Create GitHub Actions Role

1. Go to AWS IAM console.

2. In the left sidebar,

• Choose Identity providers.
• Click Add provider.

3. In the Configure provider section,

• For Provider type, select OpenID Connect.
• For Provider URL, enter https://token.actions.githubusercontent.com.
• For Audience, enter sts.amazonaws.com.

4. Scroll down to the bottom, click Add provider.

5. Back to AWS IAM console.

6. In the left sidebar,

• Choose Policies.
• Click Create policy.

7. In the Policy editor section,

• Select JSON tab.
• Fill out the following policy. Replace <YOUR-AWS-ACCOUNT-ID> with yours.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowPushPull",
            "Effect": "Allow",
            "Action": [
                "ecr:BatchGetImage",
                "ecr:BatchCheckLayerAvailability",
                "ecr:CompleteLayerUpload",
                "ecr:GetDownloadUrlForLayer",
                "ecr:InitiateLayerUpload",
                "ecr:PutImage",
                "ecr:UploadLayerPart",
                "ecr:DescribeImages"
            ],
            "Resource": "arn:aws:ecr:us-east-1:<YOUR-AWS-ACCOUNT-ID>:repository/awsome-books"
        },
        {
            "Sid": "GetAuthorizationToken",
            "Effect": "Allow",
            "Action": [
                "ecr:GetAuthorizationToken"
            ],
            "Resource": "*"
        },
        {
            "Sid": "RegisterAndDescribeTaskDefinition",
            "Effect": "Allow",
            "Action": [
                "ecs:RegisterTaskDefinition",
                "ecs:DescribeTaskDefinition"
            ],
            "Resource": "*"
        },
        {
            "Sid": "PassRolesInTaskDefinition",
            "Effect": "Allow",
            "Action": [
                "iam:PassRole"
            ],
            "Resource": [
                "arn:aws:iam::<YOUR-AWS-ACCOUNT-ID>:role/ecsTaskRole",
                "arn:aws:iam::<YOUR-AWS-ACCOUNT-ID>:role/ecsTaskExecutionRole"
            ]
        },
        {
            "Sid": "DeployService",
            "Effect": "Allow",
            "Action": [
                "ecs:UpdateService",
                "ecs:DescribeServices",
                "codedeploy:GetDeploymentGroup",
                "codedeploy:CreateDeployment",
                "codedeploy:GetDeployment",
                "codedeploy:GetDeploymentConfig",
                "codedeploy:RegisterApplicationRevision"
            ],
            "Resource": [
                "arn:aws:ecs:us-east-1:<YOUR-AWS-ACCOUNT-ID>:service/fcj/awsome-books",
                "arn:aws:codedeploy:us-east-1:<YOUR-AWS-ACCOUNT-ID>:deploymentgroup:AppECS-fcj-awsome-books/DgpECS-fcj-awsome-books",
                "arn:aws:codedeploy:us-east-1:<YOUR-AWS-ACCOUNT-ID>:deploymentconfig:*",
                "arn:aws:codedeploy:us-east-1:<YOUR-AWS-ACCOUNT-ID>:application:AppECS-fcj-awsome-books"
            ]
        }
    ]
}

8. Scroll down to the bottom, click Next.

9. In the Policy details section, enter gha-policy for Policy name.

10. Scroll down to the bottom, click Create policy.

11. Back to AWS IAM console.

12. In the left sidebar,

• Choose Roles.
• Click Create role.

13. In the Trusted entity type section, select Web identity.

14. In the Web identity section,

• For Identity provider, select token.actions.githubusercontent.com.
• For Audience, select sts.amazonaws.com.
• For GitHub organization, enter fcj-workshops-2024.
• For GitHub repository, enter awsome-books.
• Click Next.

15. In the Permissions policies section,

• Filter with value gha-policy.
• Select gha-policy policy.
• Click Next.

16. In the Role details section, enter gha-role for Role name.

17. Scroll down to the bottom, click Create role.

18. Note down the role ARN you just created — you may need it later!