\u0625\u0630\u0627 \u0643\u0627\u0646\u062a \u0633\u064a\u0631 \u0639\u0645\u0644 GitHub Actions \u0627\u0644\u062e\u0627\u0635\u0629 \u0628\u0643 \u062a\u062a\u0635\u0644 \u0628\u0640 AWS \u0628\u0627\u0633\u062a\u062e\u062f\u0627\u0645 \u064a\u0642\u0636\u064a \u0627\u062a\u062d\u0627\u062f OpenID Connect (OIDC) \u0639\u0644\u0649 \u0647\u0630\u0627 \u0627\u0644\u062e\u0637\u0631 \u062a\u0645\u0627\u0645\u0627\u064b. \u0628\u062f\u0644\u0627\u064b \u0645\u0646 \u062a\u062e\u0632\u064a\u0646 \u0628\u064a\u0627\u0646\u0627\u062a \u0627\u0639\u062a\u0645\u0627\u062f AWS \u0627\u0644\u062b\u0627\u0628\u062a\u0629 \u0641\u064a GitHub\u060c \u064a\u0637\u0644\u0628 \u0633\u064a\u0631 \u0627\u0644\u0639\u0645\u0644 \u0627\u0644\u062e\u0627\u0635 \u0628\u0643 \u0631\u0645\u0632 OIDC \u0642\u0635\u064a\u0631 \u0627\u0644\u0623\u0645\u062f \u0645\u0646 \u0645\u0632\u0648\u062f \u0647\u0648\u064a\u0629 GitHub. \u062a\u062a\u062d\u0642\u0642 AWS \u0645\u0646 \u0635\u062d\u0629 \u0647\u0630\u0627 \u0627\u0644\u0631\u0645\u0632\u060c \u0648\u062a\u062a\u062d\u0642\u0642 \u0645\u0646 \u0627\u0644\u0645\u0637\u0627\u0644\u0628\u0627\u062a (\u0627\u0644\u0645\u0633\u062a\u0648\u062f\u0639\u060c \u0627\u0644\u0641\u0631\u0639\u060c \u0627\u0644\u0628\u064a\u0626\u0629)\u060c \u0648\u062a\u0635\u062f\u0631 \u0628\u064a\u0627\u0646\u0627\u062a \u0627\u0639\u062a\u0645\u0627\u062f \u0645\u0624\u0642\u062a\u0629 \u062a\u0646\u062a\u0647\u064a \u0635\u0644\u0627\u062d\u064a\u062a\u0647\u0627 \u0641\u064a \u062f\u0642\u0627\u0626\u0642. \u0644\u0627 \u064a\u062a\u0645 \u062a\u062e\u0632\u064a\u0646 \u0623\u064a \u0623\u0633\u0631\u0627\u0631 \u0641\u064a \u0623\u064a \u0645\u0643\u0627\u0646 \u2014 \u064a\u062a\u0645 \u0625\u0646\u0634\u0627\u0621 \u0639\u0644\u0627\u0642\u0629 \u0627\u0644\u062b\u0642\u0629 \u0628\u064a\u0646 \u0645\u0632\u0648\u062f OIDC \u0627\u0644\u062e\u0627\u0635 \u0628\u0640 GitHub \u0648\u062f\u0648\u0631 IAM \u0641\u064a AWS \u0627\u0644\u062e\u0627\u0635 \u0628\u0643.<\/p>\n \u0641\u064a \u0647\u0630\u0627 \u0627\u0644\u0645\u062e\u062a\u0628\u0631 \u0627\u0644\u0639\u0645\u0644\u064a\u060c \u0633\u062a\u0642\u0648\u0645 \u0628\u0640:<\/p>\n \u0628\u0646\u0647\u0627\u064a\u0629 \u0647\u0630\u0627 \u0627\u0644\u0645\u062e\u062a\u0628\u0631\u060c \u0633\u064a\u0643\u0648\u0646 \u062e\u0637 \u0623\u0646\u0627\u0628\u064a\u0628 CI\/CD \u0627\u0644\u062e\u0627\u0635 \u0628\u0643 \u062e\u0627\u0644\u064a\u0627\u064b \u062a\u0645\u0627\u0645\u0627\u064b \u0645\u0646 \u0628\u064a\u0627\u0646\u0627\u062a \u0627\u0639\u062a\u0645\u0627\u062f AWS \u0627\u0644\u0645\u062e\u0632\u0646\u0629\u060c \u0648\u0633\u064a\u0643\u0648\u0646 \u0643\u0644 \u062d\u062f\u062b \u0645\u0635\u0627\u062f\u0642\u0629 \u0642\u0627\u0628\u0644\u0627\u064b \u0644\u0644\u062a\u062a\u0628\u0639 \u0625\u0644\u0649 \u0645\u0633\u062a\u0648\u062f\u0639 \u0648\u0641\u0631\u0639 \u0648 commit \u0648\u062a\u0634\u063a\u064a\u0644 \u0633\u064a\u0631 \u0639\u0645\u0644 \u0645\u062d\u062f\u062f\u064a\u0646.<\/p>\n \u0642\u0628\u0644 \u0627\u0644\u0628\u062f\u0621 \u0641\u064a \u0647\u0630\u0627 \u0627\u0644\u0645\u062e\u062a\u0628\u0631\u060c \u062a\u0623\u0643\u062f \u0645\u0646 \u062a\u0648\u0641\u0631 \u0645\u0627 \u064a\u0644\u064a:<\/p>\n \u0627\u0644\u0648\u0642\u062a \u0627\u0644\u0645\u0642\u062f\u0631: 60\u201390 \u062f\u0642\u064a\u0642\u0629<\/strong><\/p>\n \u0642\u0628\u0644 \u062a\u0646\u0641\u064a\u0630 OIDC\u060c \u0644\u0646\u0642\u0645 \u0628\u0625\u0646\u0634\u0627\u0621 \u0627\u0644\u0646\u0645\u0637 \u063a\u064a\u0631 \u0627\u0644\u0622\u0645\u0646 \u0627\u0644\u0630\u064a \u0633\u062a\u0633\u062a\u0628\u062f\u0644\u0647. \u0647\u0630\u0627 \u064a\u062c\u0639\u0644 \u0627\u0644\u062a\u062d\u0633\u064a\u0646 \u0627\u0644\u0623\u0645\u0646\u064a \u0645\u0644\u0645\u0648\u0633\u0627\u064b \u0648\u064a\u0645\u0646\u062d\u0643 \u0633\u064a\u0631 \u0639\u0645\u0644 \u0639\u0627\u0645\u0644 \u0644\u0644\u062a\u0631\u062d\u064a\u0644 \u0645\u0646\u0647.<\/p>\n \u0623\u0646\u0634\u0626 \u0645\u0633\u062a\u0648\u062f\u0639 GitHub \u062c\u062f\u064a\u062f \u064a\u064f\u0633\u0645\u0649 \u0625\u0630\u0627 \u0643\u0627\u0646 \u0644\u062f\u064a\u0643 \u0645\u0633\u062a\u062e\u062f\u0645 IAM \u062d\u0627\u0644\u064a \u0645\u0639 \u0648\u0635\u0648\u0644 \u0628\u0631\u0645\u062c\u064a\u060c \u0642\u0645 \u0628\u062a\u062e\u0632\u064a\u0646 \u0628\u064a\u0627\u0646\u0627\u062a \u0627\u0639\u062a\u0645\u0627\u062f\u0647 \u0643\u0623\u0633\u0631\u0627\u0631 GitHub:<\/p>\n \u0644\u0645\u0627\u0630\u0627 \u0647\u0630\u0627 \u062e\u0637\u064a\u0631:<\/strong><\/p>\n \u0623\u0646\u0634\u0626 \u0642\u0645 \u0628\u0639\u0645\u0644 commit \u0648\u062f\u0641\u0639 \u0633\u064a\u0631 \u0627\u0644\u0639\u0645\u0644 \u0647\u0630\u0627. \u062a\u0623\u0643\u062f \u0645\u0646 \u0623\u0646\u0647 \u064a\u0639\u0645\u0644 \u0628\u0646\u062c\u0627\u062d \u2014 \u0647\u0630\u0627 \u0647\u0648 \u0627\u0644\u0623\u0633\u0627\u0633 \u0627\u0644\u0630\u064a \u0633\u062a\u0633\u062a\u0628\u062f\u0644\u0647 \u0628\u0640 OIDC.<\/p>\n \u0627\u0644\u062e\u0637\u0648\u0629 \u0627\u0644\u0623\u0648\u0644\u0649 \u0641\u064a \u0627\u062a\u062d\u0627\u062f OIDC \u0647\u064a \u0625\u062e\u0628\u0627\u0631 AWS \u0628\u0627\u0644\u062b\u0642\u0629 \u0641\u064a \u0645\u0632\u0648\u062f \u0647\u0648\u064a\u0629 GitHub. \u0647\u0630\u0627 \u0625\u0639\u062f\u0627\u062f \u064a\u062a\u0645 \u0645\u0631\u0629 \u0648\u0627\u062d\u062f\u0629 \u0644\u0643\u0644 \u062d\u0633\u0627\u0628 AWS.<\/p>\n \u0645\u0644\u0627\u062d\u0638\u0629:<\/strong> \u062a\u062a\u062d\u0642\u0642 AWS \u0627\u0644\u0622\u0646 \u062a\u0644\u0642\u0627\u0626\u064a\u0627\u064b \u0645\u0646 \u0628\u0635\u0645\u0629 \u0645\u0632\u0648\u062f OIDC \u0627\u0644\u062e\u0627\u0635 \u0628\u0640 GitHub. \u0642\u064a\u0645\u0629 \u0627\u0644\u0628\u0635\u0645\u0629 \u0641\u064a \u0645\u0648\u0631\u062f Terraform \u0645\u0637\u0644\u0648\u0628\u0629 \u0645\u0646 \u0642\u0628\u0644 API \u0644\u0643\u0646 AWS \u0633\u062a\u062a\u062d\u0642\u0642 \u0645\u0646 \u0633\u0644\u0633\u0644\u0629 \u0627\u0644\u0634\u0647\u0627\u062f\u0627\u062a \u0628\u063a\u0636 \u0627\u0644\u0646\u0638\u0631 \u0639\u0646 \u0627\u0644\u0642\u064a\u0645\u0629 \u0627\u0644\u0645\u0642\u062f\u0645\u0629.<\/p>\n \u062a\u0623\u0643\u062f \u0645\u0646 \u0625\u0646\u0634\u0627\u0621 \u0627\u0644\u0645\u0632\u0648\u062f:<\/p>\n \u064a\u062c\u0628 \u0623\u0646 \u062a\u0631\u0649 ARN \u0645\u062b\u0644:<\/p>\n \u0627\u0644\u0622\u0646 \u0623\u0646\u0634\u0626 \u062f\u0648\u0631 IAM \u064a\u0645\u0643\u0646 \u0644\u0640 GitHub Actions \u062a\u0648\u0644\u0651\u064a\u0647 \u0639\u0628\u0631 OIDC. \u0633\u064a\u0627\u0633\u0629 \u0627\u0644\u062b\u0642\u0629 \u0647\u064a \u0627\u0644\u062c\u0632\u0621 \u0627\u0644\u0623\u0647\u0645 \u2014 \u0641\u0647\u064a \u062a\u062d\u062f\u062f \u0628\u0627\u0644\u0636\u0628\u0637 \u0623\u064a \u0627\u0644\u0645\u0633\u062a\u0648\u062f\u0639\u0627\u062a \u0648\u0627\u0644\u0641\u0631\u0648\u0639 \u0648\u0627\u0644\u0628\u064a\u0626\u0627\u062a \u064a\u0645\u0643\u0646\u0647\u0627 \u062a\u0648\u0644\u0651\u064a \u0647\u0630\u0627 \u0627\u0644\u062f\u0648\u0631.<\/p>\n \u0627\u062d\u0641\u0638 \u0645\u0627 \u064a\u0644\u064a \u0643\u0640 \u0627\u062a\u0628\u0639 \u0645\u0628\u062f\u0623 \u0627\u0644\u062d\u062f \u0627\u0644\u0623\u062f\u0646\u0649 \u0645\u0646 \u0627\u0644\u0627\u0645\u062a\u064a\u0627\u0632\u0627\u062a. \u0644\u0647\u0630\u0627 \u0627\u0644\u0645\u062e\u062a\u0628\u0631\u060c \u0623\u0631\u0641\u0642 \u0633\u064a\u0627\u0633\u0629 \u062a\u0645\u0646\u062d \u0648\u0635\u0648\u0644 \u0642\u0631\u0627\u0621\u0629 \u0641\u0642\u0637 \u0625\u0644\u0649 \u062d\u0627\u0648\u064a\u0629 S3 \u0645\u062d\u062f\u062f\u0629:<\/p>\n \u0627\u0644\u0622\u0646 \u0627\u0633\u062a\u0628\u062f\u0644 \u0633\u064a\u0631 \u0639\u0645\u0644 \u0628\u064a\u0627\u0646\u0627\u062a \u0627\u0644\u0627\u0639\u062a\u0645\u0627\u062f \u0627\u0644\u062b\u0627\u0628\u062a\u0629 \u0628\u0645\u0635\u0627\u062f\u0642\u0629 OIDC. \u0647\u0630\u0647 \u0647\u064a \u062e\u0637\u0648\u0629 \u0627\u0644\u062a\u0631\u062d\u064a\u0644 \u0627\u0644\u0623\u0633\u0627\u0633\u064a\u0629.<\/p>\n \u0627\u0633\u062a\u0628\u062f\u0644 \u0645\u062d\u062a\u0648\u064a\u0627\u062a \u0627\u0646\u062a\u0642\u0644 \u0625\u0644\u0649 \u062a\u0628\u0648\u064a\u0628 Actions<\/strong> \u0641\u064a \u0645\u0633\u062a\u0648\u062f\u0639 GitHub \u0627\u0644\u062e\u0627\u0635 \u0628\u0643. \u064a\u062c\u0628 \u0623\u0646 \u062a\u0631\u0649 \u0633\u064a\u0631 \u0627\u0644\u0639\u0645\u0644 \u0642\u064a\u062f \u0627\u0644\u062a\u0634\u063a\u064a\u0644. \u0641\u064a \u062e\u0637\u0648\u0629 “Verify Identity”\u060c \u0633\u064a\u0628\u062f\u0648 \u0627\u0644\u0625\u062e\u0631\u0627\u062c \u0643\u0627\u0644\u062a\u0627\u0644\u064a:<\/p>\n \u0644\u0627\u062d\u0638 \u0623\u0646 ARN \u064a\u064f\u0638\u0647\u0631 \u0645\u0637\u0627\u0644\u0628\u0629 \u0647\u0630\u0627 \u0647\u0648 \u0627\u0644\u0625\u0639\u062f\u0627\u062f \u0645\u0646 \u0627\u0644\u062a\u0645\u0631\u064a\u0646 2. \u0641\u0642\u0637 \u0633\u064a\u0631 \u0627\u0644\u0639\u0645\u0644 \u0627\u0644\u0645\u064f\u0637\u0644\u0642 \u0628\u062f\u0641\u0639 \u0625\u0644\u0649 \u062a\u0648\u0641\u0631 GitHub Environments \u0637\u0628\u0642\u0629 \u0625\u0636\u0627\u0641\u064a\u0629 \u0645\u0646 \u0627\u0644\u062a\u062d\u0643\u0645 \u0641\u064a \u0627\u0644\u0648\u0635\u0648\u0644. \u0639\u0646\u062f\u0645\u0627 \u062a\u062d\u062f\u062f \u0648\u0638\u064a\u0641\u0629 \u0645\u0627 \u0627\u0644\u0633\u0645\u0627\u062d \u0641\u0642\u0637 \u0644\u0644\u0625\u0635\u062f\u0627\u0631\u0627\u062a \u0627\u0644\u0645\u064f\u0639\u0644\u0651\u0645\u0629 (\u0645\u062b\u0644 \u0623\u0646\u0634\u0626 \u0641\u0631\u0639 \u0645\u064a\u0632\u0629 \u0648\u0627\u062f\u0641\u0639 \u062a\u0634\u063a\u064a\u0644 \u0633\u064a\u0631 \u0639\u0645\u0644:<\/p>\n \u0625\u0630\u0627 \u0643\u0627\u0646\u062a \u0633\u064a\u0627\u0633\u0629 \u0627\u0644\u062b\u0642\u0629 \u0627\u0644\u062e\u0627\u0635\u0629 \u0628\u0643 \u062a\u0642\u064a\u0651\u062f \u0625\u0644\u0649 \u0627\u0644\u0622\u0646 \u0627\u062f\u0641\u0639 \u0646\u0641\u0633 \u0627\u0644\u062a\u063a\u064a\u064a\u0631 \u0625\u0644\u0649 \u0633\u064a\u0631 \u0627\u0644\u0639\u0645\u0644 \u0639\u0644\u0649 \u064a\u062c\u0628 \u0623\u0646 \u064a\u0643\u0648\u0646 \u0644\u0639\u0645\u0644\u064a\u0627\u062a \u0646\u0634\u0631 \u0627\u0644\u0625\u0646\u062a\u0627\u062c \u0636\u0648\u0627\u0628\u0637 \u0623\u0643\u062b\u0631 \u0635\u0631\u0627\u0645\u0629 \u0645\u0646 \u0628\u064a\u0626\u0629 \u0627\u0644\u062a\u062c\u0647\u064a\u0632. \u0641\u064a \u0647\u0630\u0627 \u0627\u0644\u062a\u0645\u0631\u064a\u0646\u060c \u062a\u0646\u0634\u0626 \u0623\u062f\u0648\u0627\u0631 IAM \u0645\u0646\u0641\u0635\u0644\u0629 \u0644\u0643\u0644 \u0628\u064a\u0626\u0629\u060c \u0645\u0639 \u0633\u064a\u0627\u0633\u0627\u062a \u062b\u0642\u0629 \u0648\u0635\u0644\u0627\u062d\u064a\u0627\u062a \u0645\u062e\u062a\u0644\u0641\u0629.<\/p>\n \u0641\u064a \u0645\u0633\u062a\u0648\u062f\u0639\u0643\u060c \u0627\u0646\u062a\u0642\u0644 \u0625\u0644\u0649 Settings<\/strong> \u2190 Environments<\/strong>:<\/p>\n \u062f\u0648\u0631 \u0627\u0644\u062a\u062c\u0647\u064a\u0632 \u064a\u062b\u0642 \u0628\u062c\u0645\u064a\u0639 \u0627\u0644\u0641\u0631\u0648\u0639 \u0641\u064a \u0627\u0644\u0645\u0633\u062a\u0648\u062f\u0639:<\/p>\n \u062f\u0648\u0631 \u0627\u0644\u0625\u0646\u062a\u0627\u062c \u064a\u062b\u0642 \u0641\u0642\u0637 \u0628\u0628\u064a\u0626\u0629 \u0623\u0646\u0634\u0626 \u0633\u064a\u0631 \u0639\u0645\u0644 \u064a\u0646\u0634\u0631 \u0625\u0644\u0649 \u0627\u0644\u062a\u062c\u0647\u064a\u0632 \u062a\u0644\u0642\u0627\u0626\u064a\u0627\u064b \u0648\u0625\u0644\u0649 \u0627\u0644\u0625\u0646\u062a\u0627\u062c \u0628\u0645\u0648\u0627\u0641\u0642\u0629 \u064a\u062f\u0648\u064a\u0629:<\/p>\n \u0639\u0646\u062f \u062a\u0634\u063a\u064a\u0644 \u0633\u064a\u0631 \u0627\u0644\u0639\u0645\u0644 \u0647\u0630\u0627:<\/p>\n \u062a\u0633\u062a\u062e\u062f\u0645 \u0633\u064a\u0627\u0633\u0629 \u062b\u0642\u0629 \u062f\u0648\u0631 \u0627\u0644\u0625\u0646\u062a\u0627\u062c \u062a\u0646\u0634\u0626 \u0645\u0635\u0627\u062f\u0642\u0629 OIDC \u0645\u0633\u0627\u0631\u0627\u062a \u062a\u062f\u0642\u064a\u0642 \u0645\u0641\u0635\u0644\u0629 \u0641\u064a AWS CloudTrail. \u064a\u062a\u0645 \u062a\u0633\u062c\u064a\u0644 \u0643\u0644 \u0627\u0633\u062a\u062f\u0639\u0627\u0621 \u064a\u062d\u062a\u0648\u064a \u062d\u062f\u062b \u0644\u0627\u062d\u0638 \u063a\u0646\u0649 \u0645\u0633\u0627\u0631 \u0627\u0644\u062a\u062f\u0642\u064a\u0642 \u0647\u0630\u0627: \u064a\u0645\u0643\u0646\u0643 \u0631\u0624\u064a\u0629 \u0627\u0644\u0645\u0633\u062a\u0648\u062f\u0639 \u0648\u0627\u0644\u0641\u0631\u0639 \u0648 commit SHA \u0648\u0645\u0633\u062a\u062e\u062f\u0645 GitHub \u0627\u0644\u0630\u064a \u0623\u0637\u0644\u0642 \u0633\u064a\u0631 \u0627\u0644\u0639\u0645\u0644 \u0648\u0627\u0633\u0645 \u0633\u064a\u0631 \u0627\u0644\u0639\u0645\u0644 \u0628\u0627\u0644\u0636\u0628\u0637. \u0647\u0630\u0627 \u0623\u0643\u062b\u0631 \u062a\u0641\u0635\u064a\u0644\u0627\u064b \u0628\u0643\u062b\u064a\u0631 \u0645\u0645\u0627 \u062a\u062d\u0635\u0644 \u0639\u0644\u064a\u0647 \u0645\u0639 \u0628\u064a\u0627\u0646\u0627\u062a \u0627\u0639\u062a\u0645\u0627\u062f \u0645\u0633\u062a\u062e\u062f\u0645 IAM \u0627\u0644\u062b\u0627\u0628\u062a\u0629.<\/p>\n \u0642\u062f \u062a\u0634\u064a\u0631 \u0627\u0633\u062a\u062f\u0639\u0627\u0621\u0627\u062a \u0627\u0633\u062a\u062e\u062f\u0645 CloudTrail Lake \u0623\u0648 Athena \u0644\u0644\u0627\u0633\u062a\u0639\u0644\u0627\u0645 \u0639\u0646 \u0623\u0646\u0645\u0627\u0637 \u0627\u0644\u0648\u0635\u0648\u0644 \u0627\u0644\u062a\u0627\u0631\u064a\u062e\u064a\u0629:<\/p>\n \u0647\u0630\u0627 \u064a\u0639\u0637\u064a\u0643 \u0639\u062f\u062f \u062a\u0643\u0631\u0627\u0631 \u0627\u0644\u0645\u0633\u062a\u0648\u062f\u0639\u0627\u062a \u0648\u0627\u0644\u0641\u0631\u0648\u0639 \u0627\u0644\u062a\u064a \u062a\u0645\u062a \u0645\u0635\u0627\u062f\u0642\u062a\u0647\u0627 \u0639\u0628\u0631 OIDC \u2014 \u0636\u0631\u0648\u0631\u064a \u0644\u0645\u0631\u0627\u062c\u0639\u0627\u062a \u0627\u0644\u0648\u0635\u0648\u0644 \u0648\u0639\u0645\u0644\u064a\u0627\u062a \u062a\u062f\u0642\u064a\u0642 \u0627\u0644\u0627\u0645\u062a\u062b\u0627\u0644.<\/p>\n \u0647\u0630\u0627 \u0647\u0648 \u0623\u0647\u0645 \u062a\u0645\u0631\u064a\u0646 \u0641\u064a \u0627\u0644\u0645\u062e\u062a\u0628\u0631 \u0628\u0623\u0643\u0645\u0644\u0647. \u0627\u0644\u062a\u0631\u062d\u064a\u0644 \u0645\u0646 \u0628\u064a\u0627\u0646\u0627\u062a \u0627\u0644\u0627\u0639\u062a\u0645\u0627\u062f \u0627\u0644\u062b\u0627\u0628\u062a\u0629 \u0625\u0644\u0649 OIDC \u063a\u064a\u0631 \u0645\u0643\u062a\u0645\u0644 \u2014 \u0648\u0648\u0636\u0639\u0643 \u0627\u0644\u0623\u0645\u0646\u064a \u0644\u0645 \u064a\u062a\u062d\u0633\u0646 \u2014 \u062d\u062a\u0649 \u064a\u062a\u0645 \u0627\u0644\u062a\u062e\u0644\u0635 \u0645\u0646 \u0645\u0641\u0627\u062a\u064a\u062d \u0627\u0644\u0648\u0635\u0648\u0644 \u0627\u0644\u0642\u062f\u064a\u0645\u0629. \u0637\u0627\u0644\u0645\u0627 \u0623\u0646 \u0643\u0644\u062a\u0627 \u0637\u0631\u064a\u0642\u062a\u064a \u0627\u0644\u0645\u0635\u0627\u062f\u0642\u0629 \u0645\u0648\u062c\u0648\u062f\u062a\u0627\u0646\u060c \u064a\u0645\u0643\u0646 \u0644\u0644\u0645\u0647\u0627\u062c\u0645 \u0627\u0633\u062a\u062e\u062f\u0627\u0645 \u0627\u0644\u0645\u0641\u0627\u062a\u064a\u062d \u0627\u0644\u062b\u0627\u0628\u062a\u0629.<\/p>\n \u0627\u062d\u0630\u0641 \u0627\u0644\u0623\u0633\u0631\u0627\u0631 \u0627\u0644\u0642\u062f\u064a\u0645\u0629 \u0645\u0646 \u0645\u0633\u062a\u0648\u062f\u0639 GitHub \u0627\u0644\u062e\u0627\u0635 \u0628\u0643:<\/p>\n \u062a\u062d\u0642\u0642 \u0645\u0646 \u0625\u0632\u0627\u0644\u062a\u0647\u0627:<\/p>\n \u064a\u062c\u0628 \u0623\u0644\u0627 \u062a\u0631\u0649 AWS_ACCESS_KEY_ID<\/code> \u0648 AWS_SECRET_ACCESS_KEY<\/code> \u0627\u0644\u0645\u062e\u0632\u0646\u0629 \u0643\u0623\u0633\u0631\u0627\u0631 \u0641\u064a \u0627\u0644\u0645\u0633\u062a\u0648\u062f\u0639\u060c \u0641\u0623\u0646\u062a \u062a\u0648\u0627\u062c\u0647 \u0645\u0634\u0643\u0644\u0629 \u0623\u0645\u0646\u064a\u0629 \u062e\u0637\u064a\u0631\u0629. \u0647\u0630\u0647 \u0627\u0644\u0628\u064a\u0627\u0646\u0627\u062a \u0637\u0648\u064a\u0644\u0629 \u0627\u0644\u0623\u0645\u062f \u0644\u0627 \u062a\u0646\u062a\u0647\u064a \u0635\u0644\u0627\u062d\u064a\u062a\u0647\u0627 \u0645\u0646 \u062a\u0644\u0642\u0627\u0621 \u0646\u0641\u0633\u0647\u0627\u060c \u0648\u064a\u0645\u0643\u0646 \u0644\u0623\u064a \u062e\u0637\u0648\u0629 \u0641\u064a \u0633\u064a\u0631 \u0627\u0644\u0639\u0645\u0644 \u0627\u0633\u062a\u062e\u0631\u0627\u062c\u0647\u0627 (\u0628\u0645\u0627 \u0641\u064a \u0630\u0644\u0643 \u0627\u0644\u0625\u062c\u0631\u0627\u0621\u0627\u062a \u0645\u0646 \u0623\u0637\u0631\u0627\u0641 \u062b\u0627\u0644\u062b\u0629)\u060c \u0648\u062a\u0645\u0646\u062d \u0627\u0644\u0645\u0647\u0627\u062c\u0645\u064a\u0646 \u0648\u0635\u0648\u0644\u0627\u064b \u062f\u0627\u0626\u0645\u0627\u064b \u0625\u0644\u0649 \u062d\u0633\u0627\u0628 AWS \u0627\u0644\u062e\u0627\u0635 \u0628\u0643 \u0641\u064a \u062d\u0627\u0644 \u0627\u062e\u062a\u0631\u0627\u0642\u0647\u0627.<\/p>\n\n
\u0627\u0644\u0645\u062a\u0637\u0644\u0628\u0627\u062a \u0627\u0644\u0623\u0633\u0627\u0633\u064a\u0629<\/h2>\n
\n
aws --version<\/code> \u0627\u0644\u0625\u0635\u062f\u0627\u0631 2.x)<\/li>\n\u0625\u0639\u062f\u0627\u062f \u0627\u0644\u0628\u064a\u0626\u0629: \u0627\u0644\u0623\u0633\u0627\u0633 \u063a\u064a\u0631 \u0627\u0644\u0622\u0645\u0646<\/h2>\n
\u0627\u0644\u062e\u0637\u0648\u0629 1: \u0625\u0646\u0634\u0627\u0621 \u0645\u0633\u062a\u0648\u062f\u0639 \u0627\u062e\u062a\u0628\u0627\u0631\u064a<\/h3>\n
oidc-lab<\/code>. \u0642\u0645 \u0628\u062a\u0647\u064a\u0626\u062a\u0647 \u0645\u0639 README \u0648\u0627\u0633\u062a\u0646\u0633\u062e\u0647 \u0645\u062d\u0644\u064a\u0627\u064b:<\/p>\ngh repo create oidc-lab --public --clone\ncd oidc-lab<\/code><\/pre>\n\u0627\u0644\u062e\u0637\u0648\u0629 2: \u062a\u062e\u0632\u064a\u0646 \u0628\u064a\u0627\u0646\u0627\u062a \u0627\u0639\u062a\u0645\u0627\u062f AWS \u0643\u0623\u0633\u0631\u0627\u0631 GitHub (\u0627\u0644\u0637\u0631\u064a\u0642\u0629 \u063a\u064a\u0631 \u0627\u0644\u0622\u0645\u0646\u0629)<\/h3>\n
gh secret set AWS_ACCESS_KEY_ID --body \"AKIAIOSFODNN7EXAMPLE\"\ngh secret set AWS_SECRET_ACCESS_KEY --body \"wJalrXUtnFEMI\/K7MDENG\/bPxRfiCYEXAMPLEKEY\"<\/code><\/pre>\n\n
\u0627\u0644\u062e\u0637\u0648\u0629 3: \u0625\u0646\u0634\u0627\u0621 \u0633\u064a\u0631 \u0639\u0645\u0644 \u0627\u0644\u0623\u0633\u0627\u0633 \u063a\u064a\u0631 \u0627\u0644\u0622\u0645\u0646<\/h3>\n
.github\/workflows\/deploy.yml<\/code> \u0645\u0639 \u0628\u064a\u0627\u0646\u0627\u062a \u0627\u0639\u062a\u0645\u0627\u062f \u062b\u0627\u0628\u062a\u0629:<\/p>\nname: Deploy (Insecure - Static Keys)\n\non:\n push:\n branches: [main]\n\njobs:\n deploy:\n runs-on: ubuntu-latest\n steps:\n - name: Checkout\n uses: actions\/checkout@v4\n\n - name: Configure AWS Credentials (INSECURE)\n uses: aws-actions\/configure-aws-credentials@v4\n with:\n aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}\n aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}\n aws-region: us-east-1\n\n - name: Verify Identity\n run: aws sts get-caller-identity\n\n - name: List S3 Buckets\n run: aws s3 ls<\/code><\/pre>\n\u0627\u0644\u062a\u0645\u0631\u064a\u0646 1: \u0625\u0646\u0634\u0627\u0621 \u0645\u0632\u0648\u062f \u0647\u0648\u064a\u0629 OIDC \u0641\u064a AWS<\/h2>\n
\u0627\u0644\u062e\u064a\u0627\u0631 \u0623: AWS Console<\/h3>\n
\n
https:\/\/token.actions.githubusercontent.com<\/code><\/li>\nsts.amazonaws.com<\/code><\/li>\n\u0627\u0644\u062e\u064a\u0627\u0631 \u0628: AWS CLI<\/h3>\n
# Get the thumbprint for GitHub's OIDC provider\n# As of 2024, GitHub's thumbprint is managed by AWS and auto-verified\n# You can retrieve it with:\nTHUMBPRINT=$(openssl s_client -servername token.actions.githubusercontent.com \\\n -showcerts -connect token.actions.githubusercontent.com:443 < \/dev\/null 2>\/dev\/null \\\n | openssl x509 -fingerprint -noout \\\n | cut -d'=' -f2 \\\n | tr -d ':' \\\n | tr '[:upper:]' '[:lower:]')\n\naws iam create-open-id-connect-provider \\\n --url https:\/\/token.actions.githubusercontent.com \\\n --client-id-list sts.amazonaws.com \\\n --thumbprint-list \"$THUMBPRINT\"<\/code><\/pre>\n\u0627\u0644\u062e\u064a\u0627\u0631 \u062c: Terraform<\/h3>\n
resource \"aws_iam_openid_connect_provider\" \"github\" {\n url = \"https:\/\/token.actions.githubusercontent.com\"\n client_id_list = [\"sts.amazonaws.com\"]\n thumbprint_list = [\"6938fd4d98bab03faadb97b34396831e3780aea1\"]\n\n tags = {\n Name = \"GitHub Actions OIDC\"\n Environment = \"shared\"\n ManagedBy = \"terraform\"\n }\n}<\/code><\/pre>\n\u0627\u0644\u062a\u062d\u0642\u0642<\/h3>\n
aws iam list-open-id-connect-providers<\/code><\/pre>\narn:aws:iam::123456789012:oidc-provider\/token.actions.githubusercontent.com<\/code><\/pre>\n\u0627\u0644\u062a\u0645\u0631\u064a\u0646 2: \u0625\u0646\u0634\u0627\u0621 \u062f\u0648\u0631 IAM \u0645\u0639 \u0633\u064a\u0627\u0633\u0629 \u0627\u0644\u062b\u0642\u0629<\/h2>\n
\u0627\u0644\u062e\u0637\u0648\u0629 1: \u0625\u0646\u0634\u0627\u0621 \u0633\u064a\u0627\u0633\u0629 \u0627\u0644\u062b\u0642\u0629<\/h3>\n
trust-policy.json<\/code>. \u0627\u0633\u062a\u0628\u062f\u0644 123456789012<\/code> \u0628\u0645\u0639\u0631\u0641 \u062d\u0633\u0627\u0628 AWS \u0627\u0644\u062e\u0627\u0635 \u0628\u0643\u060c \u0648 myorg\/myrepo<\/code> \u0628\u0645\u0646\u0638\u0645\u0629 GitHub \u0648\u0645\u0633\u062a\u0648\u062f\u0639\u0643:<\/p>\n{\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Effect\": \"Allow\",\n \"Principal\": {\n \"Federated\": \"arn:aws:iam::123456789012:oidc-provider\/token.actions.githubusercontent.com\"\n },\n \"Action\": \"sts:AssumeRoleWithWebIdentity\",\n \"Condition\": {\n \"StringEquals\": {\n \"token.actions.githubusercontent.com:aud\": \"sts.amazonaws.com\"\n },\n \"StringLike\": {\n \"token.actions.githubusercontent.com:sub\": \"repo:myorg\/myrepo:ref:refs\/heads\/main\"\n }\n }\n }\n ]\n}<\/code><\/pre>\n\u0641\u0647\u0645 \u062d\u0642\u0648\u0644 \u0633\u064a\u0627\u0633\u0629 \u0627\u0644\u062b\u0642\u0629<\/h3>\n
\n
Principal.Federated<\/code><\/strong> \u2014 \u0645\u0639\u0631\u0641 ARN \u0644\u0645\u0632\u0648\u062f GitHub OIDC \u0627\u0644\u0630\u064a \u0623\u0646\u0634\u0623\u062a\u0647 \u0641\u064a \u0627\u0644\u062a\u0645\u0631\u064a\u0646 1. \u0647\u0630\u0627 \u064a\u064f\u062e\u0628\u0631 AWS \u0628\u0623\u064a \u0645\u0632\u0648\u062f \u0647\u0648\u064a\u0629 \u064a\u062c\u0628 \u0627\u0644\u0648\u062b\u0648\u0642 \u0628\u0647.<\/li>\nAction: sts:AssumeRoleWithWebIdentity<\/code><\/strong> \u2014 \u0625\u062c\u0631\u0627\u0621 STS \u0627\u0644\u0645\u062d\u062f\u062f \u0644\u0627\u062a\u062d\u0627\u062f OIDC. \u0647\u0630\u0627 \u064a\u062e\u062a\u0644\u0641 \u0639\u0646 sts:AssumeRole<\/code> (\u0627\u0644\u0645\u0633\u062a\u062e\u062f\u0645 \u0644\u0644\u0623\u062f\u0648\u0627\u0631 \u0639\u0628\u0631 \u0627\u0644\u062d\u0633\u0627\u0628\u0627\u062a) \u0623\u0648 sts:AssumeRoleWithSAML<\/code> (\u0627\u0644\u0645\u0633\u062a\u062e\u062f\u0645 \u0644\u0627\u062a\u062d\u0627\u062f SAML).<\/li>\nCondition.StringEquals.aud<\/code><\/strong> \u2014 \u064a\u062a\u062d\u0642\u0642 \u0645\u0646 \u0645\u0637\u0627\u0644\u0628\u0629 \u0627\u0644\u062c\u0645\u0647\u0648\u0631 \u0641\u064a \u0631\u0645\u0632 OIDC. \u064a\u062c\u0628 \u0623\u0646 \u062a\u0643\u0648\u0646 sts.amazonaws.com<\/code> \u0644\u0645\u0637\u0627\u0628\u0642\u0629 \u0645\u0627 \u064a\u0631\u0633\u0644\u0647 \u0625\u062c\u0631\u0627\u0621 configure-aws-credentials<\/code>.<\/li>\nCondition.StringLike.sub<\/code><\/strong> \u2014 \u064a\u062a\u062d\u0642\u0642 \u0645\u0646 \u0645\u0637\u0627\u0644\u0628\u0629 \u0627\u0644\u0645\u0648\u0636\u0648\u0639. \u0647\u0630\u0627 \u0647\u0648 \u0623\u0647\u0645 \u0639\u0646\u0635\u0631 \u062a\u062d\u0643\u0645 \u0623\u0645\u0646\u064a. \u064a\u062d\u062a\u0648\u064a \u0627\u0644\u0645\u0648\u0636\u0648\u0639 \u0639\u0644\u0649 \u0627\u0644\u0645\u0633\u062a\u0648\u062f\u0639 \u0648\u0646\u0648\u0639 \u0627\u0644\u0645\u0631\u062c\u0639 \u0648\u0642\u064a\u0645\u0629 \u0627\u0644\u0645\u0631\u062c\u0639. \u0627\u0633\u062a\u062e\u062f\u0627\u0645 StringLike<\/code> \u0645\u0639 \u0623\u062d\u0631\u0641 \u0627\u0644\u0628\u062f\u0644 \u064a\u0633\u0645\u062d \u0628\u0645\u0637\u0627\u0628\u0642\u0629 \u0645\u0631\u0646\u0629\u060c \u0628\u064a\u0646\u0645\u0627 StringEquals<\/code> \u064a\u062a\u0637\u0644\u0628 \u0645\u0637\u0627\u0628\u0642\u0629 \u062a\u0627\u0645\u0629.<\/li>\n<\/ul>\n\u0627\u0644\u062e\u0637\u0648\u0629 2: \u0625\u0646\u0634\u0627\u0621 \u062f\u0648\u0631 IAM<\/h3>\n
aws iam create-role \\\n --role-name github-actions-deploy \\\n --assume-role-policy-document file:\/\/trust-policy.json \\\n --description \"Role for GitHub Actions OIDC deployment\" \\\n --max-session-duration 3600<\/code><\/pre>\n\u0627\u0644\u062e\u0637\u0648\u0629 3: \u0625\u0631\u0641\u0627\u0642 \u0633\u064a\u0627\u0633\u0629 IAM \u0628\u0627\u0644\u062d\u062f \u0627\u0644\u0623\u062f\u0646\u0649 \u0645\u0646 \u0627\u0644\u0635\u0644\u0627\u062d\u064a\u0627\u062a<\/h3>\n
{\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Effect\": \"Allow\",\n \"Action\": [\n \"s3:GetObject\",\n \"s3:ListBucket\"\n ],\n \"Resource\": [\n \"arn:aws:s3:::my-deployment-bucket\",\n \"arn:aws:s3:::my-deployment-bucket\/*\"\n ]\n }\n ]\n}<\/code><\/pre>\n# Save the above as permissions-policy.json, then:\naws iam put-role-policy \\\n --role-name github-actions-deploy \\\n --policy-name S3ReadAccess \\\n --policy-document file:\/\/permissions-policy.json<\/code><\/pre>\n\u0645\u0639\u0627\u062f\u0644 Terraform<\/h3>\n
data \"aws_iam_policy_document\" \"github_actions_trust\" {\n statement {\n effect = \"Allow\"\n actions = [\"sts:AssumeRoleWithWebIdentity\"]\n\n principals {\n type = \"Federated\"\n identifiers = [aws_iam_openid_connect_provider.github.arn]\n }\n\n condition {\n test = \"StringEquals\"\n variable = \"token.actions.githubusercontent.com:aud\"\n values = [\"sts.amazonaws.com\"]\n }\n\n condition {\n test = \"StringLike\"\n variable = \"token.actions.githubusercontent.com:sub\"\n values = [\"repo:myorg\/myrepo:ref:refs\/heads\/main\"]\n }\n }\n}\n\nresource \"aws_iam_role\" \"github_actions_deploy\" {\n name = \"github-actions-deploy\"\n assume_role_policy = data.aws_iam_policy_document.github_actions_trust.json\n max_session_duration = 3600\n\n tags = {\n Name = \"GitHub Actions Deploy\"\n ManagedBy = \"terraform\"\n }\n}\n\nresource \"aws_iam_role_policy\" \"s3_read\" {\n name = \"S3ReadAccess\"\n role = aws_iam_role.github_actions_deploy.id\n\n policy = jsonencode({\n Version = \"2012-10-17\"\n Statement = [\n {\n Effect = \"Allow\"\n Action = [\n \"s3:GetObject\",\n \"s3:ListBucket\"\n ]\n Resource = [\n \"arn:aws:s3:::my-deployment-bucket\",\n \"arn:aws:s3:::my-deployment-bucket\/*\"\n ]\n }\n ]\n })\n}<\/code><\/pre>\n\u0627\u0644\u062a\u062d\u0642\u0642<\/h3>\n
# Confirm the role exists and has the correct trust policy\naws iam get-role --role-name github-actions-deploy \\\n --query 'Role.AssumeRolePolicyDocument' --output json<\/code><\/pre>\n\u0627\u0644\u062a\u0645\u0631\u064a\u0646 3: \u062a\u062d\u062f\u064a\u062b \u0633\u064a\u0631 \u0639\u0645\u0644 GitHub Actions<\/h2>\n
\u0627\u0644\u062e\u0637\u0648\u0629 1: \u062a\u062d\u062f\u064a\u062b \u0633\u064a\u0631 \u0627\u0644\u0639\u0645\u0644<\/h3>\n
.github\/workflows\/deploy.yml<\/code> \u0628\u0645\u0627 \u064a\u0644\u064a:<\/p>\nname: Deploy (Secure - OIDC)\n\non:\n push:\n branches: [main]\n\npermissions:\n id-token: write # Required for OIDC token request\n contents: read # Required for actions\/checkout\n\njobs:\n deploy:\n runs-on: ubuntu-latest\n steps:\n - name: Checkout\n uses: actions\/checkout@v4\n\n - name: Configure AWS Credentials via OIDC\n uses: aws-actions\/configure-aws-credentials@v4\n with:\n role-to-assume: arn:aws:iam::123456789012:role\/github-actions-deploy\n role-session-name: github-actions-${{ github.run_id }}\n aws-region: us-east-1\n\n - name: Verify Identity\n run: |\n aws sts get-caller-identity\n echo \"Successfully authenticated via OIDC!\"\n\n - name: List S3 Bucket Contents\n run: aws s3 ls s3:\/\/my-deployment-bucket\/<\/code><\/pre>\n\u0634\u0631\u062d \u0627\u0644\u062a\u063a\u064a\u064a\u0631\u0627\u062a \u0627\u0644\u0631\u0626\u064a\u0633\u064a\u0629<\/h3>\n
\n
permissions: id-token: write<\/code><\/strong> \u2014 \u0647\u0630\u0627 \u0625\u0644\u0632\u0627\u0645\u064a. \u064a\u0645\u0646\u062d \u0633\u064a\u0631 \u0627\u0644\u0639\u0645\u0644 \u0625\u0630\u0646 \u0637\u0644\u0628 \u0631\u0645\u0632 OIDC \u0645\u0646 \u0645\u0632\u0648\u062f \u0647\u0648\u064a\u0629 GitHub. \u0628\u062f\u0648\u0646 \u0647\u0630\u0627\u060c \u0644\u0627 \u064a\u0633\u062a\u0637\u064a\u0639 \u0625\u062c\u0631\u0627\u0621 configure-aws-credentials<\/code> \u0627\u0644\u062d\u0635\u0648\u0644 \u0639\u0644\u0649 \u0631\u0645\u0632.<\/li>\npermissions: contents: read<\/code><\/strong> \u2014 \u0639\u0646\u062f \u062a\u0639\u064a\u064a\u0646 \u0623\u064a \u0625\u0630\u0646 \u0635\u0631\u064a\u062d\u060c \u062a\u0643\u0648\u0646 \u062c\u0645\u064a\u0639 \u0627\u0644\u0623\u0630\u0648\u0646\u0627\u062a \u0627\u0644\u0623\u062e\u0631\u0649 \u0627\u0641\u062a\u0631\u0627\u0636\u064a\u0627\u064b none<\/code>. \u064a\u062c\u0628 \u0645\u0646\u062d contents: read<\/code> \u0635\u0631\u0627\u062d\u0629 \u0644\u064a\u0639\u0645\u0644 actions\/checkout<\/code>.<\/li>\nrole-to-assume<\/code><\/strong> \u2014 \u0645\u0639\u0631\u0641 ARN \u0644\u062f\u0648\u0631 IAM \u0627\u0644\u0630\u064a \u062a\u0645 \u0625\u0646\u0634\u0627\u0624\u0647 \u0641\u064a \u0627\u0644\u062a\u0645\u0631\u064a\u0646 2. \u0633\u064a\u0633\u062a\u062f\u0639\u064a \u0627\u0644\u0625\u062c\u0631\u0627\u0621 sts:AssumeRoleWithWebIdentity<\/code> \u0628\u0627\u0633\u062a\u062e\u062f\u0627\u0645 \u0631\u0645\u0632 OIDC.<\/li>\nrole-session-name<\/code><\/strong> \u2014 \u0627\u0633\u0645 \u062c\u0644\u0633\u0629 \u0648\u0635\u0641\u064a \u064a\u0638\u0647\u0631 \u0641\u064a CloudTrail. \u062a\u0636\u0645\u064a\u0646 github.run_id<\/code> \u064a\u062c\u0639\u0644 \u0643\u0644 \u062c\u0644\u0633\u0629 \u0642\u0627\u0628\u0644\u0629 \u0644\u0644\u062a\u062a\u0628\u0639 \u0625\u0644\u0649 \u062a\u0634\u063a\u064a\u0644 \u0633\u064a\u0631 \u0639\u0645\u0644 \u0645\u062d\u062f\u062f.<\/li>\naws-access-key-id<\/code> \u0623\u0648 aws-secret-access-key<\/code><\/strong> \u2014 \u062a\u0645 \u0625\u0632\u0627\u0644\u0629 \u0647\u0630\u0647 \u0627\u0644\u062d\u0642\u0648\u0644 \u0628\u0627\u0644\u0643\u0627\u0645\u0644. \u064a\u0643\u062a\u0634\u0641 \u0627\u0644\u0625\u062c\u0631\u0627\u0621 \u0623\u0646 role-to-assume<\/code> \u0645\u064f\u0639\u064a\u0651\u0646 \u0628\u062f\u0648\u0646 \u0628\u064a\u0627\u0646\u0627\u062a \u0627\u0639\u062a\u0645\u0627\u062f \u062b\u0627\u0628\u062a\u0629 \u0648\u064a\u0633\u062a\u062e\u062f\u0645 OIDC \u062a\u0644\u0642\u0627\u0626\u064a\u0627\u064b.<\/li>\n<\/ul>\n\u0627\u0644\u062e\u0637\u0648\u0629 2: \u0627\u0644\u062f\u0641\u0639 \u0648\u0627\u0644\u062a\u062d\u0642\u0642<\/h3>\n
git add .github\/workflows\/deploy.yml\ngit commit -m \"Migrate to OIDC authentication\"\ngit push origin main<\/code><\/pre>\n{\n \"UserId\": \"AROA3XFRBF23ZCEXAMPLE:github-actions-9876543210\",\n \"Account\": \"123456789012\",\n \"Arn\": \"arn:aws:sts::123456789012:assumed-role\/github-actions-deploy\/github-actions-9876543210\"\n}<\/code><\/pre>\nassumed-role\/github-actions-deploy<\/code> \u2014 \u0647\u0630\u0627 \u064a\u0624\u0643\u062f \u0623\u0646 \u0633\u064a\u0631 \u0627\u0644\u0639\u0645\u0644 \u064a\u062a\u0635\u0644 \u0639\u0628\u0631 \u062f\u0648\u0631 OIDC\u060c \u0648\u0644\u064a\u0633 \u0645\u0633\u062a\u062e\u062f\u0645 IAM.<\/p>\n\u0627\u0644\u062a\u0645\u0631\u064a\u0646 4: \u0627\u0644\u062a\u0642\u064a\u064a\u062f \u062d\u0633\u0628 \u0627\u0644\u0641\u0631\u0639 \u0648\u0627\u0644\u0628\u064a\u0626\u0629 \u0648\u0627\u0644\u0639\u0644\u0627\u0645\u0629<\/h2>\n
sub<\/code> \u0641\u064a \u0633\u064a\u0627\u0633\u0629 \u0627\u0644\u062b\u0642\u0629 \u0647\u064a \u0622\u0644\u064a\u0629 \u0627\u0644\u062a\u062d\u0643\u0645 \u0641\u064a \u0627\u0644\u0648\u0635\u0648\u0644 \u0627\u0644\u0623\u0633\u0627\u0633\u064a\u0629 \u0627\u0644\u062e\u0627\u0635\u0629 \u0628\u0643. \u062a\u062a\u0628\u0639 \u0645\u0637\u0627\u0644\u0628\u0629 \u0627\u0644\u0645\u0648\u0636\u0648\u0639 \u0645\u0646 GitHub Actions \u062a\u0646\u0633\u064a\u0642\u0627\u064b \u0645\u062a\u0648\u0642\u0639\u0627\u064b \u064a\u0634\u0641\u0651\u0631 \u0627\u0644\u0645\u0633\u062a\u0648\u062f\u0639 \u0648\u0646\u0648\u0639 \u0627\u0644\u0645\u062d\u0641\u0632 \u0648\u0627\u0644\u0645\u0631\u062c\u0639.<\/p>\n\u0623\u0646\u0645\u0627\u0637 \u0645\u0637\u0627\u0644\u0628\u0629 \u0627\u0644\u0645\u0648\u0636\u0648\u0639 \u0627\u0644\u0634\u0627\u0626\u0639\u0629<\/h3>\n
\n\n
\n \n\u0627\u0644\u0645\u062d\u0641\u0632<\/th>\n \u062a\u0646\u0633\u064a\u0642 \u0645\u0637\u0627\u0644\u0628\u0629 \u0627\u0644\u0645\u0648\u0636\u0648\u0639<\/th>\n<\/tr>\n<\/thead>\n \n \u062f\u0641\u0639 \u0625\u0644\u0649 \u0641\u0631\u0639<\/td>\n repo:OWNER\/REPO:ref:refs\/heads\/BRANCH<\/code><\/td>\n<\/tr>\n\n \u0637\u0644\u0628 \u0633\u062d\u0628<\/td>\n repo:OWNER\/REPO:pull_request<\/code><\/td>\n<\/tr>\n\n \u0628\u064a\u0626\u0629<\/td>\n repo:OWNER\/REPO:environment:ENV_NAME<\/code><\/td>\n<\/tr>\n\n \u062f\u0641\u0639 \u0639\u0644\u0627\u0645\u0629<\/td>\n repo:OWNER\/REPO:ref:refs\/tags\/TAG<\/code><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n\u0627\u0644\u062a\u0642\u064a\u064a\u062f \u0644\u0644\u0641\u0631\u0639 \u0627\u0644\u0631\u0626\u064a\u0633\u064a \u0641\u0642\u0637<\/h3>\n
main<\/code> \u064a\u0645\u0643\u0646\u0647 \u062a\u0648\u0644\u0651\u064a \u0627\u0644\u062f\u0648\u0631:<\/p>\n\"StringLike\": {\n \"token.actions.githubusercontent.com:sub\": \"repo:myorg\/myrepo:ref:refs\/heads\/main\"\n}<\/code><\/pre>\n\u0627\u0644\u062a\u0642\u064a\u064a\u062f \u0644\u0628\u064a\u0626\u0629 \u0645\u062d\u062f\u062f\u0629<\/h3>\n
environment<\/code>\u060c \u062a\u062a\u063a\u064a\u0631 \u0645\u0637\u0627\u0644\u0628\u0629 \u0627\u0644\u0645\u0648\u0636\u0648\u0639 \u0644\u062a\u062a\u0636\u0645\u0646 \u0627\u0633\u0645 \u0627\u0644\u0628\u064a\u0626\u0629:<\/p>\n\"StringLike\": {\n \"token.actions.githubusercontent.com:sub\": \"repo:myorg\/myrepo:environment:production\"\n}<\/code><\/pre>\n\u0627\u0644\u062a\u0642\u064a\u064a\u062f \u0644\u0644\u0625\u0635\u062f\u0627\u0631\u0627\u062a \u0627\u0644\u0645\u064f\u0639\u0644\u0651\u0645\u0629<\/h3>\n
v1.0.0<\/code>\u060c v2.3.1<\/code>) \u0628\u062a\u0648\u0644\u0651\u064a \u0627\u0644\u062f\u0648\u0631:<\/p>\n\"StringLike\": {\n \"token.actions.githubusercontent.com:sub\": \"repo:myorg\/myrepo:ref:refs\/tags\/v*\"\n}<\/code><\/pre>\n\u0627\u062e\u062a\u0628\u0627\u0631 \u0627\u0644\u0642\u064a\u0648\u062f<\/h3>\n
git checkout -b feature\/test-oidc-restriction\ngit commit --allow-empty -m \"Test OIDC restriction\"\ngit push origin feature\/test-oidc-restriction<\/code><\/pre>\nrefs\/heads\/main<\/code>\u060c \u0641\u0633\u064a\u0641\u0634\u0644 \u0633\u064a\u0631 \u0627\u0644\u0639\u0645\u0644 \u0639\u0644\u0649 \u0641\u0631\u0639 \u0627\u0644\u0645\u064a\u0632\u0629 \u0645\u0639:<\/p>\nError: Could not assume role with OIDC: Not authorized to perform\nsts:AssumeRoleWithWebIdentity\n\nAccessDenied: Not authorized to perform sts:AssumeRoleWithWebIdentity<\/code><\/pre>\nmain<\/code>:<\/p>\ngit checkout main\ngit merge feature\/test-oidc-restriction\ngit push origin main<\/code><\/pre>\nmain<\/code> \u064a\u0646\u062c\u062d. \u0647\u0630\u0627 \u064a\u0648\u0636\u062d \u0627\u0644\u062a\u062d\u0643\u0645 \u0641\u064a \u0627\u0644\u0648\u0635\u0648\u0644 \u0627\u0644\u0642\u0627\u0626\u0645 \u0639\u0644\u0649 \u0627\u0644\u0645\u0637\u0627\u0644\u0628\u0627\u062a<\/strong> \u2014 \u062a\u0642\u064a\u0651\u0645 \u0633\u064a\u0627\u0633\u0629 \u0627\u0644\u062b\u0642\u0629 \u0641\u064a AWS \u0627\u0644\u0645\u0637\u0627\u0644\u0628\u0627\u062a \u0627\u0644\u0645\u0636\u0645\u0646\u0629 \u0641\u064a \u0631\u0645\u0632 OIDC \u0644\u0627\u062a\u062e\u0627\u0630 \u0642\u0631\u0627\u0631\u0627\u062a \u0627\u0644\u062a\u0641\u0648\u064a\u0636. \u0644\u0627 \u062a\u0648\u062c\u062f \u0628\u064a\u0627\u0646\u0627\u062a \u0627\u0639\u062a\u0645\u0627\u062f \u0645\u062a\u0636\u0645\u0646\u0629\u061b \u0627\u0644\u0631\u0645\u0632 \u0646\u0641\u0633\u0647 \u064a\u062d\u0645\u0644 \u0633\u064a\u0627\u0642 \u0627\u0644\u062a\u0641\u0648\u064a\u0636.<\/p>\n\u0627\u0644\u062a\u0645\u0631\u064a\u0646 5: \u0623\u062f\u0648\u0627\u0631 \u0644\u0643\u0644 \u0628\u064a\u0626\u0629<\/h2>\n
\u0627\u0644\u062e\u0637\u0648\u0629 1: \u0625\u0646\u0634\u0627\u0621 \u0628\u064a\u0626\u0627\u062a GitHub<\/h3>\n
\n
\n
main<\/code> \u0641\u0642\u0637<\/li>\n<\/ul>\n<\/li>\n<\/ol>\n\u0627\u0644\u062e\u0637\u0648\u0629 2: \u0625\u0646\u0634\u0627\u0621 \u062f\u0648\u0631 IAM \u0644\u0628\u064a\u0626\u0629 \u0627\u0644\u062a\u062c\u0647\u064a\u0632<\/h3>\n
{\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Effect\": \"Allow\",\n \"Principal\": {\n \"Federated\": \"arn:aws:iam::123456789012:oidc-provider\/token.actions.githubusercontent.com\"\n },\n \"Action\": \"sts:AssumeRoleWithWebIdentity\",\n \"Condition\": {\n \"StringEquals\": {\n \"token.actions.githubusercontent.com:aud\": \"sts.amazonaws.com\"\n },\n \"StringLike\": {\n \"token.actions.githubusercontent.com:sub\": \"repo:myorg\/myrepo:*\"\n }\n }\n }\n ]\n}<\/code><\/pre>\naws iam create-role \\\n --role-name github-actions-staging \\\n --assume-role-policy-document file:\/\/staging-trust-policy.json \\\n --description \"Staging deployment role - all branches\"<\/code><\/pre>\n\u0627\u0644\u062e\u0637\u0648\u0629 3: \u0625\u0646\u0634\u0627\u0621 \u062f\u0648\u0631 IAM \u0644\u0644\u0625\u0646\u062a\u0627\u062c<\/h3>\n
production<\/code> \u0639\u0644\u0649 \u0627\u0644\u0641\u0631\u0639 main<\/code>:<\/p>\n{\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Effect\": \"Allow\",\n \"Principal\": {\n \"Federated\": \"arn:aws:iam::123456789012:oidc-provider\/token.actions.githubusercontent.com\"\n },\n \"Action\": \"sts:AssumeRoleWithWebIdentity\",\n \"Condition\": {\n \"StringEquals\": {\n \"token.actions.githubusercontent.com:aud\": \"sts.amazonaws.com\",\n \"token.actions.githubusercontent.com:sub\": \"repo:myorg\/myrepo:environment:production\"\n }\n }\n }\n ]\n}<\/code><\/pre>\naws iam create-role \\\n --role-name github-actions-production \\\n --assume-role-policy-document file:\/\/production-trust-policy.json \\\n --description \"Production deployment role - main branch + production environment only\"<\/code><\/pre>\n\u0627\u0644\u062e\u0637\u0648\u0629 4: \u0633\u064a\u0631 \u0639\u0645\u0644 \u0645\u062a\u0639\u062f\u062f \u0627\u0644\u0628\u064a\u0626\u0627\u062a<\/h3>\n
name: Deploy Multi-Environment\n\non:\n push:\n branches: [main]\n\npermissions:\n id-token: write\n contents: read\n\njobs:\n deploy-staging:\n runs-on: ubuntu-latest\n environment: staging\n steps:\n - name: Checkout\n uses: actions\/checkout@v4\n\n - name: Configure AWS Credentials (Staging)\n uses: aws-actions\/configure-aws-credentials@v4\n with:\n role-to-assume: arn:aws:iam::123456789012:role\/github-actions-staging\n role-session-name: staging-${{ github.run_id }}\n aws-region: us-east-1\n\n - name: Deploy to Staging\n run: |\n aws sts get-caller-identity\n echo \"Deploying to staging environment...\"\n # Your staging deployment commands here\n\n deploy-production:\n runs-on: ubuntu-latest\n needs: deploy-staging\n environment: production\n steps:\n - name: Checkout\n uses: actions\/checkout@v4\n\n - name: Configure AWS Credentials (Production)\n uses: aws-actions\/configure-aws-credentials@v4\n with:\n role-to-assume: arn:aws:iam::123456789012:role\/github-actions-production\n role-session-name: production-${{ github.run_id }}\n aws-region: us-east-1\n\n - name: Deploy to Production\n run: |\n aws sts get-caller-identity\n echo \"Deploying to production environment...\"\n # Your production deployment commands here<\/code><\/pre>\n\n
github-actions-staging<\/code>\u060c \u0648\u062a\u0646\u0634\u0631<\/li>\ngithub-actions-production<\/code>\u060c \u0648\u062a\u0646\u0634\u0631<\/li>\n<\/ol>\nStringEquals<\/code> (\u0648\u0644\u064a\u0633 StringLike<\/code>) \u0645\u0639 \u0627\u0644\u0645\u0648\u0636\u0648\u0639 \u0627\u0644\u062f\u0642\u064a\u0642 repo:myorg\/myrepo:environment:production<\/code>. \u0647\u0630\u0627 \u064a\u0639\u0646\u064a \u0623\u0646 \u0627\u0644\u0648\u0638\u0627\u0626\u0641 \u0627\u0644\u062a\u064a \u062a\u064f\u0639\u0644\u0646 environment: production<\/code> \u0641\u0642\u0637 \u064a\u0645\u0643\u0646\u0647\u0627 \u062a\u0648\u0644\u0651\u064a \u062f\u0648\u0631 \u0627\u0644\u0625\u0646\u062a\u0627\u062c \u2014 \u0648\u062a\u0641\u0631\u0636 GitHub Environments \u0623\u0646 \u0639\u0645\u0644\u064a\u0627\u062a \u0646\u0634\u0631 \u0627\u0644\u0641\u0631\u0639 main<\/code> \u0641\u0642\u0637 \u0645\u0639 \u0645\u0648\u0627\u0641\u0642\u0629 \u0627\u0644\u0645\u0631\u0627\u062c\u0639 \u064a\u0645\u0643\u0646\u0647\u0627 \u0627\u0633\u062a\u062e\u062f\u0627\u0645 \u062a\u0644\u0643 \u0627\u0644\u0628\u064a\u0626\u0629.<\/p>\nTerraform \u0644\u0643\u0644\u0627 \u0627\u0644\u062f\u0648\u0631\u064a\u0646<\/h3>\n
locals {\n github_oidc_arn = aws_iam_openid_connect_provider.github.arn\n github_repo = \"myorg\/myrepo\"\n}\n\n# Staging role - trusts all branches\nresource \"aws_iam_role\" \"github_actions_staging\" {\n name = \"github-actions-staging\"\n\n assume_role_policy = jsonencode({\n Version = \"2012-10-17\"\n Statement = [\n {\n Effect = \"Allow\"\n Principal = {\n Federated = local.github_oidc_arn\n }\n Action = \"sts:AssumeRoleWithWebIdentity\"\n Condition = {\n StringEquals = {\n \"token.actions.githubusercontent.com:aud\" = \"sts.amazonaws.com\"\n }\n StringLike = {\n \"token.actions.githubusercontent.com:sub\" = \"repo:${local.github_repo}:*\"\n }\n }\n }\n ]\n })\n}\n\n# Production role - trusts only the production environment\nresource \"aws_iam_role\" \"github_actions_production\" {\n name = \"github-actions-production\"\n\n assume_role_policy = jsonencode({\n Version = \"2012-10-17\"\n Statement = [\n {\n Effect = \"Allow\"\n Principal = {\n Federated = local.github_oidc_arn\n }\n Action = \"sts:AssumeRoleWithWebIdentity\"\n Condition = {\n StringEquals = {\n \"token.actions.githubusercontent.com:aud\" = \"sts.amazonaws.com\"\n \"token.actions.githubusercontent.com:sub\" = \"repo:${local.github_repo}:environment:production\"\n }\n }\n }\n ]\n })\n}<\/code><\/pre>\n\u0627\u0644\u062a\u0645\u0631\u064a\u0646 6: \u0627\u0644\u062a\u062d\u0642\u0642 \u0648\u0627\u0644\u062a\u062f\u0642\u064a\u0642<\/h2>\n
AssumeRoleWithWebIdentity<\/code> \u0645\u0639 \u0627\u0644\u0645\u062c\u0645\u0648\u0639\u0629 \u0627\u0644\u0643\u0627\u0645\u0644\u0629 \u0645\u0646 \u0645\u0637\u0627\u0644\u0628\u0627\u062a GitHub OIDC.<\/p>\n\u0627\u0644\u062e\u0637\u0648\u0629 1: \u0627\u0633\u062a\u0639\u0644\u0627\u0645 CloudTrail \u0639\u0646 \u0623\u062d\u062f\u0627\u062b OIDC<\/h3>\n
aws cloudtrail lookup-events \\\n --lookup-attributes AttributeKey=EventName,AttributeValue=AssumeRoleWithWebIdentity \\\n --max-results 10 \\\n --query 'Events[].{Time:EventTime,Username:Username,Resources:Resources}' \\\n --output table<\/code><\/pre>\n\u0627\u0644\u062e\u0637\u0648\u0629 2: \u0641\u062d\u0635 \u062d\u062f\u062b CloudTrail<\/h3>\n
AssumeRoleWithWebIdentity<\/code> \u0627\u0644\u0646\u0645\u0648\u0630\u062c\u064a \u0641\u064a CloudTrail \u0639\u0644\u0649 \u0627\u0644\u062d\u0642\u0648\u0644 \u0627\u0644\u0631\u0626\u064a\u0633\u064a\u0629 \u0627\u0644\u062a\u0627\u0644\u064a\u0629:<\/p>\n{\n \"eventName\": \"AssumeRoleWithWebIdentity\",\n \"eventSource\": \"sts.amazonaws.com\",\n \"requestParameters\": {\n \"roleArn\": \"arn:aws:iam::123456789012:role\/github-actions-deploy\",\n \"roleSessionName\": \"github-actions-9876543210\"\n },\n \"requestID\": \"a1b2c3d4-e5f6-7890-abcd-ef1234567890\",\n \"responseElements\": {\n \"credentials\": {\n \"accessKeyId\": \"ASIAEXAMPLE...\",\n \"expiration\": \"Mar 23, 2026 2:00:00 PM\"\n },\n \"subjectFromWebIdentityToken\": \"repo:myorg\/myrepo:ref:refs\/heads\/main\",\n \"provider\": \"arn:aws:iam::123456789012:oidc-provider\/token.actions.githubusercontent.com\"\n },\n \"additionalEventData\": {\n \"WebIdFederationData\": {\n \"federatedProvider\": \"arn:aws:iam::123456789012:oidc-provider\/token.actions.githubusercontent.com\",\n \"attributes\": {\n \"sub\": \"repo:myorg\/myrepo:ref:refs\/heads\/main\",\n \"aud\": \"sts.amazonaws.com\",\n \"iss\": \"https:\/\/token.actions.githubusercontent.com\",\n \"repository\": \"myorg\/myrepo\",\n \"ref\": \"refs\/heads\/main\",\n \"sha\": \"abc123def456...\",\n \"actor\": \"github-username\",\n \"workflow\": \"Deploy (Secure - OIDC)\",\n \"run_id\": \"9876543210\"\n }\n }\n }\n}<\/code><\/pre>\n\u0627\u0644\u062e\u0637\u0648\u0629 3: \u0625\u0646\u0634\u0627\u0621 \u0625\u0646\u0630\u0627\u0631 CloudWatch \u0644\u0645\u062d\u0627\u0648\u0644\u0627\u062a AssumeRole \u0627\u0644\u0641\u0627\u0634\u0644\u0629<\/h3>\n
AssumeRoleWithWebIdentity<\/code> \u0627\u0644\u0641\u0627\u0634\u0644\u0629 \u0625\u0644\u0649 \u0645\u062d\u0627\u0648\u0644\u0627\u062a \u0648\u0635\u0648\u0644 \u063a\u064a\u0631 \u0645\u0635\u0631\u062d \u0628\u0647\u0627 \u0623\u0648 \u0633\u064a\u0627\u0633\u0627\u062a \u062b\u0642\u0629 \u062e\u0627\u0637\u0626\u0629 \u0627\u0644\u062a\u0643\u0648\u064a\u0646. \u0642\u0645 \u0628\u0625\u0639\u062f\u0627\u062f \u0641\u0644\u062a\u0631 \u0645\u0642\u064a\u0627\u0633 \u0648\u0625\u0646\u0630\u0627\u0631:<\/p>\n# Create a CloudWatch Logs metric filter for failed AssumeRoleWithWebIdentity\naws logs put-metric-filter \\\n --log-group-name CloudTrail\/DefaultLogGroup \\\n --filter-name FailedOIDCAssumeRole \\\n --filter-pattern '{ ($.eventName = \"AssumeRoleWithWebIdentity\") && ($.errorCode = \"AccessDenied\") }' \\\n --metric-transformations \\\n metricName=FailedOIDCAssumeRoleCount,metricNamespace=SecurityMetrics,metricValue=1\n\n# Create a CloudWatch alarm that triggers when failures exceed threshold\naws cloudwatch put-metric-alarm \\\n --alarm-name FailedOIDCAssumeRole \\\n --alarm-description \"Alert on failed OIDC AssumeRoleWithWebIdentity attempts\" \\\n --metric-name FailedOIDCAssumeRoleCount \\\n --namespace SecurityMetrics \\\n --statistic Sum \\\n --period 300 \\\n --threshold 3 \\\n --comparison-operator GreaterThanOrEqualToThreshold \\\n --evaluation-periods 1 \\\n --alarm-actions arn:aws:sns:us-east-1:123456789012:security-alerts \\\n --treat-missing-data notBreaching<\/code><\/pre>\n\u0627\u0644\u062e\u0637\u0648\u0629 4: \u062a\u062f\u0642\u064a\u0642 \u0627\u0644\u0645\u0633\u062a\u0648\u062f\u0639\u0627\u062a \u0648\u0627\u0644\u0641\u0631\u0648\u0639 \u0627\u0644\u062a\u064a \u0648\u0635\u0644\u062a \u0625\u0644\u0649 \u0627\u0644\u062f\u0648\u0631<\/h3>\n
# Using CloudTrail lookup to find all OIDC authentications in the last 24 hours\naws cloudtrail lookup-events \\\n --lookup-attributes AttributeKey=EventName,AttributeValue=AssumeRoleWithWebIdentity \\\n --start-time $(date -u -d '24 hours ago' '+%Y-%m-%dT%H:%M:%SZ' 2>\/dev\/null || date -u -v-24H '+%Y-%m-%dT%H:%M:%SZ') \\\n --end-time $(date -u '+%Y-%m-%dT%H:%M:%SZ') \\\n --query 'Events[].CloudTrailEvent' \\\n --output text | jq -r '.responseElements.subjectFromWebIdentityToken \/\/ \"N\/A\"' | sort | uniq -c | sort -rn<\/code><\/pre>\n\u0627\u0644\u062a\u0645\u0631\u064a\u0646 7: \u062d\u0630\u0641 \u0645\u0641\u0627\u062a\u064a\u062d \u0627\u0644\u0648\u0635\u0648\u0644 \u0627\u0644\u0642\u062f\u064a\u0645\u0629<\/h2>\n
\u0627\u0644\u062e\u0637\u0648\u0629 1: \u0625\u0632\u0627\u0644\u0629 \u0623\u0633\u0631\u0627\u0631 GitHub<\/h3>\n
gh secret delete AWS_ACCESS_KEY_ID --repo myorg\/myrepo\ngh secret delete AWS_SECRET_ACCESS_KEY --repo myorg\/myrepo<\/code><\/pre>\ngh secret list --repo myorg\/myrepo<\/code><\/pre>\nAWS_ACCESS_KEY_ID<\/code> \u0623\u0648