feat: support OIDC invalidate cloudfront (#259)

jirimoravcik · web-flow · commit 974611ad9645 · 2026-03-11T10:39:27.000+01:00
diff --git a/.github/workflows/invalidate_cloudfront.yaml b/.github/workflows/invalidate_cloudfront.yaml
@@ -16,6 +16,16 @@ on:
         description: AWS IAM role ARN
         required: false
         type: string
+      useOIDC:
+        description: Whether to use OIDC for assume role
+        required: false
+        type: boolean
+        default: false
+      githubOIDCRoleArn:
+        description: Github OIDC role ARN
+        required: false
+        type: string
+        default: ""
       awsRegion:
         description: AWS region
         required: false
@@ -42,10 +52,10 @@ on:
     secrets:
       awsAccessKeyId:
         description: AWS access key ID
-        required: true
+        required: false
       awsSecretAccessKey:
         description: AWS secret access key
-        required: true
+        required: false
       slackToken:
         description: Slack API token
         required: false
@@ -55,6 +65,7 @@ jobs:
     runs-on: ubuntu-22.04-arm64
     steps:
       - name: assume IAM role
+        if: inputs.useOIDC == false
         uses: aws-actions/configure-aws-credentials@v4
         with:
           aws-access-key-id: ${{ secrets.awsAccessKeyId }}
@@ -67,6 +78,30 @@ jobs:
           # which does not work for cross-account assume
           role-skip-session-tagging: true
 
+      # First assume GithubOIDCRole role, the trust relationship between GitHub and AWS is defined in IAM GithubOIDCRole in the organization account. This role has permissions to assume Deployer roles only.
+      - name: assume GithubOIDCRole
+        if: inputs.useOIDC == true
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          aws-region: ${{ inputs.awsRegion }}
+          role-to-assume: ${{ inputs.githubOIDCRoleArn }}
+          role-duration-seconds: ${{ inputs.awsSessionDuration }}
+
+          # This parameter is needed otherwise this action is trying to tag session
+          # which does not work for cross-account assume
+          role-skip-session-tagging: true
+
+      # Then assume Deployer role, which can be assumed by GithubOIDCRole and has all the permissions needed.
+      - name: assume Deployer role
+        if: inputs.useOIDC == true
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          aws-region: ${{ inputs.awsRegion }}
+          role-to-assume: ${{ inputs.awsRoleArn }}
+          role-duration-seconds: ${{ inputs.awsSessionDuration }}
+          role-chaining: true
+          role-skip-session-tagging: true
+
       - name: invalidate
         run: |
           echo ">>> Invalidating path ${{ inputs.path }} of distribution ${{ inputs.distributionId }}"
