How to Authenticate to Amazon EKS via OIDC in GitHub Actions
GitHub OIDC lets a workflow assume an IAM role with no stored AWS keys, after which aws eks update-kubeconfig writes cluster credentials.
Grant the job id-token: write, assume your IAM role with aws-actions/configure-aws-credentials, then run aws eks update-kubeconfig to wire kubectl to the cluster.
Steps
- Create an IAM OIDC provider for
token.actions.githubusercontent.comand a role trusting your repo. - Add
permissions: id-token: writeto the job. - Assume the role with
configure-aws-credentialsandrole-to-assume. - Run
aws eks update-kubeconfig --name <cluster> --region <region>.
Workflow
.github/workflows/deploy.yml
permissions:
id-token: write
contents: read
jobs:
deploy:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: aws-actions/configure-aws-credentials@v4
with:
role-to-assume: arn:aws:iam::111122223333:role/gha-eks-deploy
aws-region: us-east-1
- run: aws eks update-kubeconfig --name prod --region us-east-1
- run: kubectl get nodes
- run: kubectl apply -f k8s/Gotchas
- The IAM principal must also map to a Kubernetes group via an access entry or the aws-auth ConfigMap.
- Scope the trust policy to
repo:org/name:ref:refs/heads/mainso only main can assume the role.
Related guides
How to Authenticate to GKE via Workload Identity Federation in GitHub ActionsAuthenticate to Google Kubernetes Engine from GitHub Actions keylessly with Workload Identity Federation, the…
How to Authenticate to Azure AKS in GitHub ActionsAuthenticate to an Azure Kubernetes Service cluster from GitHub Actions with azure/login via OIDC, then pull…