IAM trust policy (example):

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::123456789012:oidc-provider/token.actions.githubusercontent.com"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "token.actions.githubusercontent.com:aud": "sts.amazonaws.com"
        },
        "StringLike": {
          "token.actions.githubusercontent.com:sub": "repo:ORG/REPO:*"
        }
      }
    }
  ]
}
```

GitHub Actions workflow:

```yaml
name: build-and-push
on:
  push:
    branches: ["main"]
permissions:
  id-token: write
  contents: read
jobs:
  push:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: arn:aws:iam::123456789012:role/GitHubActionsECR
          aws-region: us-east-1
      - uses: aws-actions/amazon-ecr-login@v2
      - run: |
          ACCOUNT=$(aws sts get-caller-identity --query Account --output text)
          IMAGE="$ACCOUNT.dkr.ecr.us-east-1.amazonaws.com/app"
          docker build -t "$IMAGE:latest" .
          docker push "$IMAGE:latest"
```
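To see which workflow runs the trust policy above actually admits, here is an added Python check (not part of the original post) that evaluates the policy's StringEquals/StringLike conditions against constructed GitHub OIDC claims the way IAM matches them. It also builds a narrowed variant that pins `sub` to `refs/heads/main`, the branch the workflow triggers on; the page's `repo:ORG/REPO:*` pattern also admits `pull_request` and other-branch runs of the same repository. The claim values are constructed samples following GitHub's `aud`/`sub` format.

```python
import json
import re

# The trust policy quoted on this page, embedded here as the input being evaluated.
PAGE_POLICY = json.loads("""
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow",
  "Principal": { "Federated": "arn:aws:iam::123456789012:oidc-provider/token.actions.githubusercontent.com" },
  "Action": "sts:AssumeRoleWithWebIdentity",
  "Condition": { "StringEquals": { "token.actions.githubusercontent.com:aud": "sts.amazonaws.com" },
                 "StringLike":   { "token.actions.githubusercontent.com:sub": "repo:ORG/REPO:*" } } } ] }
""")
SUB_KEY = "token.actions.githubusercontent.com:sub"

def _stringlike(pattern, value):
    # IAM StringLike: '*' matches any run of characters, '?' exactly one; case-sensitive.
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None

def trust_policy_allows(policy, claims):
    """True if some Allow statement for AssumeRoleWithWebIdentity has every condition met by claims."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow" or stmt.get("Action") != "sts:AssumeRoleWithWebIdentity":
            continue
        satisfied = True
        for op, pairs in stmt.get("Condition", {}).items():
            for key, expected in pairs.items():
                claim = claims.get(key.split(":", 1)[1], "")   # "...:sub" -> claims["sub"]; missing -> ""
                patterns = expected if isinstance(expected, list) else [expected]
                if op == "StringEquals":
                    satisfied = satisfied and claim in patterns
                elif op == "StringLike":
                    satisfied = satisfied and any(_stringlike(p, claim) for p in patterns)
                else:
                    raise ValueError(f"condition operator {op} not modelled here")
        if satisfied:
            return True
    return False

def narrowed_to_main(policy):
    # Same policy with sub pinned to the main branch ref, matching the workflow's push trigger (hypothetical tightening).
    tightened = json.loads(json.dumps(policy))
    tightened["Statement"][0]["Condition"]["StringLike"][SUB_KEY] = "repo:ORG/REPO:ref:refs/heads/main"
    return tightened

# Constructed sample OIDC claims (constructed here; shape follows GitHub's aud/sub claims).
MAIN_PUSH  = {"aud": "sts.amazonaws.com", "sub": "repo:ORG/REPO:ref:refs/heads/main"}
PULL_REQ   = {"aud": "sts.amazonaws.com", "sub": "repo:ORG/REPO:pull_request"}
OTHER_REPO = {"aud": "sts.amazonaws.com", "sub": "repo:ORG/OTHER:ref:refs/heads/main"}
```

Call `trust_policy_allows(PAGE_POLICY, PULL_REQ)` and `trust_policy_allows(narrowed_to_main(PAGE_POLICY), PULL_REQ)` to compare the two policies on the same claims.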
