Skip to content

Setting Permissions for the AWS Lambda deployment

Jump to bottom
James Kent edited this page Oct 16, 2025 · 1 revision

The region is typically us-east-1 Here’s a straightforward, copy-pasteable tutorial to wire up GitHub Actions → AWS with OIDC, and make CDK deployments work (including container/file asset publishing). It uses only the AWS web console plus a tiny bit of JSON you’ll paste into the console.

I’ll show it with your account ID 631329474511. Replace <REGION> with your target region (e.g., us-east-1).

0) Prereqs (quick checks)

  • You have a GitHub repo (e.g., MYORG/MYREPO).
  • The target AWS account is 631329474511, region is <REGION>.
  • CDK is bootstrapped in that account/region (CloudFormation stack CDKToolkit). If not, you (or a one-time admin) can run cdk bootstrap aws://631329474511/<REGION> later.

1) Add the GitHub OIDC provider (one-time)

Console path: IAM → Identity providersAdd provider

  • Provider type: OpenID Connect
  • Provider URL: https://token.actions.githubusercontent.com
  • Audience: sts.amazonaws.com Save.

You should now see an identity provider like: arn:aws:iam::631329474511:oidc-provider/token.actions.githubusercontent.com

2) Create the GitHubActionsLambdaDeployRole (trusted by OIDC)

Console path: IAM → RolesCreate role

  • Trusted entity type: Web identity

  • Identity provider: token.actions.githubusercontent.com

  • Audience: sts.amazonaws.com

  • Continue → Permissions (skip for now; we’ll add custom JSON next) → Name it:

    • Role name: GitHubActionsLambdaDeployRole → Create role.

2a) Tighten the trust policy (repo/branch scoping)

Open the new role → Trust relationshipsEdit trust policy → paste:

{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {
      "Federated": "arn:aws:iam::631329474511:oidc-provider/token.actions.githubusercontent.com"
    },
    "Action": "sts:AssumeRoleWithWebIdentity",
    "Condition": {
      "StringEquals": {
        "token.actions.githubusercontent.com:aud": "sts.amazonaws.com"
      },
      "StringLike": {
        "token.actions.githubusercontent.com:sub": "repo:MYORG/MYREPO:ref:refs/heads/*"
      }
    }
  }]
}

Replace MYORG/MYREPO with your repo. If you want to lock to a single branch, set e.g. repo:MYORG/MYREPO:ref:refs/heads/main.

2b) Add permissions for CDK bootstrap checks + assuming CDK roles

On the same role → PermissionsAdd permissionsCreate policyJSON:

Policy A — read CDK bootstrap SSM parameter (version check)

{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["ssm:GetParameter", "ssm:GetParameters"],
    "Resource": "arn:aws:ssm:*:631329474511:parameter/cdk-bootstrap/*"
  }]
}

Name it CDKBootstrapSSMReadAccess and Create policy. Back in the role, Attach this policy.

Policy B (inline) — allow assuming the three CDK bootstrap roles

Role → PermissionsAdd inline policyJSON:

{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": "sts:AssumeRole",
    "Resource": [
      "arn:aws:iam::631329474511:role/cdk-hnb659fds-deploy-role-631329474511-<REGION>",
      "arn:aws:iam::631329474511:role/cdk-hnb659fds-image-publishing-role-631329474511-<REGION>",
      "arn:aws:iam::631329474511:role/cdk-hnb659fds-file-publishing-role-631329474511-<REGION>"
    ]
  }]
}

Save as AllowAssumeCdkBootstrapRoles.

If you deploy to multiple regions, add one ARN per region or use wildcards like *-*. Exact ARNs are safer.

3) Make the CDK bootstrap roles trust your GitHub role

You’ll repeat this for three roles:

  • cdk-hnb659fds-deploy-role-631329474511-<REGION>
  • cdk-hnb659fds-image-publishing-role-631329474511-<REGION>
  • cdk-hnb659fds-file-publishing-role-631329474511-<REGION>

Console path: IAM → Roles → open each role → Trust relationshipsEdit trust policyAdd this statement (do not remove existing ones):

{
  "Effect": "Allow",
  "Principal": {
    "AWS": "arn:aws:iam::631329474511:role/GitHubActionsLambdaDeployRole"
  },
  "Action": "sts:AssumeRole"
}

Save on each role.

These roles come from the CDK bootstrap stack. If you don’t see them in the region you’re deploying to, bootstrap first (Step 5).

4) GitHub Actions workflow (uses OIDC to assume your role)

In your repo, add (or edit) .github/workflows/deploy.yml:

name: deploy
on:
  push:
    branches: [ main ]  # or your branch
permissions:
  contents: read
  id-token: write   # REQUIRED for OIDC

jobs:
  deploy:
    runs-on: ubuntu-latest
    environment: production
    steps:
      - uses: actions/checkout@v4

      - name: Configure AWS creds via OIDC
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: arn:aws:iam::631329474511:role/GitHubActionsLambdaDeployRole
          aws-region: <REGION>

      - name: Who am I?
        run: aws sts get-caller-identity

      # build/publish CDK assets; then deploy
      - name: Install CDK
        run: npm i -g aws-cdk

      - name: CDK Deploy (no manual approval)
        run: cdk deploy --require-approval never

That’s it for GitHub. The action will:

  1. Get an OIDC token from GitHub → 2) Assume GitHubActionsLambdaDeployRole
  2. CDK will read /cdk-bootstrap/... SSM param → 4) Assume image-publishing/file-publishing/deploy roles → 5) Publish assets & deploy.

5) (If needed) Bootstrap the account/region for CDK

If those three CDK roles are missing in <REGION>, one-time bootstrap is required.

  • Temporarily use an admin session, or allow your GitHub role to run bootstrap once.

  • Run (locally or in CloudShell):

    npm i -g aws-cdk
cdk bootstrap aws://631329474511/<REGION>

  • After bootstrap, repeat Step 3 (add trust for your GitHub role to the three created roles).

6) Quick verification checklist

  • IAM → Identity providers: GitHub OIDC exists.

  • IAM → Roles:

    • GitHubActionsLambdaDeployRole trust = OIDC provider + repo/branch condition.

    • GitHubActionsLambdaDeployRole permissions:

      • CDKBootstrapSSMReadAccess (SSM read on /cdk-bootstrap/*)
      • inline AllowAssumeCdkBootstrapRoles (sts:AssumeRole on 3 ARNs)

    • Each CDK role trust includes your GitHubActionsLambdaDeployRole.

  • CloudFormation: CDKToolkit stack exists in <REGION> (modern bootstrap).

  • Re-run workflow: No more ssm:GetParameter or AssumeRole errors; asset publishing to ECR/S3 succeeds.

Common “gotchas” & fixes

  • “current credentials could not be used to assume …” → Either your GitHub role lacks sts:AssumeRole permission for that CDK role, or the CDK role’s trust policy doesn’t list your GitHub role. Fix Steps 2b + 3.

  • AccessDenied: ssm:GetParameter … /cdk-bootstrap/hnb659fds/version → Missing SSM read policy on your GitHub role. Add Policy A in Step 2b.

  • ecr:DescribeRepositories AccessDenied (during asset publish) → You didn’t successfully assume the image-publishing role; the base role doesn’t need ECR perms. Fix trust+assume per Steps 2b + 3.

  • Region mismatch → CDK roles and SSM param are per region. Make sure your workflow aws-region matches where CDKToolkit exists and where your stack deploys.

If you want, tell me your exact <REGION> and repo path, and I’ll return the three exact ARNs and finished JSON blocks with no placeholders.

Clone this wiki locally