Decide on IAM Roles for GitHub Action Runners
Problem
In order for GitHub Actions runners to be able to access AWS resources, they need to be able to assume an IAM role. The trust relationship of this IAM role depends on how the Runners are hosted:
-
GitHub-hosted Runners: Need to GitHub's OIDC Provider
-
Self-hosted Runners on EKS: Need to use the EKS OIDC Provider (See: IRSA)
-
Self-hosted Runners on EC2: Need to have an Instance Profile
Regardless of the trust relationship, the IAM roles themselves need to be defined.GitHub Action Workflows regularly use third-party actions. These actions execute on the self-hosted runners and have whatever access the runners have, including VPC connectivity and IAM permissions.
Considered Options
Some possible configurations (and combinations thereof) include:
-
A Runner without any IAM roles (e.g. for unit tests in a CI pipeline).
-
A Runner with access to
dev
and/orsandbox
(e.g. for integration tests). -
A Runner with access to ECR in the
artifacts
account. -
A Runner with access to S3 buckets in SDLC accounts, and those S3 buckets allowing the role via an S3 bucket policy.
-
A Runner with access to EKS (e.g. if ArgoCD is not used and push-based deployments are required).