How to Deploy an AWS Lambda with SAM in GitHub Actions
SAM packages your Lambda and CloudFormation stack together; OIDC keeps AWS credentials out of your secrets entirely.
Assume an IAM role with aws-actions/configure-aws-credentials over OIDC, then run sam build and sam deploy --no-confirm-changeset.
Steps
- Create an IAM role trusting GitHub OIDC and store its ARN as
AWS_ROLE_ARN. - Add
permissions: id-token: writeso the runner can request the OIDC token. - Set up the SAM CLI and Python/Node toolchain.
- Run
sam buildthensam deploynon-interactively.
Workflow
.github/workflows/sam-deploy.yml
name: Deploy SAM
on:
push:
branches: [main]
permissions:
id-token: write
contents: read
jobs:
deploy:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: aws-actions/configure-aws-credentials@v4
with:
role-to-assume: ${{ secrets.AWS_ROLE_ARN }}
aws-region: us-east-1
- uses: aws-actions/setup-sam@v2
- run: sam build
- run: sam deploy --no-confirm-changeset --no-fail-on-empty-changesetNotes
- Use a stored
samconfig.tomlso the stack name and bucket are pinned, not re-prompted. - On Latchkey runners the deploy step runs cheaper and self-heals if the runner is interrupted.
Related guides
How to Deploy with the Serverless Framework in GitHub ActionsDeploy a Serverless Framework service to AWS from GitHub Actions per stage, authenticating with OIDC and sele…
How to Authenticate to AWS With OIDC in GitHub ActionsGet short-lived AWS credentials in GitHub Actions via OIDC and aws-actions/configure-aws-credentials, removin…