如何使用 github 操作 OIDC 功能在 github 操作中使用无服务器框架

【问题标题】:How to use serverless framework in github actions using github actions OIDC feature如何使用 github 操作 OIDC 功能在 github 操作中使用无服务器框架
【发布时间】:2021-11-26 09:56:33
【问题描述】:

我关注了这个问题How can I connect GitHub actions with AWS deployments without using a secret key?

但是我试图通过使用无服务器部署 lambda 函数更进一步。

到目前为止我已经尝试过什么。

name: For Production

on:
  push:
    branches: [main]
jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      id-token: write
      contents: read

    strategy:
      matrix:
        node-version: [16.x]
        # See supported Node.js release schedule at https://nodejs.org/en/about/releases/

    steps:
      - uses: actions/checkout@v2
      - name: Use Node.js ${{ matrix.node-version }}
        uses: actions/setup-node@v2
        with:
          node-version: ${{ matrix.node-version }}
          cache: 'npm'
          cache-dependency-path: ./backend-operations/package-lock.json
      - name: Create env file
        run: |
          touch ./backend-operations/.env
          echo JWKS_URI=${{secrets.JWKS_URI}} >> ./backend-operations/.env
          echo AUDIENCE=${{ secrets.AUDIENCE }} >> ./backend-operations/.env
          echo TOKEN_ISSUER=${{ secrets.TOKEN_ISSUER }} >> ./backend-operations/.env
      - run: npm ci
        working-directory: ./backend-operations
      - run: npm run build --if-present
        working-directory: ./backend-operations
      - run: npm test
        working-directory: ./backend-operations
      - name: Install Serverless Framework
        run: npm install -g serverless
      - name: Configure AWS
        run: |
          sleep 5 # Need to have a delay to acquire this
          export AWS_ROLE_ARN=arn:aws:iam::xxxxxxx:role/my-role
          export AWS_WEB_IDENTITY_TOKEN_FILE=/tmp/awscreds
          export AWS_DEFAULT_REGION=ap-southeast-1

          echo AWS_WEB_IDENTITY_TOKEN_FILE=$AWS_WEB_IDENTITY_TOKEN_FILE >> $GITHUB_ENV
          echo AWS_ROLE_ARN=$AWS_ROLE_ARN >> $GITHUB_ENV
          echo AWS_DEFAULT_REGION=$AWS_DEFAULT_REGION >> $GITHUB_ENV

          curl -H "Authorization: bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" \
            "$ACTIONS_ID_TOKEN_REQUEST_URL&audience=githubactions" \
            | jq -r '.value' > $AWS_WEB_IDENTITY_TOKEN_FILE
            
          sls deploy --stage prod --verbose
        working-directory: './backend-operations'
      
      # - name: Deploy to AWS
      #   run: serverless deploy --stage prod --verbose
      #   working-directory: './backend-operations'
      - name: Upload coverage to Codecov
        uses: codecov/codecov-action@v1
        with:
          token: ${{secrets.CODECOV_SECRET_TOKEN}}

【问题讨论】:

  • 看看卷曲的结果是什么;可能有错误。
  • 我已经添加了一个答案,github OIDC 的令牌端点也发生了变化,你介意在你的堆栈帖子中更新吗?\

标签: amazon-web-services github-actions serverless-framework


【解决方案1】:

我使用aws-actions/configure-aws-credentials github 操作解决了这个问题,因为它将临时访问密钥和 id 设置为环境。 因此,无需从这里创建 aws programmticv 密钥。

注意:- github OIDC 最新更新已更改域名-> https://token.actions.githubusercontent.com

# This workflow will do a clean install of node dependencies, cache/restore them, build the source code and run tests across different versions of node
# For more information see: https://help.github.com/actions/language-and-framework-guides/using-nodejs-with-github-actions

name: Production-Deployment

on:
  push:
    branches: [main]
jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      id-token: write
      contents: read

    strategy:
      matrix:
        node-version: [16.x]
        # See supported Node.js release schedule at https://nodejs.org/en/about/releases/

    steps:
      - uses: actions/checkout@v2
      - name: Use Node.js ${{ matrix.node-version }}
        uses: actions/setup-node@v2
        with:
          node-version: ${{ matrix.node-version }}
          cache: 'npm'
          cache-dependency-path: ./backend-operations/package-lock.json
      - name: Create env file
        run: |
          touch ./backend-operations/.env
          echo JWKS_URI=${{secrets.JWKS_URI}} >> ./backend-operations/.env
          echo AUDIENCE=${{ secrets.AUDIENCE }} >> ./backend-operations/.env
          echo TOKEN_ISSUER=${{ secrets.TOKEN_ISSUER }} >> ./backend-operations/.env
      - name: Configure AWS Credentials
        uses: aws-actions/configure-aws-credentials@master
        with:
          aws-region: ap-southeast-1
          role-to-assume: ${{secrets.ROLE_ARN}}
      - run: npm ci
        working-directory: ./backend-operations
      - run: npm run build --if-present
        working-directory: ./backend-operations
      - run: npm test
        working-directory: ./backend-operations
      - name: Install Serverless Framework
        run: npm install -g serverless
      - name: Serverless Authentication
        run: sls config credentials --provider aws --key ${{ env.AWS_ACCESS_KEY_ID }} --secret ${{ env.AWS_SECRET_ACCESS_KEY }}
      - name: Deploy to AWS
        run: serverless deploy --stage prod --verbose
        working-directory: './backend-operations'
      - name: Upload coverage to Codecov
        uses: codecov/codecov-action@v1
        with:
          token: ${{secrets.CODECOV_SECRET_TOKEN}}

【讨论】:

    猜你喜欢
    • 2023-02-14
    • 2021-09-22
    • 2020-11-18
    • 1970-01-01
    • 1970-01-01
    • 2020-06-14
    • 2021-12-20
    • 2020-10-10
    • 2020-06-03
    相关资源
    最近更新 更多
    热门标签
    Java Python linux javascript Mysql C# Docker 算法 前端 SpringBoot Redis Vue spring 设计模式 .net core .net kubernetes c++ 数据库 数据结构 大数据 js 机器学习 微服务 Android Go 程序员 面试 JVM ASP.net core 云原生 人工智能 后端 PHP git CSS golang k8s Nginx Django mybatis 深度学习 多线程 React 架构 devops 爬虫 云计算 Spring Boot LeetCode