GitHub Actions OIDC 与 AWS ECR 无密钥推送实践

YBB 5 阅读 0 评论 0 点赞

IAM 信任策略（示例）：{

"Version": "2012-10-17",

"Statement": [

{

"Effect": "Allow",

"Principal": {

"Federated": "arn:aws:iam::123456789012:oidc-provider/token.actions.githubusercontent.com"

"Action": "sts:AssumeRoleWithWebIdentity",

"Condition": {

"StringEquals": {

"token.actions.githubusercontent.com:aud": "sts.amazonaws.com"

"StringLike": {

"token.actions.githubusercontent.com:sub": "repo:ORG/REPO:*"

}

]

}

GitHub Actions 工作流：name: build-and-push

on:

push:

branches: ["main"]

permissions:

id-token: write

contents: read

jobs:

push:

runs-on: ubuntu-latest

steps:

- uses: actions/checkout@v4

- uses: aws-actions/configure-aws-credentials@v4

with:

role-to-assume: arn:aws:iam::123456789012:role/GitHubActionsECR

aws-region: us-east-1

- uses: aws-actions/amazon-ecr-login@v2

- run: |

ACCOUNT=$(aws sts get-caller-identity --query Account --output text)

IMAGE="$ACCOUNT.dkr.ecr.us-east-1.amazonaws.com/app"

docker build -t "$IMAGE:latest" .

docker push "$IMAGE:latest"

点赞(0) 打赏

本文分类：CI-CD
本文标签：OIDC id-token configure-aws-credentials@v4 ECR login dockerpush
浏览次数：5 次浏览
发布日期：2026-02-12 23:43:09
本文链接：https://www.ybb.press/ci-cd/1272.html

上一篇 > GitHub Actions CI 性能优化（Matrix、缓存、并行与条件执行）
下一篇 > GitHub Actions OIDC 与跨云临时凭证最小权限（2025）

GitHub Actions OIDC 与 AWS ECR 无密钥推送实践

on:

push:

permissions:

jobs:

push:

steps:

with:

评论列表共有 0 条评论

发表评论取消回复

GitHub Actions OIDC 与 AWS ECR 无密钥推送实践

on:

push:

permissions:

jobs:

push:

steps:

with:

安全认证与授权：OAuth2/OIDC与JWT最佳实践

动态客户端注册治理：OIDC/OAuth客户端创建与撤销

Node.js npm provenance 与包完整性验证最佳实践

SSO协议选型：SAML与OIDC对比

评论列表 共有 0 条评论

发表评论 取消回复

评论列表共有 0 条评论

发表评论取消回复