
aws-oidc

Comprehensive instructions for building secure, compliant Docker containers within Optum using golden images, SaaS Artifactory authentication, and enterprise best practices.

IDE: claude, codex, vscode
Version: 0.0.0

Once OIDC is configured in AWS using aws-oidc.chatmode.md, the following example workflows can be used to authenticate from a GitHub CI/CD pipeline.

Basic Workflow Example

```yaml
name: Deploy to AWS
on:
  push:
    branches:
      - main

# id-token: write lets the job request an OIDC token from GitHub; no stored AWS keys are needed
permissions:
  id-token: write
  contents: read

jobs:
  deploy:
    runs-on: uhg-runner
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: arn:aws:iam::<AWS_ACCOUNT_ID>:role/<ROLE_NAME>
          role-session-name: GitHubOIDCSession
          aws-region: us-east-1

      - name: Verify authentication
        run: |
          aws sts get-caller-identity
          aws s3api list-buckets --query 'Buckets[].Name'
```

Advanced Workflow with Multiple Environments

```yaml
name: Multi-Environment Deployment
on:
  push:
    branches:
      - main
      - develop
  # The prod leg only deploys from a manual run, so the trigger must be declared
  workflow_dispatch:

permissions:
  id-token: write
  contents: read

jobs:
  deploy:
    runs-on: uhg-runner
    strategy:
      matrix:
        environment: [dev, staging, prod]
        include:
          # Each leg records the ref and event allowed to deploy it; the steps
          # compare these against the github context at run time.
          - environment: dev
            aws-role: arn:aws:iam::123456789012:role/github-action-role-dev
            ref: refs/heads/develop
            event: push
          - environment: staging
            aws-role: arn:aws:iam::123456789012:role/github-action-role-staging
            ref: refs/heads/main
            event: push
          - environment: prod
            aws-role: arn:aws:iam::987654321098:role/github-action-role-prod
            ref: refs/heads/main
            event: workflow_dispatch

    # The matrix context is not available in a job-level `if`, so the gate is
    # applied on each step; legs that do not match run with every step skipped.
    environment: ${{ matrix.environment }}

    steps:
      - uses: actions/checkout@v4
        if: ${{ github.ref == matrix.ref && github.event_name == matrix.event }}

      - name: Configure AWS credentials
        if: ${{ github.ref == matrix.ref && github.event_name == matrix.event }}
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: ${{ matrix.aws-role }}
          role-session-name: GitHubOIDCSession-${{ matrix.environment }}
          aws-region: us-east-1

      - name: Deploy to ${{ matrix.environment }}
        if: ${{ github.ref == matrix.ref && github.event_name == matrix.event }}
        run: |
          echo "Deploying to ${{ matrix.environment }}"
          aws sts get-caller-identity
```
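
The workflows above only work if the role's trust policy accepts the token GitHub issues. Because this job sets `environment:`, the token's `sub` claim is `repo:ORG/REPO:environment:NAME` rather than `repo:ORG/REPO:ref:refs/heads/...`, so the prod role must trust the environment form. The following is an added example, not code from the page or its project: a small evaluator for the `aud`/`sub` conditions of a trust policy, plus a check for `sub` patterns that do not pin one exact org/repo. The policy, the `example-org/example-app` names and the claim values are constructed; only the account id and role name come from the matrix above.

```python
import json
import re

# Constructed trust policy for the prod role (account and role from the page, org/repo are
# placeholders). It pins the token to one repo and to the "prod" GitHub environment.
PROD_TRUST_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"Federated": "arn:aws:iam::987654321098:oidc-provider/token.actions.githubusercontent.com"},
    "Action": "sts:AssumeRoleWithWebIdentity",
    "Condition": {
      "StringEquals": {"token.actions.githubusercontent.com:aud": "sts.amazonaws.com"},
      "StringLike": {"token.actions.githubusercontent.com:sub": "repo:example-org/example-app:environment:prod"}
    }
  }]
}""")

def iam_match(operator, pattern, value):
    """Evaluate one IAM string condition; StringLike supports only the * and ? wildcards."""
    if operator == "StringEquals":
        return pattern == value
    if operator == "StringLike":
        regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
        return re.fullmatch(regex, value) is not None
    raise ValueError(f"unsupported condition operator: {operator}")

def trust_policy_allows(policy, claims):
    """True if every condition of some Allow statement holds for the token claims."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or stmt["Action"] != "sts:AssumeRoleWithWebIdentity":
            continue
        satisfied = True
        for operator, conditions in stmt.get("Condition", {}).items():
            for key, patterns in conditions.items():
                patterns = patterns if isinstance(patterns, list) else [patterns]
                claim = claims.get(key.split(":", 1)[1])  # "...:sub" -> "sub"
                if claim is None or not any(iam_match(operator, p, claim) for p in patterns):
                    satisfied = False
        if satisfied:
            return True
    return False

def unpinned_sub_patterns(policy):
    """Sub patterns that do not name one exact org/repo: any repo in the org (or a fork) could match."""
    pinned = re.compile(r"repo:[^:*?/]+/[^:*?]+:")
    subs = [c.get("token.actions.githubusercontent.com:sub", []) for s in policy["Statement"]
            for c in s.get("Condition", {}).values()]
    flat = [p for pats in subs for p in (pats if isinstance(pats, list) else [pats])]
    return [p for p in flat if not pinned.match(p)]
```

Run `unpinned_sub_patterns` against each role's trust policy during review; an empty list means every `sub` condition names a single repository.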

Integration with Optum Artifactory

```yaml
name: Build, Scan, and Deploy
on:
  push:
    branches: [main]

permissions:
  actions: read
  contents: write
  pull-requests: write
  security-events: write
  checks: write
  id-token: write

jobs:
  build-and-deploy:
    runs-on: [uhg-runner]
    steps:
      - uses: actions/checkout@v4

      # Configure Artifactory
      - name: Configure Artifactory Connection
        id: artifactory-setup
        uses: uhg-pipelines/epl-jf/configure-saas-connection@latest
        with:
          jfrog-project-key: your-project-key
          npm-setup: true

      # Build and publish to Artifactory
      - name: Build and Scan
        uses: optum-eeps/epl-actions/node-build-scan@v1
        with:
          jfrog-project-key: your-project-key
          jfrog-build-name: ${{ steps.artifactory-setup.outputs.jfrog-build-name }}
          jfrog-build-number: ${{ steps.artifactory-setup.outputs.jfrog-build-number }}
          npm-publish: true

      # Configure AWS credentials
      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: ${{ secrets.AWS_ROLE_ARN }}
          role-session-name: GitHubOIDCSession
          aws-region: us-east-1

      # Deploy to AWS
      - name: Deploy to AWS
        run: |
          aws s3 sync ./dist s3://${{ secrets.S3_BUCKET }}/
          aws cloudfront create-invalidation --distribution-id ${{ secrets.CLOUDFRONT_ID }} --paths "/*"
```