Skip to content
Latchkey

How to Deploy With AWS CDK in GitHub Actions

Install dependencies, then run cdk deploy --require-approval never so the pipeline applies changes without an interactive prompt.

After OIDC auth, run npx cdk deploy with --require-approval never so security-sensitive changes do not block the run. The target account/region must already be bootstrapped (cdk bootstrap).

Steps

  • Bootstrap the target environment once with cdk bootstrap (outside CI).
  • Install dependencies in the workflow.
  • Authenticate to AWS over OIDC.
  • Run npx cdk deploy --all --require-approval never.

Workflow

.github/workflows/deploy.yml
permissions:
  id-token: write
  contents: read
jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: '20'
      - run: npm ci
      - uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: arn:aws:iam::123456789012:role/gha-cdk-deploy
          aws-region: us-east-1
      - run: npx cdk deploy --all --require-approval never

Gotchas

  • A missing bootstrap stack fails with This stack uses assets, so the toolkit stack must be deployed.
  • The deploy role must be allowed to assume the CDK file-publishing and deploy roles created by bootstrap.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →