Metadata-Version: 2.1
Name: pahud-cdk-github-oidc
Version: 0.0.12
Summary: CDK construct library for Github OpenID Connect Identity Provider
Home-page: https://github.com/pahud/cdk-github-oidc.git
Author: Pahud Hsieh<pahudnet@gmail.com>
License: Apache-2.0
Project-URL: Source, https://github.com/pahud/cdk-github-oidc.git
Platform: UNKNOWN
Classifier: Intended Audience :: Developers
Classifier: Operating System :: OS Independent
Classifier: Programming Language :: JavaScript
Classifier: Programming Language :: Python :: 3 :: Only
Classifier: Programming Language :: Python :: 3.6
Classifier: Programming Language :: Python :: 3.7
Classifier: Programming Language :: Python :: 3.8
Classifier: Programming Language :: Python :: 3.9
Classifier: Typing :: Typed
Classifier: Development Status :: 5 - Production/Stable
Classifier: License :: OSI Approved
Requires-Python: >=3.6
Description-Content-Type: text/markdown
License-File: LICENSE

[![npm version](https://badge.fury.io/js/@pahud%2Fcdk-github-oidc.svg)](https://badge.fury.io/js/@pahud%2Fcdk-github-oidc)
[![PyPI version](https://badge.fury.io/py/pahud-cdk-github-oidc.svg)](https://badge.fury.io/py/pahud-cdk-github-oidc)
[![release](https://github.com/pahud/cdk-github-oidc/actions/workflows/release.yml/badge.svg)](https://github.com/pahud/cdk-github-oidc/actions/workflows/release.yml)

![cdk-constructs: Experimental](https://img.shields.io/badge/cdk--constructs-experimental-important.svg?style=for-the-badge)

# cdk-github-oidc

Inspired by [aripalo/aws-cdk-github-oidc](https://github.com/aripalo/aws-cdk-github-oidc), this construct library lets you create the `GitHub OpenID Connect Identity Provider` trust relationship with the `Provider` construct, as well as federated IAM roles that can be assumed only by one or more specific GitHub repositories.

This construct is still in the `experimental` stage and may have breaking changes. However, we aim to keep this library as simple as possible.

## Sample

```python
from pahud.cdk_github_oidc import Provider

# `stack` is an existing aws_cdk Stack in which the provider and role are created

# create a new provider
provider = Provider(stack, "GithubOpenIdConnectProvider")
# create an IAM role from this provider; each entry names one repository
# whose workflows may assume the role (jsii accepts plain dicts for struct parameters)
provider.create_role("demo-role", [
    {"owner": "octo-org", "repo": "first-repo"},
    {"owner": "octo-org", "repo": "second-repo"},
    {"owner": "octo-org", "repo": "third-repo"},
])
```
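What `create_role` sets up on the AWS side is a role trust policy whose conditions pin the token's `aud` claim to `sts.amazonaws.com` and its `sub` claim to the listed repositories. The following is an added example, not code from this library: it builds that trust policy from the same owner/repo list as above and then evaluates constructed token claims against it the way STS does, so you can see which workflows a given repository list admits. The `filter` key (the tail of the `sub` claim, e.g. a branch ref), the `token_allowed` checker, the account id in the provider ARN and the sample claims are all this example's own assumptions; the claim names and values follow GitHub's documentation for AWS.

```python
import json
import re

# IAM condition keys for this provider are "<issuer host>:<claim>".
GITHUB_OIDC_HOST = "token.actions.githubusercontent.com"
AWS_AUDIENCE = "sts.amazonaws.com"


def build_trust_policy(provider_arn, repos):
    """Return the trust policy for a role that only the listed repositories may assume.

    `repos` is a list of dicts with `owner`, `repo` and an optional `filter` (assumed
    name): the tail of the `sub` claim after the repository. It defaults to "*", which
    admits every branch, tag, environment and pull request of that repository.
    """
    subs = [f"repo:{r['owner']}/{r['repo']}:{r.get('filter', '*')}" for r in repos]
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": provider_arn},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                # the token must have been requested for AWS, not for another relying party
                "StringEquals": {f"{GITHUB_OIDC_HOST}:aud": AWS_AUDIENCE},
                # and must have been issued to a workflow of one of our repositories
                "StringLike": {f"{GITHUB_OIDC_HOST}:sub": subs},
            },
        }],
    }


def _like(pattern, value):
    """IAM StringLike: case-sensitive, `*` matches any run of characters, `?` exactly one."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value) is not None


def _as_list(v):
    return v if isinstance(v, list) else [v]


def token_allowed(policy, claims):
    """Evaluate the policy's Condition blocks against token claims as STS would.

    Every condition key must hold (AND across keys); a key listing several values
    is satisfied by any one of them (OR within a key).
    """
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or stmt["Action"] != "sts:AssumeRoleWithWebIdentity":
            continue
        cond = stmt.get("Condition", {})
        ok = True
        for key, values in cond.get("StringEquals", {}).items():
            ok = ok and claims.get(key.split(":", 1)[1]) in _as_list(values)
        for key, patterns in cond.get("StringLike", {}).items():
            claim = claims.get(key.split(":", 1)[1], "")
            ok = ok and any(_like(p, claim) for p in _as_list(patterns))
        if ok:
            return True
    return False


# Constructed sample claims in the shape GitHub's OIDC token carries (not real tokens).
MAIN_BRANCH_TOKEN = {
    "iss": f"https://{GITHUB_OIDC_HOST}",
    "aud": AWS_AUDIENCE,
    "sub": "repo:octo-org/first-repo:ref:refs/heads/main",
    "repository": "octo-org/first-repo",
}
PULL_REQUEST_TOKEN = {**MAIN_BRANCH_TOKEN, "sub": "repo:octo-org/first-repo:pull_request"}
OTHER_REPO_TOKEN = {**MAIN_BRANCH_TOKEN, "sub": "repo:octo-org/other-repo:ref:refs/heads/main",
                    "repository": "octo-org/other-repo"}
WRONG_AUDIENCE_TOKEN = {**MAIN_BRANCH_TOKEN, "aud": "https://github.com/octo-org"}

# assumed account id; the provider ARN is derived from the issuer host
PROVIDER_ARN = f"arn:aws:iam::123456789012:oidc-provider/{GITHUB_OIDC_HOST}"

# the shape of `demo-role` above: any ref or pull request of the three repositories
ANY_REF_POLICY = build_trust_policy(PROVIDER_ARN, [
    {"owner": "octo-org", "repo": "first-repo"},
    {"owner": "octo-org", "repo": "second-repo"},
    {"owner": "octo-org", "repo": "third-repo"},
])
# tightened: only workflows running on first-repo's main branch may assume the role
MAIN_ONLY_POLICY = build_trust_policy(PROVIDER_ARN, [
    {"owner": "octo-org", "repo": "first-repo", "filter": "ref:refs/heads/main"},
])

if __name__ == "__main__":
    print(json.dumps(ANY_REF_POLICY, indent=2))
    for name, tok in [("main branch", MAIN_BRANCH_TOKEN), ("pull request", PULL_REQUEST_TOKEN),
                      ("other repo", OTHER_REPO_TOKEN), ("wrong audience", WRONG_AUDIENCE_TOKEN)]:
        print(f"{name:15} any-ref={token_allowed(ANY_REF_POLICY, tok)} "
              f"main-only={token_allowed(MAIN_ONLY_POLICY, tok)}")
```

The point to take from the evaluation is the difference between the two policies: with the default `*` filter, a workflow triggered by a pull request against `first-repo` can assume the role just as a push to `main` can, so a role that deploys to production should be created with a branch-specific filter (or a separate role per environment) rather than the whole repository.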

## Import the provider

An AWS account can hold only one IAM OIDC identity provider per issuer URL, so only one for `token.actions.githubusercontent.com`; creating a second one fails with an `EntityAlreadyExists` error. To reuse the existing one, import it with `Provider.fromAccount()` (`Provider.from_account()` in Python):

```python
from pahud.cdk_github_oidc import Provider

# `stack` is an existing aws_cdk Stack

# import the provider that already exists in this account
provider = Provider.from_account(stack, "GithubOpenIdConnectProvider")
# create an IAM role from the imported provider, with the same arguments as in the Sample above
provider.create_role(...)
```

## Workflow sample

```yaml
name: demo
on:
  workflow_dispatch: {}
jobs:
  deploy:
    name: Upload to Amazon S3
    runs-on: ubuntu-latest
    env:
      AWS_REGION: us-east-1
    permissions:
      id-token: write # needed to interact with GitHub's OIDC Token endpoint.
      contents: read
    steps:
    - name: Checkout
      uses: actions/checkout@v2

    - name: Configure AWS credentials
      # pin the action to a release tag (or a commit SHA) rather than a moving branch such as master
      uses: aws-actions/configure-aws-credentials@v1
      with:
        role-to-assume: ${{ secrets.AWS_ROLE_ARN_TO_ASSUME }}
        aws-region: ${{ env.AWS_REGION }}

    - name: Sync files to S3
      run: |
        aws s3 sync ./ s3://${{ secrets.AWS_BUCKET }}
```

## Projects using this library

* [pahud/gitpod-workspace](https://github.com/pahud/gitpod-workspace)
* [pahud/github-codespace](https://github.com/pahud/github-codespace)
* [pahud/vscode](https://github.com/pahud/vscode)

## Reference

* [Configuring OpenID Connect in Amazon Web Services](https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services) from GitHub Docs
* [aripalo/aws-cdk-github-oidc](https://github.com/aripalo/aws-cdk-github-oidc) by [Ari Palo](https://github.com/aripalo)