
Connect GitHub with AWS

To have your GitHub repository talk to your AWS account, you need to connect the two for secure, passwordless communication.

The technology that enables this is called OpenID Connect. With it, AWS trusts GitHub to issue a token, which AWS then validates when GitHub tries to access your AWS account (simplified).

Semi-automatic way

The cdk-remix-setup repository contains a CDK setup that can be used to prepare your AWS account for a Remix application.

It is a script that guides you through creating the OpenID Connect setup.

Manual way

If you prefer to connect your GitHub account with your AWS account manually, follow these steps:

In your AWS account you need to create an OpenID Connect provider and attach a role to it whose trust configuration allows access from your GitHub repository. The ARN of this role is then configured in GitHub so that it can assume the role and communicate with your AWS account.

AWS provides a CloudFormation template for this. Go to your AWS account, open the CloudFormation service and create a new stack from that template.

This stack has four parameters:

  • GitHubOrg: The organization in which your repository is located.
  • RepositoryName: The repository that needs to access AWS.
  • OIDCProviderArn: You can leave this empty; AWS will provide the ARN if you don't add anything here.
  • OIDCAudience: You can keep the default.

After the stack has run through, you need to find the role in IAM and add permissions. The scope of the permissions depends on what you want to execute with the CDK. Admin rights will work, but the principle of least privilege should be considered.
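The role's trust policy, not its permissions, decides which repositories may assume it: its sub condition is built from GitHubOrg and RepositoryName, its aud condition from OIDCAudience. As an added example (not code from this page or from the cdk-remix-setup project), the following Python evaluates a constructed trust policy against sample token claims the way IAM's StringEquals and StringLike conditions do, and flags a policy whose subject is not pinned to one org/repo; the account id, organization and repository names are placeholders.

```python
import re
ISSUER = "token.actions.githubusercontent.com"

# Constructed sample trust policy shaped like the stack's; account id, org and repo are placeholders.
TRUST_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRoleWithWebIdentity",
    "Principal": {"Federated": "arn:aws:iam::123456789012:oidc-provider/" + ISSUER},
    "Condition": {
        "StringEquals": {f"{ISSUER}:aud": "sts.amazonaws.com"},
        "StringLike": {f"{ISSUER}:sub": "repo:example-org/remix-app:*"},
    },
}]}

def _like(pattern: str, value: str) -> bool:
    # IAM StringLike semantics: '*' matches any run of characters, '?' exactly one.
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value) is not None

def _conditions(stmt: dict) -> tuple[list[str], list[str]]:
    # Return (aud values, sub patterns); each condition may be a string, a list, or absent.
    cond = stmt.get("Condition", {})
    def vals(op: str, key: str) -> list[str]:
        v = cond.get(op, {}).get(f"{ISSUER}:{key}")
        return [v] if isinstance(v, str) else list(v or [])
    return vals("StringEquals", "aud"), vals("StringEquals", "sub") + vals("StringLike", "sub")

def _oidc_statements(policy: dict) -> list[dict]:
    return [s for s in policy["Statement"] if s.get("Action") == "sts:AssumeRoleWithWebIdentity"]

def allows_token(policy: dict, aud: str, sub: str) -> bool:
    # Would a GitHub token carrying these aud/sub claims satisfy any statement?
    for stmt in _oidc_statements(policy):
        auds, subs = _conditions(stmt)
        if (not auds or aud in auds) and (not subs or any(_like(p, sub) for p in subs)):
            return True  # an absent condition restricts nothing
    return False

def audit(policy: dict) -> list[str]:
    # Findings for statements broader than "one audience, one org/repo".
    findings = []
    for stmt in _oidc_statements(policy):
        auds, subs = _conditions(stmt)
        if not auds: findings.append("missing aud condition")
        if not subs: findings.append("missing sub condition: any GitHub repository may assume the role")
        for p in subs:
            parts = p.split(":", 2)  # expected shape: repo:<org>/<repo>:<rest>
            if len(parts) < 3 or parts[0] != "repo" or "/" not in parts[1] or any(c in parts[1] for c in "*?"):
                findings.append(f"sub pattern not pinned to one org/repo: {p}")
    return findings
```

Run audit() against the trust policy of the role the stack created; an empty result means only the configured org/repo, with the expected audience, can assume it.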

After the template has run, you will find the OIDCProviderArn under the stack's outputs; this is the value you add to GitHub.

It is the AWS OpenID Connect provider role that GitHub needs in order to connect to AWS.
Read the docs for further information.