Learn useful tips for common scenarios:
AWS does not consider the account ID to be a secret:
While account IDs, like any identifying information, should be used and shared carefully, they are not considered secret, sensitive, or confidential information.
However, when dealing with multiple AWS accounts, it can be useful to give each account ID an alias. This can be accomplished by defining GitHub Actions variables, which can subsequently be used in your workflows.
Assuming you defined repository variables as follows:
| Variable | Value |
|---|---|
| AWS_ACCOUNT_ID_DEV | 111122223333 |
| AWS_ACCOUNT_ID_PROD | 444455556666 |
You can now reference them in your `runs-on:` label like this:

```yaml
runs-on: sprinters:aws/${{ vars.AWS_ACCOUNT_ID_DEV }}:ubuntu-latest:m7i.xlarge
runs-on: sprinters:aws/${{ vars.AWS_ACCOUNT_ID_PROD }}:ubuntu-latest:m7i.8xlarge
```

At runtime they are substituted with their actual values:

```yaml
runs-on: sprinters:aws/111122223333:ubuntu-latest:m7i.xlarge
runs-on: sprinters:aws/444455556666:ubuntu-latest:m7i.8xlarge
```

This makes it much easier to ensure each job runs on the intended AWS account.
To run jobs from multiple GitHub accounts on the same AWS account, adjust the IAM role trust policy so the `sts:ExternalId` condition lists all of the GitHub account names instead of a single one:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "381491863103"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": [
            "first-github-account-name",
            "second-github-account-name",
            "yet-another-github-account-name"
          ]
        }
      }
    }
  ]
}
```
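Because the `sts:ExternalId` list is the only thing that decides which GitHub accounts may assume the role, it is worth checking the trust policy after every edit rather than trusting it by eye. The following script is an added example, not part of the Sprinters documentation or product: `build_trust_policy` produces a policy with the same shape as the one above from a list of GitHub account names, and `audit_trust_policy` reads any trust policy back and reports which external IDs may assume the role, flagging statements that allow `sts:AssumeRole` with a wildcard principal or without an `sts:ExternalId` condition. The principal account ID used in the usage block is the one shown in the page's policy; the GitHub account names are the page's placeholders.

```python
import json

# Action and condition key the trust policy on the page relies on.
ASSUME_ROLE = "sts:AssumeRole"
EXTERNAL_ID_KEY = "sts:ExternalId"


def _as_list(value):
    """IAM policy fields may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def build_trust_policy(principal_account_id, github_accounts):
    """Return a trust policy (dict) with the same shape as the page's example:
    one AWS principal may assume the role only when it presents one of the
    given GitHub account names as sts:ExternalId."""
    if not github_accounts:
        raise ValueError("at least one GitHub account name is required")
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"AWS": principal_account_id},
                "Action": ASSUME_ROLE,
                "Condition": {
                    "StringEquals": {EXTERNAL_ID_KEY: sorted(set(github_accounts))}
                },
            }
        ],
    }


def audit_trust_policy(policy):
    """Audit every Allow statement that grants sts:AssumeRole.

    Returns (allowed_external_ids, findings): the set of sts:ExternalId values
    that may assume the role, and a list of problems such as a statement that
    allows AssumeRole with a wildcard principal or with no ExternalId pin.
    """
    allowed = set()
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        # "sts:*" and "*" also cover AssumeRole, so treat them the same way.
        if not any(a in (ASSUME_ROLE, "sts:*", "*") for a in actions):
            continue
        principal = stmt.get("Principal")
        aws_principals = _as_list(principal.get("AWS")) if isinstance(principal, dict) else _as_list(principal)
        if "*" in aws_principals:
            findings.append(f"statement {i}: AssumeRole allowed for a wildcard principal")
        condition = stmt.get("Condition") or {}
        ext_ids = _as_list((condition.get("StringEquals") or {}).get(EXTERNAL_ID_KEY))
        if not ext_ids:
            findings.append(f"statement {i}: AssumeRole allowed without an {EXTERNAL_ID_KEY} condition")
            continue
        allowed.update(ext_ids)
    return allowed, findings


if __name__ == "__main__":
    # Principal account ID and GitHub account names taken from the page's policy.
    policy = build_trust_policy(
        "381491863103",
        ["first-github-account-name", "second-github-account-name", "yet-another-github-account-name"],
    )
    print(json.dumps(policy, indent=2))
    # Round-trip through JSON as if the policy had been fetched from IAM.
    allowed, findings = audit_trust_policy(json.loads(json.dumps(policy)))
    print("allowed external IDs:", sorted(allowed))
    print("findings:", findings or "none")
```

The audit treats a missing `sts:ExternalId` condition as a finding rather than as "allow everyone", since a statement without that pin lets any workflow routed through the listed principal assume the role regardless of which GitHub account it came from.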