
Decide on IAM Roles for GitHub Action Runners

Problem

For GitHub Actions runners to access AWS resources, they need to assume an IAM role. The trust relationship (assume-role policy) of that role depends on how the runners are hosted:

  • GitHub-hosted Runners: Need to trust GitHub's OIDC Provider (federated `sts:AssumeRoleWithWebIdentity`, with conditions pinning the token's audience and subject)

  • Self-hosted Runners on EKS: Need to trust the EKS cluster's OIDC Provider (See: IRSA)

  • Self-hosted Runners on EC2: Need to have an Instance Profile (the role trusts the EC2 service)

Regardless of the trust relationship, the IAM roles themselves (and the permissions they grant) still need to be defined. GitHub Action Workflows regularly use third-party actions. Those actions execute on the runner and inherit whatever access the runner has: on self-hosted runners that includes VPC connectivity, and on every runner it includes the IAM permissions of the assumed role. Any permission granted to a runner role is therefore effectively granted to every third-party action the workflow pulls in, which is the main argument for keeping these roles narrow and separate.
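As an added illustration (example code written for this page, not a Cloud Posse module), the following Python builds the trust policy for each of the three hosting models above and audits the GitHub OIDC variant for the common mistake of trusting the provider without pinning the `sub` claim: a GitHub OIDC trust policy with only an `aud` condition can be assumed by a workflow in any GitHub repository. The account ID, org/repo names, Kubernetes namespace and EKS issuer URL are placeholders.

```python
"""Trust policies for the three runner hosting models, plus an audit for the
GitHub OIDC variant. Example code for this ADR; all identifiers are
constructed placeholders, not real accounts or clusters."""
import json

GITHUB_OIDC_HOST = "token.actions.githubusercontent.com"


def github_oidc_trust_policy(account_id: str, org: str, repo: str,
                             ref: str = "refs/heads/main") -> dict:
    """GitHub-hosted runners: trust GitHub's OIDC provider and pin both the
    audience and the subject (repo + ref) so only that workflow can assume."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated":
                          f"arn:aws:iam::{account_id}:oidc-provider/{GITHUB_OIDC_HOST}"},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "StringEquals": {f"{GITHUB_OIDC_HOST}:aud": "sts.amazonaws.com"},
                "StringLike": {f"{GITHUB_OIDC_HOST}:sub": f"repo:{org}/{repo}:ref:{ref}"},
            },
        }],
    }


def eks_irsa_trust_policy(account_id: str, oidc_issuer: str,
                          namespace: str, service_account: str) -> dict:
    """Self-hosted runners on EKS (IRSA): trust the cluster's OIDC provider
    and pin the Kubernetes service account the runner pods run as."""
    host = oidc_issuer.removeprefix("https://")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": f"arn:aws:iam::{account_id}:oidc-provider/{host}"},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {"StringEquals": {
                f"{host}:aud": "sts.amazonaws.com",
                f"{host}:sub": f"system:serviceaccount:{namespace}:{service_account}",
            }},
        }],
    }


def ec2_instance_profile_trust_policy() -> dict:
    """Self-hosted runners on EC2: the EC2 service assumes the role on behalf
    of the instance through its instance profile."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": "ec2.amazonaws.com"},
            "Action": "sts:AssumeRole",
        }],
    }


def audit_github_oidc_trust(policy: dict) -> list[str]:
    """Return findings for statements that trust the GitHub OIDC provider.
    Missing `aud`/`sub` conditions, or a `sub` that does not name a
    repository, widen the trust to every GitHub repository."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if GITHUB_OIDC_HOST not in stmt.get("Principal", {}).get("Federated", ""):
            continue  # not a GitHub OIDC statement (EC2/IRSA trust is out of scope here)
        cond = stmt.get("Condition", {})
        keys = {k for block in cond.values() for k in block}
        if f"{GITHUB_OIDC_HOST}:aud" not in keys:
            findings.append(f"statement {i}: no aud condition")
        sub_vals = []
        for block in cond.values():
            v = block.get(f"{GITHUB_OIDC_HOST}:sub")
            if v is not None:
                sub_vals.extend(v if isinstance(v, list) else [v])
        if not sub_vals:
            findings.append(f"statement {i}: no sub condition; any GitHub repo can assume this role")
        elif any(v == "*" or v.startswith("repo:*") for v in sub_vals):
            findings.append(f"statement {i}: sub wildcard does not pin the repository")
    return findings


if __name__ == "__main__":
    # Placeholder account, org and repo; prints the pinned GitHub OIDC trust policy.
    policy = github_oidc_trust_policy("123456789012", "example-org", "infra")
    print(json.dumps(policy, indent=2))
    print("findings:", audit_github_oidc_trust(policy))
```

The `sub` pattern is deliberately the narrowest useful one (a single repo and branch); widening it to `repo:example-org/*` is a legitimate choice for an org-wide read-only role such as ECR pull, but `repo:*` or a missing `sub` is never acceptable. The EC2 and IRSA policies carry no GitHub claim conditions because their trust is scoped by the instance profile and the Kubernetes service account respectively.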

Considered Options

Some possible configurations (and combinations thereof) include:

  • A Runner without any IAM roles (e.g. for unit tests in a CI pipeline).

  • A Runner with access to the dev and/or sandbox accounts (e.g. for integration tests).

  • A Runner with access to ECR in the artifacts account.

  • A Runner with access to S3 buckets in SDLC accounts, with those S3 buckets allowing the runner's role via an S3 bucket policy (cross-account access requires both the role's identity policy and the bucket policy to allow it).

  • A Runner with access to EKS (e.g. if ArgoCD is not used and push-based deployments are required).