The configuration file is broken into 2 separate sections for basic functionality:
```yaml
# Config Reference:
https://aws.amazon.com/SAML/Attributes/RoleSessionName: '<#= user.github.login #>'
https://aws.amazon.com/SAML/Attributes/Role: '<#= user.selectedRole #>,<#= provider.variables.providerArn #>'
- name: arn:aws:iam::123456789012:role/cnuss-admin
```
The `providers` section details Service Providers (e.g. which services a GitHub token can be used to log in to), for example AWS federated roles. It contains information like the Assertion URLs, Entity ID and other SAML attributes. You can also use some light substitution syntax (`<#= ... #>`) to inject variables when a SAML assertion (i.e. a role assumption) is requested by a user.

The key in the aforementioned configuration (e.g. `aws`) must match between the `providers` and `permissions` sections. This is how a permission relates back to a particular provider.
See Service Providers for a detail on supported Service Providers that can be configured in the configuration file.
The `permissions` section details the Access Control Lists for the various Service Providers and Roles. The key of the permission (e.g. `aws`) must be identical to the key of the corresponding provider. For each role, you can define `users:` and `repos:` in their respective sections. Defining users and repositories is optional; you can define both, or one or the other.
If multiple GitHub organizations need to use the same provider in GitHub Actions, you can simply specify the organization name. Assuming your GitHub organization is `my-org` and you have a repository `my-repo` that needs access to the `admin` role, and you have another organization `my-other-org` with another repository `my-other-repo` that also needs access to the `admin` role, the configuration would look like this:
```yaml
- name: arn:aws:iam::123456789012:role/admin
```
You do not need to be a member or Administrator of the other Organization to make this work!
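The following is an added illustration, not the project's own code: it models the `permissions` ACL check and the `<#= ... #>` substitution described above for the two SAML attributes shown in the config reference. The permissions dict, the `org/repo` form of the `repos:` entries, the user names and the SAML provider ARN are constructed assumptions; only the attribute names, template strings and role ARNs come from the page.

```python
import re

# Constructed stand-in for the permissions section (assumption: repos are written as "org/repo").
PERMISSIONS = {
    "aws": {
        "roles": [
            {"name": "arn:aws:iam::123456789012:role/admin",
             "repos": ["my-org/my-repo", "my-other-org/my-other-repo"]},
            {"name": "arn:aws:iam::123456789012:role/cnuss-admin",
             "users": ["cnuss"]},  # constructed user name
        ]
    }
}

# SAML attribute templates from the page's config reference.
SAML_ATTRIBUTES = {
    "https://aws.amazon.com/SAML/Attributes/RoleSessionName": "<#= user.github.login #>",
    "https://aws.amazon.com/SAML/Attributes/Role": "<#= user.selectedRole #>,<#= provider.variables.providerArn #>",
}

SUBST = re.compile(r"<#=\s*([A-Za-z_][\w.]*)\s*#>")

def lookup(ctx, path):
    """Resolve a dotted path such as user.github.login; unknown variables are an error, not ''."""
    cur = ctx
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            raise KeyError(f"unknown substitution variable: {path}")
        cur = cur[part]
    return str(cur)

def render(template, ctx):
    """Replace every <#= var #> occurrence in template with its value from ctx."""
    return SUBST.sub(lambda m: lookup(ctx, m.group(1)), template)

def allowed(provider_key, role, login, repo):
    """ACL check: the role must be listed under the provider key and grant this user or this repo."""
    for entry in PERMISSIONS.get(provider_key, {}).get("roles", []):
        if entry["name"] == role and (login in entry.get("users", []) or repo in entry.get("repos", [])):
            return True
    return False

def build_assertion_attributes(provider_key, login, repo, role, provider_arn):
    """Deny unless the ACL grants the selected role, then render the SAML attributes."""
    if not allowed(provider_key, role, login, repo):
        raise PermissionError(f"{login} ({repo}) may not assume {role}")
    ctx = {"user": {"github": {"login": login}, "selectedRole": role},
           "provider": {"variables": {"providerArn": provider_arn}}}
    return {name: render(tpl, ctx) for name, tpl in SAML_ATTRIBUTES.items()}
```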