rails-lambda / lamby-cookiecutter

🐑🛤 AWS SAM Cookiecutter to Quick Start Rails & Lambda
https://lamby.cloud/docs/quick_start

Support OpenId for GitHub Actions CI/CD #34

Closed CodySwannGT closed 1 year ago

CodySwannGT commented 1 year ago

https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services

metaskills commented 1 year ago

The basic aws-actions/configure-aws-credentials is supposed to be a starting point. For example, folks may want to add multi-stage deployments to the workflow or other things special to their needs. I think OpenID could be one of these. It is a great idea for some folks, maybe more, but is it something that should be in a basic starter? Thoughts?

CodySwannGT commented 1 year ago

@metaskills definitely a fair point without a definitive answer. The only thing I would add is that both GH and AWS are starting to say it's bad to put credentials directly in the repository.

We're bumping up against that with a security audit at the moment.

metaskills commented 1 year ago

Understood, out of curiosity... when you say "put credentials directly in the repository"... does this include GitHub encrypted secrets as secure environment variables? Typically when I hear that term folks mention adding keys right in the git history/repo. Just wanted to make sure I understood fully. Thanks!

CodySwannGT commented 1 year ago

@metaskills - yes. Sorry. That was unclear. I was referring to encrypted secrets.

metaskills commented 1 year ago

Wow, thanks. I understand too. I think OIDC is 100% the way. I should add some explicit (and forceful) documentation to the docs and starter here making it clear that this action should be temporary. So gonna leave this open as a reminder.

metaskills commented 1 year ago

Closing this out, I added some language about OpenID in the guides during this work. https://github.com/customink/lamby-site/pull/60
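What the OIDC switch discussed in this thread looks like in practice, as an added example that is not the cookiecutter's own workflow nor code from the issue: two YAML documents separated by `---`, the GitHub Actions deploy job (static-key version kept commented out next to the OIDC version) and the CloudFormation for the role it assumes. The account id, role name, repository `my-org/my-rails-app` and `us-east-1` are placeholders; it assumes the GitHub OIDC provider is already registered in the account, and the role's deploy permissions are omitted.

```yaml
# .github/workflows/deploy.yml
name: Deploy
on:
  push:
    branches: [main]
# id-token:write lets the job request a GitHub OIDC token; contents:read
# is all that checkout needs. Keep the job token scoped this tightly.
permissions:
  id-token: write
  contents: read
jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      # BEFORE: long-lived IAM user keys kept as GitHub encrypted secrets.
      # They never expire by themselves and work from anywhere they leak to.
      # - uses: aws-actions/configure-aws-credentials@v4
      #   with:
      #     aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
      #     aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
      #     aws-region: us-east-1
      # AFTER: the job's short-lived OIDC token is exchanged for temporary
      # STS credentials via AssumeRoleWithWebIdentity; nothing is stored.
      - uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: arn:aws:iam::123456789012:role/GitHubDeployRole  # placeholder
          role-session-name: lamby-deploy-${{ github.run_id }}
          aws-region: us-east-1
      - run: sam build && sam deploy --no-confirm-changeset  # or the project's deploy script
---
# CloudFormation for the role above. The trust policy is the real control:
# it names which repository and branch may assume the role.
Resources:
  GitHubDeployRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: GitHubDeployRole
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Action: sts:AssumeRoleWithWebIdentity
            Principal:
              Federated: arn:aws:iam::123456789012:oidc-provider/token.actions.githubusercontent.com
            Condition:
              StringEquals:
                token.actions.githubusercontent.com:aud: sts.amazonaws.com
              StringLike:  # no bare "repo:org/*" here: that would trust every repo in the org
                token.actions.githubusercontent.com:sub: repo:my-org/my-rails-app:ref:refs/heads/main
```

If a leak is suspected, the useful check is CloudTrail: every `AssumeRoleWithWebIdentity` event records the `sub` claim, so a session from an unexpected repository or branch stands out, whereas a leaked static key shows no such origin.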