Setup
- download the AWS CLI
- create new IAM user
- gave permission: AmazonS3FullAccess
- get access key and secret key
- pick/create a bucket
- under bucket settings, uncheck "Block all public access" (it is checked by default)
- static website
- bucket → properties → enable static website hosting
In the project
- create new project with react + vite & npm install
- install aws sdk for javascript
- https://docs.aws.amazon.com/sdk-for-javascript/v3/developer-guide/welcome.html
- installing the sdk for javascript (the linked guide covers SDK v3, which ships as @aws-sdk/client-* packages; the aws-sdk package on npm is the older v2 bundle)
npm init -y
npm i @aws-sdk/client-s3
- configure aws cli
Important parts
setup CloudFront
- why?
- static website gets cached at many edge locations (servers around the world).
- automatic HTTPS
- makes your website load faster and safer, and protects it better, without any extra work on your side
Use IAM roles to connect GitHub Actions to actions in AWS
- docs, medium post
- removes the need for IAM user access keys
- configured a specific GitHub repo to assume an individual role in an AWS account to perform changes
- added custom policy to the role
AWS_SECRET_ACCESS_KEY
<REDACTED>
AWS_ACCESS_KEY_ID
<REDACTED>
IAM and OIDC
Identity Provider
- GitHub is acting as the identity provider.
- OIDC (OpenID Connect) is just the standard protocol GitHub uses to prove, “Hey, this request is really coming from GitHub Actions.”
- example
- GitHub → “I am GitHub, and this action is running for this repo and branch.”
- OIDC → The official language GitHub uses to say that.
- AWS → “Okay, because I trust GitHub (via OIDC), I’ll let this role be assumed.”
IAM Role
- A special IAM role (GitHubAction-AssumeRoleWithAction) that GitHub can “assume” to get temporary AWS permissions.
- Here, we attach a trust policy (under Trust Relationships): a special JSON document attached to an IAM Role
- defines who is allowed to assume (use) that IAM Role
Security best practice: No long-term AWS keys needed
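Added example, not from these notes or from the AWS/GitHub docs they link: a Python script that builds the two JSON documents the IAM Role section talks about, the trust policy (who may assume the role) and a permissions policy scoped to the one site bucket (the custom policy attached to the role, in place of AmazonS3FullAccess), plus a small reviewer check that flags a trust policy whose sub condition is missing or wildcarded. The account id, org, repo, branch and bucket name are placeholders, and the with_sub helper exists only to build weakened variants for the check; the condition keys token.actions.githubusercontent.com:aud / :sub and the sts.amazonaws.com audience are the standard ones for the GitHub OIDC provider.

```python
import copy
import json

# Assumed placeholder values for this example (not taken from the notes above).
AWS_ACCOUNT_ID = "123456789012"
GITHUB_ORG = "example-org"
GITHUB_REPO = "static-site"
DEPLOY_BRANCH = "main"
BUCKET = "example-static-site-bucket"

# Fixed identifiers of the GitHub OIDC provider and the STS audience it presents.
OIDC_PROVIDER = "token.actions.githubusercontent.com"
STS_AUDIENCE = "sts.amazonaws.com"
SUB_KEY = f"{OIDC_PROVIDER}:sub"
AUD_KEY = f"{OIDC_PROVIDER}:aud"


def trust_policy(account_id, org, repo, branch):
    """Trust policy for the role: only a workflow from this repo *and* branch,
    carrying the STS audience, may call AssumeRoleWithWebIdentity."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": f"arn:aws:iam::{account_id}:oidc-provider/{OIDC_PROVIDER}"},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {"StringEquals": {
                AUD_KEY: STS_AUDIENCE,
                SUB_KEY: f"repo:{org}/{repo}:ref:refs/heads/{branch}",
            }},
        }],
    }


def deploy_policy(bucket):
    """Permissions policy for the role, scoped to the one site bucket
    (the least-privilege alternative to attaching AmazonS3FullAccess)."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": ["s3:ListBucket"],
             "Resource": f"arn:aws:s3:::{bucket}"},
            {"Effect": "Allow", "Action": ["s3:PutObject", "s3:DeleteObject"],
             "Resource": f"arn:aws:s3:::{bucket}/*"},
        ],
    }


def with_sub(policy, sub):
    """Hypothetical helper: copy of `policy` with the sub condition replaced
    (sub=None removes it); used to build weakened variants for the checker."""
    out = copy.deepcopy(policy)
    equals = out["Statement"][0]["Condition"]["StringEquals"]
    if sub is None:
        equals.pop(SUB_KEY, None)
    else:
        equals[SUB_KEY] = sub
    return out


def trust_policy_findings(policy):
    """Review a trust policy and return the problems found (empty list = OK)."""
    findings = []
    for stmt in policy.get("Statement", []):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") != "Allow" or "sts:AssumeRoleWithWebIdentity" not in actions:
            continue
        cond = stmt.get("Condition", {})
        equals, like = cond.get("StringEquals", {}), cond.get("StringLike", {})
        if equals.get(AUD_KEY) != STS_AUDIENCE:
            findings.append("aud not pinned to sts.amazonaws.com")
        sub = equals.get(SUB_KEY, like.get(SUB_KEY))
        if sub is None:
            findings.append("no sub condition: any GitHub repo could assume the role")
        else:
            subs = [sub] if isinstance(sub, str) else list(sub)
            if any("*" in s for s in subs):
                findings.append(f"wildcard in sub ({', '.join(subs)}): wider than one repo and branch")
    return findings


if __name__ == "__main__":
    good = trust_policy(AWS_ACCOUNT_ID, GITHUB_ORG, GITHUB_REPO, DEPLOY_BRANCH)
    print(json.dumps(good, indent=2))
    print(json.dumps(deploy_policy(BUCKET), indent=2))
    print("scoped policy findings:", trust_policy_findings(good))
    print("no-sub findings:", trust_policy_findings(with_sub(good, None)))
    print("wildcard findings:", trust_policy_findings(with_sub(good, f"repo:{GITHUB_ORG}/*")))
```

Running the script prints both documents and the checker's verdict on the scoped policy and on two loosened variants. The sub value repo:ORG/REPO:ref:refs/heads/BRANCH is what GitHub puts in the token for a workflow triggered by a push to that branch (pull_request runs carry a different sub), so a trust policy pinned this way rejects tokens from other branches, other repos, or forks.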