How to connect Github to AWS.

Options:

  1. Create Access Keys under the root user and add them to the CI/CD as plain text.
  2. Option 1 but use Github Secrets instead of plain text.
  3. Create an IAM user and add Access Keys and add them to the CI/CD as plain text.
  4. Option 3 but use Github Secrets instead of plain text.
  5. None of the above.


Option 5, with 100% certainty. Option 4 is the legacy approach: a long-lived access key is still a static credential, whether it sits in plain text or in a GitHub Secret. It can leak through a workflow log, a compromised runner or a misconfigured action, and it has to be rotated by hand.

Note: this is not specific to GitHub; the same approach works with GitLab CI and can be used from Terraform Cloud. It is not AWS specific either.


The answer lies with a more modern mechanism: OIDC (OpenID Connect). Each GitHub Actions job can request a short-lived, signed JWT from GitHub's token service, and AWS STS exchanges that token for temporary role credentials (sts:AssumeRoleWithWebIdentity). No long-lived key is ever created, so there is nothing to leak or rotate. More info on how the protocol works under the hood here.

You'll be forgiven for not knowing GitHub (under Microsoft) added this to Actions, as the announcement (late 2021) wasn't widely noticed.

Hypothetical Greenfield situation:

You have your first AWS Account, the CTO has given you the root credentials and you want to work with CI/CD from the early stages. You have Terraform established using your own IAM keys and plan to remove these ASAP. Your Github Organisation is called "wcorp".

Create an IAM role (any name; I use "ci") whose permissions policy grants only the specific services the pipeline needs. Import it into Terraform. You then need something along these lines in your Terraform code to register GitHub as an OIDC identity provider in the account:

resource "aws_iam_openid_connect_provider" "github" {
  # GitHub Actions' token issuer; this is the value of the token's iss claim.
  url = "https://token.actions.githubusercontent.com"

  # Audiences this provider accepts; the AWS credentials action requests
  # tokens with aud = sts.amazonaws.com.
  client_id_list = [
    "sts.amazonaws.com",
  ]

  # SHA-1 fingerprints of the CA certificate behind the issuer's TLS endpoint.
  thumbprint_list = [
    "3ea80e902fc385f36bc08193fbc678202d572994",
    "6938fd4d98bab03faadb97b34396831e3780aea1",
  ]
}

The thumbprint is the SHA-1 fingerprint of the certificate authority that issued the TLS certificate for token.actions.githubusercontent.com, so it changes when GitHub rotates its certificate chain (rarely) and the list may need updating occasionally. Since mid-2023 AWS also validates this provider against its own library of trusted root CAs, so a stale thumbprint should no longer break the federation, but keep the list current regardless. AWS document how to obtain the thumbprint for a provider in the IAM user guide.

Next you need to allow GitHub to assume this role. The role's trust (assume-role) policy should look a little like this:

data "aws_iam_policy_document" "assume_role_ci" {
  statement {
    sid = "Github"

    effect  = "Allow"
    actions = ["sts:AssumeRoleWithWebIdentity"]

    principals {
      identifiers = [aws_iam_openid_connect_provider.github.arn]
      type        = "Federated"
    }

    # Only accept tokens minted for STS. GitHub's default audience is the
    # repository owner URL, so a token requested for anything else is rejected.
    condition {
      test     = "StringEquals"
      variable = "token.actions.githubusercontent.com:aud"
      values   = ["sts.amazonaws.com"]
    }

    # Which repositories (and refs or environments) may assume the role.
    # The sub claim looks like repo:ORG/REPO:ref:refs/heads/BRANCH.
    condition {
      test     = "StringLike"
      variable = "token.actions.githubusercontent.com:sub"
      values = [
        "repo:wcorp/*:*",
      ]
    }
  }

  # Bootstrap and break-glass path: principals in this account, and the role
  # itself (role chaining), can assume it without a GitHub token.
  statement {
    effect  = "Allow"
    actions = ["sts:AssumeRole"]
    principals {
      identifiers = [
        "arn:aws:iam::$AWS_Account_ID:root",
        "arn:aws:iam::$AWS_Account_ID:role/ci"
      ]
      type = "AWS"
    }
  }
}

resource "aws_iam_role" "ci" {
  name               = "ci"
  assume_role_policy = data.aws_iam_policy_document.assume_role_ci.json
}

Obviously replace $AWS_Account_ID with your actual account ID (or read it from the aws_caller_identity data source rather than hard-coding it). Be careful with the sub pattern: "repo:wcorp/*:*" lets a workflow in any wcorp repository, on any branch, tag or pull request, assume the role, so anyone who can push to any repository in the organisation gets its AWS permissions. Something like "repo:*/*:*" would allow anyone with a GitHub account, because the provider trusts tokens from every repository on GitHub. The sub claim has the form repo:ORG/REPO:ref:refs/heads/BRANCH (or repo:ORG/REPO:environment:NAME, or repo:ORG/REPO:pull_request), so a production role should pin at least the repository and preferably the branch or environment, e.g. "repo:wcorp/infra:ref:refs/heads/main". Pin the aud claim as well (StringEquals on token.actions.githubusercontent.com:aud against sts.amazonaws.com) so that a token issued for another audience is refused. The second statement, which trusts the account root, means any IAM principal in the account with sts:AssumeRole permission can assume the role; that is convenient for bootstrapping and break-glass, but narrow it to named principals once the pipeline works.
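To see concretely which tokens a given sub pattern admits, here is an added example (not code from the original article) that replays the trust-policy checks offline: issuer, audience and IAM StringLike matching on sub. The tokens are constructed, unsigned samples, the organisation "wcorp", the repository "infra" and the hostile organisation "evil" are assumed names, and the JWT signature and expiry checks that STS performs against GitHub's JWKS are deliberately left out.

```python
"""Offline check of GitHub OIDC claims against an IAM trust policy's conditions.

Added example, not code from the original article. It mirrors the checks STS
applies on AssumeRoleWithWebIdentity (issuer, audience, sub pattern) so you can
see which `sub` values a pattern admits before deploying the trust policy.
Tokens here are constructed, unsigned samples; a real verifier also checks the
RS256 signature against GitHub's JWKS and the exp claim.
"""
import base64
import json
import re

GITHUB_ISSUER = "https://token.actions.githubusercontent.com"
STS_AUDIENCE = "sts.amazonaws.com"


def iam_string_like(pattern: str, value: str) -> bool:
    """IAM StringLike semantics: case-sensitive, '*' matches any run of
    characters (including none), '?' matches exactly one character."""
    regex = "".join(
        ".*" if ch == "*" else "." if ch == "?" else re.escape(ch) for ch in pattern
    )
    return re.fullmatch(regex, value) is not None


def make_token(sub: str, aud: str = STS_AUDIENCE, iss: str = GITHUB_ISSUER) -> str:
    """Build an unsigned JWT (alg=none, empty signature) carrying sample claims.
    Constructed for illustration only; GitHub's real tokens are RS256-signed."""
    def segment(obj: dict) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

    header = segment({"alg": "none", "typ": "JWT"})
    payload = segment({"iss": iss, "aud": aud, "sub": sub})
    return f"{header}.{payload}."


def decode_payload(token: str) -> dict:
    """Return the JWT payload (second segment) without verifying the signature."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def trust_policy_allows(claims: dict, sub_patterns: list) -> tuple:
    """Apply the trust policy: iss must be GitHub's provider, aud must be STS,
    and sub must match at least one StringLike pattern. Returns (allowed, reason)."""
    if claims.get("iss") != GITHUB_ISSUER:
        return False, f"issuer {claims.get('iss')!r} is not the GitHub provider"
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if STS_AUDIENCE not in audiences:
        # GitHub's default audience is the repository owner URL; only tokens
        # explicitly requested for STS should be accepted.
        return False, f"audience {aud!r} is not {STS_AUDIENCE!r}"
    sub = claims.get("sub", "")
    if not any(iam_string_like(p, sub) for p in sub_patterns):
        return False, f"sub {sub!r} matches none of {sub_patterns}"
    return True, "allowed"


# Trust-policy variants discussed in the article.
ORG_WIDE = ["repo:wcorp/*:*"]                       # any wcorp repo, any ref
PINNED = ["repo:wcorp/infra:ref:refs/heads/main"]   # one repo, one branch
WIDE_OPEN = ["repo:*/*:*"]                          # any GitHub account at all

# Constructed sample tokens: a main-branch job, a feature branch, a repo in a
# different (hostile) organisation, and a token minted for the wrong audience.
SAMPLE_TOKENS = {
    "infra main": make_token("repo:wcorp/infra:ref:refs/heads/main"),
    "infra feature branch": make_token("repo:wcorp/infra:ref:refs/heads/feature"),
    "other org": make_token("repo:evil/wcorp:ref:refs/heads/main"),
    "wrong aud": make_token("repo:wcorp/infra:ref:refs/heads/main",
                            aud="https://github.com/wcorp"),
}


def evaluate_all(sub_patterns: list) -> dict:
    """Map each sample token name to whether the trust policy would admit it."""
    return {name: trust_policy_allows(decode_payload(tok), sub_patterns)[0]
            for name, tok in SAMPLE_TOKENS.items()}


if __name__ == "__main__":
    for label, patterns in (("org-wide", ORG_WIDE), ("pinned", PINNED),
                            ("wide open", WIDE_OPEN)):
        print(f"{label:10} {patterns}")
        for name, allowed in evaluate_all(patterns).items():
            print(f"  {'ALLOW' if allowed else 'DENY ':5} {name}")
```

Run it and the three tables show the trade-off directly: the org-wide pattern admits the feature branch as well as main, the pinned pattern admits only main, and the wide-open pattern admits the token from the other organisation too. The wrong-audience token is refused under every pattern, which is exactly what the aud condition buys you.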

Test that the access works: a workflow with "permissions: id-token: write" that calls aws-actions/configure-aws-credentials with role-to-assume set to the role's ARN and then runs "aws sts get-caller-identity" should report the assumed-role ARN of "ci". Once it does, delete the IAM user access keys you bootstrapped Terraform with, so the only route from CI into the account is the OIDC trust.

More articles by Adam King:

  • Terraform and why you might think twice about CDK or Cloudformation.
  • Setting Up Multi-Region Active-Active with AWS Global Accelerator and Aurora Global Database
  • What AI services do AWS provide?
  • AWS Lambda Limits
  • AWS Lambda Invocations
  • What should be in your AWS Security Account? (Part 2)
  • What to do if you lose your EC2 Keys
  • The confusion of the DevOps Engineer role
  • It's time to change.
  • Thoughts on Mentoring