Skip to content
Latchkey

How to Deploy an AWS Lambda with SAM in GitHub Actions

SAM packages your Lambda and CloudFormation stack together; OIDC keeps AWS credentials out of your secrets entirely.

Assume an IAM role with aws-actions/configure-aws-credentials over OIDC, then run sam build and sam deploy --no-confirm-changeset.

Steps

  • Create an IAM role trusting GitHub OIDC and store its ARN as AWS_ROLE_ARN.
  • Add permissions: id-token: write so the runner can request the OIDC token.
  • Set up the SAM CLI and Python/Node toolchain.
  • Run sam build then sam deploy non-interactively.

Workflow

.github/workflows/sam-deploy.yml
name: Deploy SAM
on:
  push:
    branches: [main]
permissions:
  id-token: write
  contents: read
jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: ${{ secrets.AWS_ROLE_ARN }}
          aws-region: us-east-1
      - uses: aws-actions/setup-sam@v2
      - run: sam build
      - run: sam deploy --no-confirm-changeset --no-fail-on-empty-changeset

Notes

  • Use a stored samconfig.toml so the stack name and bucket are pinned, not re-prompted.
  • On Latchkey runners the deploy step runs cheaper and self-heals if the runner is interrupted.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →