---
title: Keyless pushes to AWS ECR from GitHub Actions with OIDC
keywords: OIDC, id-token, configure-aws-credentials@v4, ECR login, docker push
description: Use OIDC in GitHub Actions to obtain AWS credentials without stored secrets, log in to ECR and push an image, improving security and maintainability.
categories:
  - Articles & News
  - Technical Tutorials
---

IAM trust policy (example):

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::123456789012:oidc-provider/token.actions.githubusercontent.com"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "token.actions.githubusercontent.com:aud": "sts.amazonaws.com"
        },
        "StringLike": {
          "token.actions.githubusercontent.com:sub": "repo:ORG/REPO:*"
        }
      }
    }
  ]
}
```
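To see what a trust policy like the one above actually admits, here is an added example (not part of the original article) that models IAM's StringEquals/StringLike evaluation over GitHub OIDC token claims; the ISSUER and TRUST_POLICY constants, the claim values used in testing, and the iam_like, condition_matches, role_accepts and with_sub_pattern helpers are constructed for this example. It shows that the subject pattern `repo:ORG/REPO:*` also matches tokens issued for pull_request runs and for any environment or tag of the repository, and how narrowing the subject to `repo:ORG/REPO:ref:refs/heads/main` restricts the role to pushes on the main branch.

```python
import copy
import re

# Constructed sample: the article's trust policy with the same placeholder
# account id and the broad "repo:ORG/REPO:*" subject pattern.
ISSUER = "token.actions.githubusercontent.com"
TRUST_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"Federated": f"arn:aws:iam::123456789012:oidc-provider/{ISSUER}"},
    "Action": "sts:AssumeRoleWithWebIdentity",
    "Condition": {"StringEquals": {f"{ISSUER}:aud": "sts.amazonaws.com"},
                  "StringLike": {f"{ISSUER}:sub": "repo:ORG/REPO:*"}}}]}

def iam_like(pattern: str, value: str) -> bool:
    """IAM StringLike: case-sensitive; only '*' (any run) and '?' (one char) are special."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None

def condition_matches(condition: dict, claims: dict) -> bool:
    """Evaluate StringEquals / StringLike blocks against GitHub OIDC token claims.
    Keys are '<issuer>:<claim>', so '...:sub' is checked against claims['sub'];
    a list of expected values is an OR, distinct keys and operators are ANDed."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = claims.get(key.split(":", 1)[1])
            allowed = expected if isinstance(expected, list) else [expected]
            if operator == "StringEquals":
                ok = actual in allowed
            elif operator == "StringLike":
                ok = actual is not None and any(iam_like(p, actual) for p in allowed)
            else:
                raise ValueError(f"operator {operator} is not modelled here")
            if not ok:
                return False
    return True

def role_accepts(policy: dict, claims: dict) -> bool:
    """True if some Allow statement's conditions are satisfied by the claims."""
    return any(s["Effect"] == "Allow" and condition_matches(s.get("Condition", {}), claims)
               for s in policy["Statement"])

def with_sub_pattern(policy: dict, pattern: str) -> dict:
    """Hypothetical helper: copy of the policy with the StringLike sub pattern replaced,
    e.g. tightened to 'repo:ORG/REPO:ref:refs/heads/main' for the main branch only."""
    tightened = copy.deepcopy(policy)
    for s in tightened["Statement"]:
        s["Condition"]["StringLike"][f"{ISSUER}:sub"] = pattern
    return tightened
```

The subject formats used in the test (`repo:ORG/REPO:ref:refs/heads/main`, `repo:ORG/REPO:pull_request`, `repo:ORG/REPO:environment:prod`) are the ones GitHub issues for branch, pull-request and environment-scoped runs respectively.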

GitHub Actions workflow:

```yaml
name: build-and-push
on:
  push:
    branches: ["main"]
permissions:
  id-token: write   # lets the job request a GitHub OIDC token
  contents: read

jobs:
  push:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      # Exchanges the OIDC token for temporary credentials of the role below; no long-lived AWS keys are stored.
      - uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: arn:aws:iam::123456789012:role/GitHubActionsECR
          aws-region: us-east-1
      # Obtains a short-lived docker login for the account's ECR registry.
      - uses: aws-actions/amazon-ecr-login@v2
      - run: |
          ACCOUNT=$(aws sts get-caller-identity --query Account --output text)
          IMAGE="$ACCOUNT.dkr.ecr.us-east-1.amazonaws.com/app"
          docker build -t "$IMAGE:latest" .
          docker push "$IMAGE:latest"
```
