE:
          role-to-assume: PUT THE ARN OF YOUR GITHUB ROLE HERE
          # MAKE SURE THE REGION IS CORRECT:
          aws-region: us-east-2

      # USE YOUR BUCKET NAME (below)
      # Note: sync uploads everything in the checkout, including .github/,
      # unless you add further --exclude patterns.
      - name: Sync to S3
        run: |
          aws s3 sync . s3://BUCKET-NAME-GOES-HERE/ --exclude ".git/*"