March 27, 2022

GitHub OpenID with AWS CDK

by John Lukach

I have started using GitHub Actions to trigger a few workflows in my AWS environment, and I wanted to set up an OpenID Connect (OIDC) trust so that the workflows can assume a role instead of storing long-lived AWS credentials as secrets.

I did not see a Python example using the Amazon Web Services (AWS) Cloud Development Kit (CDK), so I wanted to share a code snippet that accomplishes this task. Remember to follow the practice of least privilege for any permissions you attach to this role.

from aws_cdk import aws_iam as _iam
# Inside a Stack's __init__: GitHub's OIDC issuer, with the audience that
# aws-actions/configure-aws-credentials requests.
provider = _iam.OpenIdConnectProvider(
    self, 'provider',
    url='https://token.actions.githubusercontent.com',
    client_ids=['sts.amazonaws.com'],
)

# Trust only tokens whose subject claim names this repository.
role = _iam.Role(
    self, 'role',
    assumed_by=_iam.WebIdentityPrincipal(
        provider.open_id_connect_provider_arn,
        conditions={
            'StringLike': {
                'token.actions.githubusercontent.com:sub': 'repo:organization/repository:*'
            }
        },
    ),
)
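To make the least-privilege point concrete, here is an added Python example (my own code, not from the post or the CDK project) that builds the trust-policy document a WebIdentityPrincipal with these conditions resolves to, then evaluates constructed sample GitHub token claims against the post's `repo:organization/repository:*` subject pattern and against a tighter pattern scoped to the main branch. The policy shape is assumed from the IAM trust-policy format rather than copied from `cdk synth` output, the example adds an audience (`aud`) condition that the post's snippet does not show, and the account id, claim samples and branch-scoped pattern are all constructed for the example. It goes beyond the post by showing what the wildcard admits (pull-request runs and every branch) that a branch-scoped subject does not.

```python
# Added example (not from the post): the trust policy the CDK snippet above
# produces, evaluated locally against sample GitHub OIDC token claims.
import re

# Standard GitHub Actions OIDC issuer host and the audience value that
# aws-actions/configure-aws-credentials requests by default.
GITHUB_OIDC_HOST = "token.actions.githubusercontent.com"
AWS_STS_AUDIENCE = "sts.amazonaws.com"


def build_trust_policy(account_id, sub_patterns):
    """Hand-written equivalent of the WebIdentityPrincipal trust policy
    (assumed shape; the authoritative document is what `cdk synth` emits)."""
    provider_arn = f"arn:aws:iam::{account_id}:oidc-provider/{GITHUB_OIDC_HOST}"
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": provider_arn},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "StringEquals": {f"{GITHUB_OIDC_HOST}:aud": AWS_STS_AUDIENCE},
                "StringLike": {f"{GITHUB_OIDC_HOST}:sub": list(sub_patterns)},
            },
        }],
    }


def string_like(pattern, value):
    """IAM StringLike semantics: '*' matches any run of characters, '?' exactly one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, value) is not None


def can_assume(policy, claims):
    """Decide whether a token with these (already signature-verified) claims
    satisfies the role's trust policy, mimicking STS condition evaluation."""
    if claims.get("iss") != f"https://{GITHUB_OIDC_HOST}":
        return False  # token was not issued by the trusted provider
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or stmt["Action"] != "sts:AssumeRoleWithWebIdentity":
            continue
        cond = stmt.get("Condition", {})
        # Condition keys look like "<issuer-host>:<claim>"; compare on the claim.
        ok = all(claims.get(key.split(":", 1)[1]) == expected
                 for key, expected in cond.get("StringEquals", {}).items())
        ok = ok and all(any(string_like(p, claims.get(key.split(":", 1)[1], ""))
                            for p in patterns)
                        for key, patterns in cond.get("StringLike", {}).items())
        if ok:
            return True
    return False


# Constructed sample claims in the shapes GitHub issues: the sub claim is
# repo:ORG/REPO:ref:refs/heads/BRANCH for pushes and repo:ORG/REPO:pull_request for PRs.
ISSUER = f"https://{GITHUB_OIDC_HOST}"
SAMPLE_CLAIMS = {
    "push_to_main": {"iss": ISSUER, "aud": AWS_STS_AUDIENCE,
                     "sub": "repo:organization/repository:ref:refs/heads/main"},
    "push_to_feature_branch": {"iss": ISSUER, "aud": AWS_STS_AUDIENCE,
                               "sub": "repo:organization/repository:ref:refs/heads/feature"},
    "pull_request": {"iss": ISSUER, "aud": AWS_STS_AUDIENCE,
                     "sub": "repo:organization/repository:pull_request"},
    "other_repository": {"iss": ISSUER, "aud": AWS_STS_AUDIENCE,
                         "sub": "repo:someone-else/repository:ref:refs/heads/main"},
    "wrong_audience": {"iss": ISSUER, "aud": "https://github.com/organization",
                       "sub": "repo:organization/repository:ref:refs/heads/main"},
}

ACCOUNT_ID = "123456789012"  # placeholder account id, not a real account
# The post's pattern (any workflow in the repository) beside a branch-scoped one.
WILDCARD_POLICY = build_trust_policy(ACCOUNT_ID, ["repo:organization/repository:*"])
MAIN_ONLY_POLICY = build_trust_policy(ACCOUNT_ID, ["repo:organization/repository:ref:refs/heads/main"])


def compare_policies():
    """Map each sample token to (allowed by wildcard policy, allowed by main-only policy)."""
    return {name: (can_assume(WILDCARD_POLICY, c), can_assume(MAIN_ONLY_POLICY, c))
            for name, c in SAMPLE_CLAIMS.items()}


if __name__ == "__main__":
    for name, (wild, main) in compare_policies().items():
        print(f"{name:24} wildcard={wild!s:5} main_only={main}")
```

Running it shows that the wildcard subject lets a pull-request workflow or any branch assume the role, while the branch-scoped subject admits only pushes to main; tokens for another repository or with the wrong audience fail under both. Pick the narrowest subject pattern your workflow needs, and treat this local check as a way to reason about a policy, not as a substitute for the real STS evaluation.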

Finally, here is how to assume the AWS role from a GitHub Actions workflow on a push event. The IAM role ARN is stored as a GitHub Secret so it is not disclosed in the workflow file.

name: AWS Authentication
on:
  push:
    branches: [ main ]
jobs:
  deploy:  # job name is illustrative
    runs-on: ubuntu-latest
    permissions:
      id-token: write  # lets the job request a GitHub OIDC token
      contents: read
    steps:
      - name: AWS Credentials
        uses: aws-actions/configure-aws-credentials@v1
        with:
          role-to-assume: ${{ secrets.AWS_ROLE_ARN }}  # secret name is a placeholder
          aws-region: us-east-2
