feat: OIDC support for build and push docker image workflow (#186)

seyhello · web-flow · commit 3ad73aa3925c · 2025-05-13T13:05:04.000+02:00
* feat: OIDC support for build and push docker image workflow
* fix: remove duplicates
diff --git a/.github/workflows/build_docker_image_and_push_to_ecr.yaml b/.github/workflows/build_docker_image_and_push_to_ecr.yaml
@@ -3,6 +3,26 @@ name: build docker image and push it to ECR
 on:
   workflow_call:
     inputs:
+      useOIDC:
+        description: Whether to use OIDC for assume role
+        required: false
+        type: boolean
+        default: false
+      githubOIDCRoleArn:
+        description: Github OIDC role ARN
+        required: false
+        type: string
+        default: ""
+      awsRegion:
+        description: AWS region
+        required: false
+        type: string
+        default: us-east-1
+      awsSessionDuration:
+        description: AWS session duration
+        required: false
+        type: number
+        default: 3600
       imageTag:
         description: Tag given to container image
         required: true
@@ -20,11 +40,6 @@ on:
         required: false
         type: string
         default: ./deploy/Dockerfile
-      awsRegion:
-        description: AWS region
-        required: false
-        type: string
-        default: us-east-1
       slackChannelId:
         description: Slack Channel ID
         required: false
@@ -63,10 +78,10 @@ on:
     secrets:
       awsAccessKeyId:
         description: AWS access key ID
-        required: true
+        required: false
       awsSecretAccessKey:
         description: AWS secret access key
-        required: true
+        required: false
       slackToken:
         description: Slack API token
         required: false
@@ -154,7 +169,26 @@ jobs:
       - name: setup Docker Buildx
         uses: docker/setup-buildx-action@v3
 
+      # Assume OIDC Role, the trust relationship between GitHub and AWS is defined in IAM in the organization account.
+      - name: assume OIDC Role
+        if: inputs.useOIDC == true
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          aws-region: ${{ inputs.awsRegion }}
+          role-to-assume: ${{ inputs.githubOIDCRoleArn }}
+          role-duration-seconds: ${{ inputs.awsSessionDuration }}
+
+          # This parameter is needed otherwise this action is trying to tag session
+          # which does not work for cross-account assume
+          role-skip-session-tagging: true
+
+      - name: login to AWS ECR using OIDC
+        if: inputs.useOIDC == true
+        id: login-ecr
+        uses: aws-actions/amazon-ecr-login@v2
+
       - name: login to AWS ECR
+        if: inputs.useOIDC == false
         uses: docker/login-action@v3
         with:
           registry: ${{ inputs.registry }}
