Open
Description
Given that bitops is git-centric, for GitHub-hosted repos, I think we should introduce support for web identity token authentication.
AWS supports authentication via GitHub Actions. An example workflow step to get credentials:
```yaml
- name: Configure AWS credentials
  uses: aws-actions/configure-aws-credentials@v4
  with:
    # We're using a Web Identity Token to assume the role.
    # The identity is provided by GitHub and the given role allows access to required resources
    role-to-assume: arn:aws:iam::xxxxxxxx:role/github-ci-xyz
    aws-region: us-east-1
```
The role can be created to authorize a specific GitHub organization or repo, and then it can be assumed like that. It's not really a big deal to store secrets, especially if they are restricted to the deployment's specific purpose only, but web identity tokens are the current best practice for authentication via Actions, hence something we may want to look at!
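The scoping of the role to one organization or repo lives in the role's trust policy, in the `sub` and `aud` conditions on GitHub's OIDC provider. The following is an added example, not part of the issue or of bitops: a constructed trust policy and a small check that it is scoped. The account id `111122223333`, `example-org`, `example-repo` and the function names are assumptions.

```python
import json

ISSUER = "token.actions.githubusercontent.com"  # GitHub's OIDC issuer host

# Constructed sample: account id, org and repo names are placeholders.
TRUST_POLICY = json.loads("""
{"Version": "2012-10-17",
 "Statement": [{
    "Effect": "Allow",
    "Principal": {"Federated":
      "arn:aws:iam::111122223333:oidc-provider/token.actions.githubusercontent.com"},
    "Action": "sts:AssumeRoleWithWebIdentity",
    "Condition": {
      "StringEquals": {"token.actions.githubusercontent.com:aud": "sts.amazonaws.com"},
      "StringLike": {"token.actions.githubusercontent.com:sub":
                     "repo:example-org/example-repo:*"}
    }
 }]}
""")

def _as_list(x):
    return x if isinstance(x, list) else [x]

def _cond_values(cond, key):
    # Values set for a condition key under StringEquals / StringLike.
    found = []
    for op in ("StringEquals", "StringLike"):
        for k, v in cond.get(op, {}).items():
            if k.lower() == key.lower():
                found += _as_list(v)
    return found

def audit(policy, allowed_prefix):
    """Return findings for Allow statements that trust GitHub's OIDC provider."""
    findings = []
    for st in _as_list(policy["Statement"]):
        p = st.get("Principal")
        fed = _as_list(p.get("Federated", [])) if isinstance(p, dict) else []
        if st.get("Effect") != "Allow" or not any(f.endswith("/" + ISSUER) for f in fed):
            continue
        cond = st.get("Condition", {})
        if _cond_values(cond, ISSUER + ":aud") != ["sts.amazonaws.com"]:
            findings.append("aud is not pinned to sts.amazonaws.com")
        subs = _cond_values(cond, ISSUER + ":sub")
        if not subs:
            findings.append("no sub condition: any GitHub repository can assume the role")
        findings += ["sub %r is outside %r" % (s, allowed_prefix)
                     for s in subs if not s.startswith(allowed_prefix)]
    return findings
```

`audit(TRUST_POLICY, "repo:example-org/")` returns an empty list for the scoped policy. The workflow job also needs `permissions: id-token: write` so that GitHub issues the token.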