aws-oidc
Comprehensive instructions for building secure, compliant Docker containers within Optum using golden images, SaaS Artifactory authentication, and enterprise best practices.
IDE: claude, codex, vscode
Version: 0.0.0
Once OIDC federation is configured in AWS using the aws-oidc.chatmode.md instructions, the following example workflows can be used to authenticate to AWS from GitHub Actions CI/CD.
Basic Workflow Example

```yaml
name: Deploy to AWS

on:
  push:
    branches:
      - main

# id-token: write lets the job request an OIDC token; contents: read is all checkout needs
permissions:
  id-token: write
  contents: read

jobs:
  deploy:
    runs-on: uhg-runner
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: arn:aws:iam::<AWS_ACCOUNT_ID>:role/<ROLE_NAME>
          role-session-name: GitHubOIDCSession
          aws-region: us-east-1

      - name: Verify authentication
        run: |
          aws sts get-caller-identity
          aws s3api list-buckets --query 'Buckets[].Name'
```
Advanced Workflow with Multiple Environments

```yaml
name: Multi-Environment Deployment

on:
  push:
    branches:
      - main
      - develop
  # the prod gate below requires a manual run, so the trigger has to exist
  workflow_dispatch:

permissions:
  id-token: write
  contents: read

jobs:
  deploy:
    runs-on: uhg-runner
    strategy:
      matrix:
        environment: [dev, staging, prod]
        include:
          - environment: dev
            aws-role: arn:aws:iam::123456789012:role/github-action-role-dev
          - environment: staging
            aws-role: arn:aws:iam::123456789012:role/github-action-role-staging
          - environment: prod
            aws-role: arn:aws:iam::987654321098:role/github-action-role-prod
    environment: ${{ matrix.environment }}
    # The matrix context is not available in a job-level `if`, and a condition
    # stored as a matrix string is never evaluated as an expression (a non-empty
    # string is always truthy), so the branch/event gate is evaluated once here
    # and checked on the steps that must not run for the wrong ref.
    env:
      DEPLOY: ${{ (matrix.environment == 'dev' && github.ref == 'refs/heads/develop') ||
                  (matrix.environment == 'staging' && github.ref == 'refs/heads/main') ||
                  (matrix.environment == 'prod' && github.ref == 'refs/heads/main' && github.event_name == 'workflow_dispatch') }}
    steps:
      - uses: actions/checkout@v4

      - name: Configure AWS credentials
        if: env.DEPLOY == 'true'
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: ${{ matrix.aws-role }}
          role-session-name: GitHubOIDCSession-${{ matrix.environment }}
          aws-region: us-east-1

      - name: Deploy to ${{ matrix.environment }}
        if: env.DEPLOY == 'true'
        run: |
          echo "Deploying to ${{ matrix.environment }}"
          aws sts get-caller-identity
```
Integration with Optum Artifactory

```yaml
name: Build, Scan, and Deploy

on:
  push:
    branches: [main]

permissions:
  actions: read
  contents: write
  pull-requests: write
  security-events: write
  checks: write
  id-token: write

jobs:
  build-and-deploy:
    runs-on: [uhg-runner]
    steps:
      - uses: actions/checkout@v4

      # Configure Artifactory (the floating @latest ref is shown here; a pinned tag or SHA is the safer choice)
      - name: Configure Artifactory Connection
        id: artifactory-setup
        uses: uhg-pipelines/epl-jf/configure-saas-connection@latest
        with:
          jfrog-project-key: your-project-key
          npm-setup: true

      # Build and publish to Artifactory
      - name: Build and Scan
        uses: optum-eeps/epl-actions/node-build-scan@v1
        with:
          jfrog-project-key: your-project-key
          jfrog-build-name: ${{ steps.artifactory-setup.outputs.jfrog-build-name }}
          jfrog-build-number: ${{ steps.artifactory-setup.outputs.jfrog-build-number }}
          npm-publish: true

      # Configure AWS credentials (the role ARN is kept in a repository secret)
      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: ${{ secrets.AWS_ROLE_ARN }}
          role-session-name: GitHubOIDCSession
          aws-region: us-east-1

      # Deploy to AWS
      - name: Deploy to AWS
        run: |
          aws s3 sync ./dist s3://${{ secrets.S3_BUCKET }}/
          aws cloudfront create-invalidation --distribution-id ${{ secrets.CLOUDFRONT_ID }} --paths "/*"
```
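Every workflow above hands a role ARN to configure-aws-credentials, and only that role's IAM trust policy decides which GitHub OIDC tokens may assume it. The checker below is an added example, not code from the original page or from the aws-oidc project: it flags a trust policy whose aud or sub condition is missing or too broad. The two policies, the example-org/example-repo name and the account id are constructed sample values.

```python
import json

GITHUB_OIDC = "token.actions.githubusercontent.com"
ASSUME = "sts:AssumeRoleWithWebIdentity"

def _as_list(value):
    """IAM allows a condition value to be a string or a list; normalise to a list."""
    return [] if value is None else value if isinstance(value, list) else [value]

def check_trust_policy(policy: dict, expected_repo: str) -> list:
    """Findings for each Allow statement granting AssumeRoleWithWebIdentity;
    an empty list means aud is pinned to sts.amazonaws.com and every sub is
    scoped to expected_repo ('org/repo'), so other repositories' tokens fail."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or ASSUME not in _as_list(stmt.get("Action")):
            continue
        cond = stmt.get("Condition", {})
        eq, like = cond.get("StringEquals", {}), cond.get("StringLike", {})
        if _as_list(eq.get(f"{GITHUB_OIDC}:aud")) != ["sts.amazonaws.com"]:
            findings.append("aud is not pinned to sts.amazonaws.com")
        subs = _as_list(eq.get(f"{GITHUB_OIDC}:sub")) + _as_list(like.get(f"{GITHUB_OIDC}:sub"))
        if not subs:
            findings.append("no sub condition: any GitHub repository could assume this role")
        for sub in subs:
            if not sub.startswith(f"repo:{expected_repo}:"):
                findings.append(f"sub {sub!r} is not scoped to {expected_repo}")
            elif sub.endswith(":*"):
                findings.append(f"sub {sub!r} accepts every ref; pin a branch or environment")
    return findings

# Constructed sample: the trust policy the basic workflow on this page needs.
GOOD_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"Federated": f"arn:aws:iam::123456789012:oidc-provider/{GITHUB_OIDC}"},
    "Action": ASSUME,
    "Condition": {"StringEquals": {
        f"{GITHUB_OIDC}:aud": "sts.amazonaws.com",
        f"{GITHUB_OIDC}:sub": "repo:example-org/example-repo:ref:refs/heads/main"}},
}]}
# Constructed sample: a common mistake, sub wildcarded to every repository and no aud check.
LOOSE_POLICY = json.loads(json.dumps(GOOD_POLICY))
LOOSE_POLICY["Statement"][0]["Condition"] = {"StringLike": {f"{GITHUB_OIDC}:sub": "repo:*"}}

if __name__ == "__main__":
    for name, pol in (("good", GOOD_POLICY), ("loose", LOOSE_POLICY)):
        print(name, check_trust_policy(pol, "example-org/example-repo") or "ok")
```

Run it against the output of `aws iam get-role` for the role named in `role-to-assume` before wiring the workflow to it.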